Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    150s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240709-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/07/2024, 02:05

General

  • Target

    Venom RAT + HVNC + Stealer + Grabber.exe

  • Size

    6.8MB

  • MD5

    03aa135fd7386c36c636dd780f579d68

  • SHA1

    58efdd2ed92f8c63ea1409fb3a42164beeb14d9f

  • SHA256

    de7c7e2bd5041a2dfa106083d5742b29d0ae6b2a215f6d9a8407a82add97fbb0

  • SHA512

    e6b54eb7743329d20a6b75d41971a96f694273586f5c7a91a32ed363df23f94914ec1d979852e2e524c3f852766154f994780de3f8ed526c8154827e5c6a73b7

  • SSDEEP

    196608:OFy4Ju//4s1xnnDQhuWUx+BKwWS+YdU30DR7Z:eBu4gnDFuESSED7

Malware Config

Extracted

Family

asyncrat

Version

Venom RAT + HVNC + Stealer + Grabber v6.0.3

Botnet

Discord

C2

181.47.208.50:4449

Mutex

yqhbuwfankgiktwqwmr

Attributes
  • delay

    1

  • install

    true

  • install_file

    Microsoft Update.exe

  • install_folder

    %AppData%

aes.plain

Signatures

  • AsyncRat

    AsyncRAT is designed to remotely monitor and control other computers written in C#.

  • Async RAT payload 1 IoCs
  • Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

  • Checks computer location settings 2 TTPs 64 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 64 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 8 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 9 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 41 IoCs
  • Suspicious use of SendNotifyMessage 41 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
    "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:684
    • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
      "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
      2⤵
      • Checks computer location settings
      • Suspicious use of WriteProcessMemory
      PID:4008
      • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
        3⤵
        • Checks computer location settings
        • Suspicious use of WriteProcessMemory
        PID:212
        • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
          "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:1824
          • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
            "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:3716
            • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
              "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
              6⤵
              • Suspicious use of WriteProcessMemory
              PID:1348
              • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
                "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
                7⤵
                • Checks computer location settings
                PID:4564
                • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
                  "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
                  8⤵
                  • Checks computer location settings
                  PID:3652
                  • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
                    "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
                    9⤵
                    • Checks computer location settings
                    PID:4360
                    • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
                      "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
                      10⤵
                      • Checks computer location settings
                      PID:924
                      • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
                        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
                        11⤵
                          PID:3696
                          • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
                            "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
                            12⤵
                            • Checks computer location settings
                            PID:2580
                            • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
                              "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
                              13⤵
                                PID:1952
                                • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
                                  "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
                                  14⤵
                                    PID:4292
                                    • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
                                      "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
                                      15⤵
                                      • Checks computer location settings
                                      PID:2860
                                      • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
                                        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
                                        16⤵
                                        • Checks computer location settings
                                        PID:3492
                                        • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
                                          "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
                                          17⤵
                                            PID:3324
                                            • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
                                              "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
                                              18⤵
                                              • Checks computer location settings
                                              PID:3292
                                              • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
                                                "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
                                                19⤵
                                                  PID:4484
                                                  • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
                                                    "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
                                                    20⤵
                                                      PID:3520
                                                      • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
                                                        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
                                                        21⤵
                                                          PID:4976
                                                          • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
                                                            "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
                                                            22⤵
                                                              PID:4116
                                                              • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
                                                                "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
                                                                23⤵
                                                                • Checks computer location settings
                                                                PID:3408
                                                                • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
                                                                  "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
                                                                  24⤵
                                                                    PID:4544
                                                                    • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
                                                                      "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
                                                                      25⤵
                                                                      • Checks computer location settings
                                                                      PID:404
                                                                      • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
                                                                        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
                                                                        26⤵
                                                                        • Checks computer location settings
                                                                        PID:2724
                                                                        • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
                                                                          "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
                                                                          27⤵
                                                                            PID:2396
                                                                            • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
                                                                              "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
                                                                              28⤵
                                                                              • Checks computer location settings
                                                                              PID:2924
                                                                              • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
                                                                                "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
                                                                                29⤵
                                                                                  PID:1052
                                                                                  • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
                                                                                    "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
                                                                                    30⤵
                                                                                      PID:4752
                                                                                      • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
                                                                                        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
                                                                                        31⤵
                                                                                          PID:2772
                                                                                          • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
                                                                                            "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
                                                                                            32⤵
                                                                                              PID:2756
                                                                                              • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
                                                                                                "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
                                                                                                33⤵
                                                                                                • Checks computer location settings
                                                                                                PID:3132
                                                                                                • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
                                                                                                  34⤵
                                                                                                    PID:4140
                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
                                                                                                      "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
                                                                                                      35⤵
                                                                                                      • Checks computer location settings
                                                                                                      PID:4048
                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
                                                                                                        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
                                                                                                        36⤵
                                                                                                        • Checks computer location settings
                                                                                                        PID:888
                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
                                                                                                          37⤵
                                                                                                          • Checks computer location settings
                                                                                                          PID:2384
                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
                                                                                                            38⤵
                                                                                                              PID:1668
                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
                                                                                                                39⤵
                                                                                                                  PID:2268
                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
                                                                                                                    40⤵
                                                                                                                      PID:3944
                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
                                                                                                                        41⤵
                                                                                                                          PID:3764
                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
                                                                                                                            42⤵
                                                                                                                              PID:2024
                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
                                                                                                                                43⤵
                                                                                                                                  PID:4304
                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
                                                                                                                                    44⤵
                                                                                                                                      PID:212
                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
                                                                                                                                        45⤵
                                                                                                                                        • Checks computer location settings
                                                                                                                                        PID:2832
                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
                                                                                                                                          46⤵
                                                                                                                                          • Checks computer location settings
                                                                                                                                          PID:1768
                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
                                                                                                                                            47⤵
                                                                                                                                            • Checks computer location settings
                                                                                                                                            PID:3432
                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
                                                                                                                                              48⤵
                                                                                                                                              • Checks computer location settings
                                                                                                                                              PID:3916
                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
                                                                                                                                                49⤵
                                                                                                                                                  PID:2180
                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
                                                                                                                                                    50⤵
                                                                                                                                                    • Checks computer location settings
                                                                                                                                                    PID:3176
                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
                                                                                                                                                      51⤵
                                                                                                                                                      • Checks computer location settings
                                                                                                                                                      PID:452
                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
                                                                                                                                                        52⤵
                                                                                                                                                          PID:448
                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
                                                                                                                                                            53⤵
                                                                                                                                                            • Checks computer location settings
                                                                                                                                                            PID:4580
                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
                                                                                                                                                              54⤵
                                                                                                                                                                PID:3356
                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
                                                                                                                                                                  55⤵
                                                                                                                                                                    PID:3708
                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
                                                                                                                                                                      56⤵
                                                                                                                                                                      • Checks computer location settings
                                                                                                                                                                      PID:2524
                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
                                                                                                                                                                        57⤵
                                                                                                                                                                          PID:3384
                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
                                                                                                                                                                            58⤵
                                                                                                                                                                              PID:4304
                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
                                                                                                                                                                                59⤵
                                                                                                                                                                                • Checks computer location settings
                                                                                                                                                                                PID:932
                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
                                                                                                                                                                                  60⤵
                                                                                                                                                                                  • Checks computer location settings
                                                                                                                                                                                  PID:3632
                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
                                                                                                                                                                                    61⤵
                                                                                                                                                                                    • Checks computer location settings
                                                                                                                                                                                    PID:1924
                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
                                                                                                                                                                                      62⤵
                                                                                                                                                                                        PID:5028
                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
                                                                                                                                                                                          63⤵
                                                                                                                                                                                          • Checks computer location settings
                                                                                                                                                                                          PID:4508
                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
                                                                                                                                                                                            64⤵
                                                                                                                                                                                              PID:2176
                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
                                                                                                                                                                                                65⤵
                                                                                                                                                                                                  PID:3044
                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
                                                                                                                                                                                                    66⤵
                                                                                                                                                                                                      PID:3520
                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe
                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\Venom RAT + HVNC + Stealer + Grabber.exe"
                                                                                                                                                                                                        67⤵
                                                                                                                                                                                                          PID:1176
                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                          67⤵
                                                                                                                                                                                                            PID:1060
                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                          66⤵
                                                                                                                                                                                                            PID:4008
                                                                                                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                              67⤵
                                                                                                                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                              PID:2472
                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                          65⤵
                                                                                                                                                                                                            PID:2868
                                                                                                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                              66⤵
                                                                                                                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                              PID:2180
                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                              66⤵
                                                                                                                                                                                                                PID:1872
                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                            64⤵
                                                                                                                                                                                                            • Checks computer location settings
                                                                                                                                                                                                            PID:2244
                                                                                                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                              65⤵
                                                                                                                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                              PID:3984
                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                              65⤵
                                                                                                                                                                                                                PID:4844
                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                            63⤵
                                                                                                                                                                                                            • Checks computer location settings
                                                                                                                                                                                                            PID:2040
                                                                                                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                              64⤵
                                                                                                                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                              PID:2260
                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                              64⤵
                                                                                                                                                                                                                PID:1788
                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                            62⤵
                                                                                                                                                                                                            • Checks computer location settings
                                                                                                                                                                                                            PID:5036
                                                                                                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                              63⤵
                                                                                                                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                              PID:448
                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                              63⤵
                                                                                                                                                                                                                PID:1420
                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                            61⤵
                                                                                                                                                                                                              PID:4224
                                                                                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                                62⤵
                                                                                                                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                PID:2556
                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                                62⤵
                                                                                                                                                                                                                  PID:2416
                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                              60⤵
                                                                                                                                                                                                              • Checks computer location settings
                                                                                                                                                                                                              PID:4856
                                                                                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                                61⤵
                                                                                                                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                PID:3708
                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                                61⤵
                                                                                                                                                                                                                  PID:1960
                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                              59⤵
                                                                                                                                                                                                                PID:4768
                                                                                                                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                                  60⤵
                                                                                                                                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                  PID:4728
                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                                  60⤵
                                                                                                                                                                                                                    PID:880
                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                                58⤵
                                                                                                                                                                                                                  PID:4692
                                                                                                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                                    59⤵
                                                                                                                                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                    PID:3992
                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                                    59⤵
                                                                                                                                                                                                                      PID:3328
                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                                  57⤵
                                                                                                                                                                                                                    PID:4108
                                                                                                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                                      58⤵
                                                                                                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                      PID:4592
                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                                      58⤵
                                                                                                                                                                                                                        PID:1380
                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                                    56⤵
                                                                                                                                                                                                                    • Checks computer location settings
                                                                                                                                                                                                                    PID:1432
                                                                                                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                                      57⤵
                                                                                                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                      PID:3304
                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                                      57⤵
                                                                                                                                                                                                                        PID:4524
                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                                    55⤵
                                                                                                                                                                                                                    • Checks computer location settings
                                                                                                                                                                                                                    PID:548
                                                                                                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                                      56⤵
                                                                                                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                      PID:4840
                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                                      56⤵
                                                                                                                                                                                                                        PID:1820
                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                                    54⤵
                                                                                                                                                                                                                      PID:3364
                                                                                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                                        55⤵
                                                                                                                                                                                                                          PID:2560
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                                          55⤵
                                                                                                                                                                                                                            PID:1864
                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                                        53⤵
                                                                                                                                                                                                                          PID:2532
                                                                                                                                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                                            54⤵
                                                                                                                                                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                            PID:3876
                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                                            54⤵
                                                                                                                                                                                                                              PID:1132
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                                          52⤵
                                                                                                                                                                                                                          • Checks computer location settings
                                                                                                                                                                                                                          PID:2260
                                                                                                                                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                                            53⤵
                                                                                                                                                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                            PID:4964
                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                                            53⤵
                                                                                                                                                                                                                              PID:3008
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                                          51⤵
                                                                                                                                                                                                                            PID:2012
                                                                                                                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                                              52⤵
                                                                                                                                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                              PID:2380
                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                                              52⤵
                                                                                                                                                                                                                                PID:2848
                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                                            50⤵
                                                                                                                                                                                                                              PID:4308
                                                                                                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                                                51⤵
                                                                                                                                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                PID:644
                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                                                51⤵
                                                                                                                                                                                                                                  PID:3912
                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                                              49⤵
                                                                                                                                                                                                                                PID:4564
                                                                                                                                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                                                  50⤵
                                                                                                                                                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                  PID:872
                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                                                  50⤵
                                                                                                                                                                                                                                    PID:2416
                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                                                48⤵
                                                                                                                                                                                                                                • Checks computer location settings
                                                                                                                                                                                                                                PID:1408
                                                                                                                                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                                                  49⤵
                                                                                                                                                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                  PID:3368
                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                                                  49⤵
                                                                                                                                                                                                                                    PID:1880
                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                                                47⤵
                                                                                                                                                                                                                                • Checks computer location settings
                                                                                                                                                                                                                                PID:4324
                                                                                                                                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                                                  48⤵
                                                                                                                                                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                  PID:392
                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                                                  48⤵
                                                                                                                                                                                                                                    PID:4588
                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                                                46⤵
                                                                                                                                                                                                                                • Checks computer location settings
                                                                                                                                                                                                                                PID:704
                                                                                                                                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                                                  47⤵
                                                                                                                                                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                  PID:4416
                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                                                  47⤵
                                                                                                                                                                                                                                    PID:4944
                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                                                45⤵
                                                                                                                                                                                                                                  PID:4360
                                                                                                                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                                                    46⤵
                                                                                                                                                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                    PID:1692
                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                                                    46⤵
                                                                                                                                                                                                                                    • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                                                    PID:3108
                                                                                                                                                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Microsoft Update" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft Update.exe"' & exit
                                                                                                                                                                                                                                      47⤵
                                                                                                                                                                                                                                        PID:3212
                                                                                                                                                                                                                                        • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                          schtasks /create /f /sc onlogon /rl highest /tn "Microsoft Update" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft Update.exe"'
                                                                                                                                                                                                                                          48⤵
                                                                                                                                                                                                                                          • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                          PID:4980
                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                                                  44⤵
                                                                                                                                                                                                                                    PID:680
                                                                                                                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                                                      45⤵
                                                                                                                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                      PID:1596
                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                                                      45⤵
                                                                                                                                                                                                                                      • Checks computer location settings
                                                                                                                                                                                                                                      PID:4724
                                                                                                                                                                                                                                      • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Microsoft Update" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft Update.exe"' & exit
                                                                                                                                                                                                                                        46⤵
                                                                                                                                                                                                                                          PID:3680
                                                                                                                                                                                                                                          • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                            schtasks /create /f /sc onlogon /rl highest /tn "Microsoft Update" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft Update.exe"'
                                                                                                                                                                                                                                            47⤵
                                                                                                                                                                                                                                            • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                            PID:4420
                                                                                                                                                                                                                                        • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                          C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp213A.tmp.bat""
                                                                                                                                                                                                                                          46⤵
                                                                                                                                                                                                                                            PID:1364
                                                                                                                                                                                                                                            • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                              timeout 3
                                                                                                                                                                                                                                              47⤵
                                                                                                                                                                                                                                              • Delays execution with timeout.exe
                                                                                                                                                                                                                                              PID:4608
                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Roaming\Microsoft Update.exe
                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Roaming\Microsoft Update.exe"
                                                                                                                                                                                                                                              47⤵
                                                                                                                                                                                                                                                PID:932
                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                                                        43⤵
                                                                                                                                                                                                                                        • Checks computer location settings
                                                                                                                                                                                                                                        PID:2368
                                                                                                                                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                                                          44⤵
                                                                                                                                                                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                          PID:3904
                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                                                          44⤵
                                                                                                                                                                                                                                            PID:4856
                                                                                                                                                                                                                                            • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                                              "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Microsoft Update" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft Update.exe"' & exit
                                                                                                                                                                                                                                              45⤵
                                                                                                                                                                                                                                                PID:5000
                                                                                                                                                                                                                                                • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                                                  schtasks /create /f /sc onlogon /rl highest /tn "Microsoft Update" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft Update.exe"'
                                                                                                                                                                                                                                                  46⤵
                                                                                                                                                                                                                                                  • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                                                  PID:844
                                                                                                                                                                                                                                              • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                                                C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmp191C.tmp.bat""
                                                                                                                                                                                                                                                45⤵
                                                                                                                                                                                                                                                  PID:1484
                                                                                                                                                                                                                                                  • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                                                    timeout 3
                                                                                                                                                                                                                                                    46⤵
                                                                                                                                                                                                                                                    • Delays execution with timeout.exe
                                                                                                                                                                                                                                                    PID:804
                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Roaming\Microsoft Update.exe
                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Roaming\Microsoft Update.exe"
                                                                                                                                                                                                                                                    46⤵
                                                                                                                                                                                                                                                      PID:1232
                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                                                              42⤵
                                                                                                                                                                                                                                              • Checks computer location settings
                                                                                                                                                                                                                                              PID:3000
                                                                                                                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                                                                43⤵
                                                                                                                                                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                PID:1564
                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                                                                43⤵
                                                                                                                                                                                                                                                  PID:4592
                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                                                              41⤵
                                                                                                                                                                                                                                                PID:644
                                                                                                                                                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                                                                  42⤵
                                                                                                                                                                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                  PID:2860
                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                                                                  42⤵
                                                                                                                                                                                                                                                    PID:452
                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                                                                40⤵
                                                                                                                                                                                                                                                • Checks computer location settings
                                                                                                                                                                                                                                                PID:1692
                                                                                                                                                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                                                                  41⤵
                                                                                                                                                                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                  PID:804
                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                                                                  41⤵
                                                                                                                                                                                                                                                    PID:2740
                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                                                                39⤵
                                                                                                                                                                                                                                                  PID:3520
                                                                                                                                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                                                                    40⤵
                                                                                                                                                                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                    PID:5112
                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                                                                    40⤵
                                                                                                                                                                                                                                                      PID:4400
                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                                                                  38⤵
                                                                                                                                                                                                                                                    PID:536
                                                                                                                                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                                                                      39⤵
                                                                                                                                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                      PID:620
                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                                                                      39⤵
                                                                                                                                                                                                                                                        PID:4224
                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                                                                    37⤵
                                                                                                                                                                                                                                                    • Checks computer location settings
                                                                                                                                                                                                                                                    PID:2848
                                                                                                                                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                                                                      38⤵
                                                                                                                                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                      PID:1232
                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                                                                      38⤵
                                                                                                                                                                                                                                                        PID:5040
                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                                                                    36⤵
                                                                                                                                                                                                                                                    • Checks computer location settings
                                                                                                                                                                                                                                                    PID:3432
                                                                                                                                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                                                                      37⤵
                                                                                                                                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                      PID:3632
                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                                                                      37⤵
                                                                                                                                                                                                                                                        PID:2892
                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                                                                    35⤵
                                                                                                                                                                                                                                                    • Checks computer location settings
                                                                                                                                                                                                                                                    PID:944
                                                                                                                                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                                                                      36⤵
                                                                                                                                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                      PID:4860
                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                                                                      36⤵
                                                                                                                                                                                                                                                        PID:244
                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                                                                    34⤵
                                                                                                                                                                                                                                                      PID:3416
                                                                                                                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                                                                        35⤵
                                                                                                                                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                        PID:3676
                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                                                                        35⤵
                                                                                                                                                                                                                                                          PID:5000
                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                                                                      33⤵
                                                                                                                                                                                                                                                      • Checks computer location settings
                                                                                                                                                                                                                                                      PID:4840
                                                                                                                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                                                                        34⤵
                                                                                                                                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                        PID:740
                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                                                                        34⤵
                                                                                                                                                                                                                                                          PID:2748
                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                                                                      32⤵
                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                      PID:3876
                                                                                                                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                                                                        33⤵
                                                                                                                                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                        PID:3896
                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                                                                        33⤵
                                                                                                                                                                                                                                                          PID:1952
                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                                                                      31⤵
                                                                                                                                                                                                                                                      • Checks computer location settings
                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                      PID:3628
                                                                                                                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                                                                        32⤵
                                                                                                                                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                        PID:908
                                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                                                                        32⤵
                                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                                        PID:4456
                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                                                                    30⤵
                                                                                                                                                                                                                                                    • Checks computer location settings
                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                    PID:1176
                                                                                                                                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                                                                      31⤵
                                                                                                                                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                      PID:548
                                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                                                                      31⤵
                                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                                      PID:3900
                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                                                                  29⤵
                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                  PID:4912
                                                                                                                                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                                                                    30⤵
                                                                                                                                                                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                    PID:4048
                                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                                                                    30⤵
                                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                                    PID:1772
                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                                                                28⤵
                                                                                                                                                                                                                                                • Checks computer location settings
                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                PID:620
                                                                                                                                                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                                                                  29⤵
                                                                                                                                                                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                  PID:4888
                                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                                                                  29⤵
                                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                                  PID:1692
                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                                                              27⤵
                                                                                                                                                                                                                                              • Checks computer location settings
                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                              PID:4104
                                                                                                                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                                                                28⤵
                                                                                                                                                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                                PID:1524
                                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                                                                28⤵
                                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                                PID:4568
                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                                                            26⤵
                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                            PID:1376
                                                                                                                                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                                                              27⤵
                                                                                                                                                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                              PID:3048
                                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                                                              27⤵
                                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                              PID:4292
                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                                                          25⤵
                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                          PID:5044
                                                                                                                                                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                                                            26⤵
                                                                                                                                                                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                            PID:4896
                                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                                                            26⤵
                                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                            PID:3628
                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                                                        24⤵
                                                                                                                                                                                                                                        • Checks computer location settings
                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                        PID:4812
                                                                                                                                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                                                          25⤵
                                                                                                                                                                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                          PID:1560
                                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                                                          25⤵
                                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                          PID:4360
                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                                                      23⤵
                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                      PID:3196
                                                                                                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                                                        24⤵
                                                                                                                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                        PID:4888
                                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                                                        24⤵
                                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                        PID:4948
                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                                                    22⤵
                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                    PID:1420
                                                                                                                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                                                      23⤵
                                                                                                                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                      PID:1956
                                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                                                      23⤵
                                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                      PID:1752
                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                                                  21⤵
                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                  PID:4376
                                                                                                                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                                                    22⤵
                                                                                                                                                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                    PID:4408
                                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                                                    22⤵
                                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                    PID:3716
                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                                                20⤵
                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                PID:1448
                                                                                                                                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                                                  21⤵
                                                                                                                                                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                  PID:412
                                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                                                  21⤵
                                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                  PID:64
                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                                              19⤵
                                                                                                                                                                                                                              • Checks computer location settings
                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                              PID:2620
                                                                                                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                                                20⤵
                                                                                                                                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                PID:3068
                                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                                                20⤵
                                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                                PID:3944
                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                                            18⤵
                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                            PID:2256
                                                                                                                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                                              19⤵
                                                                                                                                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                              PID:680
                                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                                              19⤵
                                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                              PID:1256
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                                          17⤵
                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                          PID:4864
                                                                                                                                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                                            18⤵
                                                                                                                                                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                            PID:1424
                                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                                            18⤵
                                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                            PID:4564
                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                                        16⤵
                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                        PID:4072
                                                                                                                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                                          17⤵
                                                                                                                                                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                          PID:4376
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                                          17⤵
                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                          PID:4140
                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                                      15⤵
                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                      PID:4836
                                                                                                                                                                                                                      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                                        16⤵
                                                                                                                                                                                                                        • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                        PID:620
                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                                        16⤵
                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                        PID:3064
                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                                    14⤵
                                                                                                                                                                                                                    • Checks computer location settings
                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                    PID:3876
                                                                                                                                                                                                                    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                                      15⤵
                                                                                                                                                                                                                      • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                      PID:2040
                                                                                                                                                                                                                    • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                                      "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                                      15⤵
                                                                                                                                                                                                                      • Executes dropped EXE
                                                                                                                                                                                                                      • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                      PID:1940
                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                                  13⤵
                                                                                                                                                                                                                  • Checks computer location settings
                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                  PID:1180
                                                                                                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                                    14⤵
                                                                                                                                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                    PID:2396
                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                                    14⤵
                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                    PID:2356
                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                                12⤵
                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                PID:1552
                                                                                                                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                                  13⤵
                                                                                                                                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                  PID:1540
                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                                  13⤵
                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                  PID:3820
                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                              11⤵
                                                                                                                                                                                                              • Checks computer location settings
                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                              PID:2152
                                                                                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                                12⤵
                                                                                                                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                PID:2796
                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                                12⤵
                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                PID:1204
                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                            10⤵
                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                            PID:4960
                                                                                                                                                                                                            • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                              "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                              11⤵
                                                                                                                                                                                                              • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                              PID:4116
                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                              11⤵
                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                              • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                              PID:244
                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                          9⤵
                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                          PID:1560
                                                                                                                                                                                                          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                            "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                            10⤵
                                                                                                                                                                                                            • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                            PID:1536
                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                            "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                            10⤵
                                                                                                                                                                                                            • Executes dropped EXE
                                                                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                            PID:4984
                                                                                                                                                                                                      • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                        "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                        8⤵
                                                                                                                                                                                                        • Checks computer location settings
                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                        PID:4696
                                                                                                                                                                                                        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                          9⤵
                                                                                                                                                                                                          • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                          PID:1180
                                                                                                                                                                                                        • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                          "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                          9⤵
                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                          • Suspicious use of SetWindowsHookEx
                                                                                                                                                                                                          PID:1108
                                                                                                                                                                                                          • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                            "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Microsoft Update" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft Update.exe"' & exit
                                                                                                                                                                                                            10⤵
                                                                                                                                                                                                              PID:2040
                                                                                                                                                                                                              • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                schtasks /create /f /sc onlogon /rl highest /tn "Microsoft Update" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft Update.exe"'
                                                                                                                                                                                                                11⤵
                                                                                                                                                                                                                • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                PID:1424
                                                                                                                                                                                                            • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                              "C:\Windows\System32\cmd.exe" /c schtasks /delete /f /tn "Client"
                                                                                                                                                                                                              10⤵
                                                                                                                                                                                                                PID:536
                                                                                                                                                                                                                • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                  schtasks /delete /f /tn "Client"
                                                                                                                                                                                                                  11⤵
                                                                                                                                                                                                                    PID:892
                                                                                                                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpEAC.tmp.bat""
                                                                                                                                                                                                                  10⤵
                                                                                                                                                                                                                    PID:2424
                                                                                                                                                                                                                    • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                      timeout 3
                                                                                                                                                                                                                      11⤵
                                                                                                                                                                                                                      • Delays execution with timeout.exe
                                                                                                                                                                                                                      PID:1628
                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                              7⤵
                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                              PID:4408
                                                                                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                PID:1564
                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                                8⤵
                                                                                                                                                                                                                • Checks computer location settings
                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                PID:744
                                                                                                                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Microsoft Update" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft Update.exe"' & exit
                                                                                                                                                                                                                  9⤵
                                                                                                                                                                                                                    PID:2088
                                                                                                                                                                                                                    • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                      schtasks /create /f /sc onlogon /rl highest /tn "Microsoft Update" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft Update.exe"'
                                                                                                                                                                                                                      10⤵
                                                                                                                                                                                                                      • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                      PID:3944
                                                                                                                                                                                                                  • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpD745.tmp.bat""
                                                                                                                                                                                                                    9⤵
                                                                                                                                                                                                                      PID:2060
                                                                                                                                                                                                                      • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                        timeout 3
                                                                                                                                                                                                                        10⤵
                                                                                                                                                                                                                        • Delays execution with timeout.exe
                                                                                                                                                                                                                        PID:1932
                                                                                                                                                                                                                      • C:\Users\Admin\AppData\Roaming\Microsoft Update.exe
                                                                                                                                                                                                                        "C:\Users\Admin\AppData\Roaming\Microsoft Update.exe"
                                                                                                                                                                                                                        10⤵
                                                                                                                                                                                                                        • Executes dropped EXE
                                                                                                                                                                                                                        • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                        PID:2052
                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                                6⤵
                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                                PID:2620
                                                                                                                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                                  7⤵
                                                                                                                                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                  PID:5000
                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                                  7⤵
                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                  PID:2004
                                                                                                                                                                                                                  • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Microsoft Update" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft Update.exe"' & exit
                                                                                                                                                                                                                    8⤵
                                                                                                                                                                                                                      PID:4620
                                                                                                                                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                        schtasks /create /f /sc onlogon /rl highest /tn "Microsoft Update" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft Update.exe"'
                                                                                                                                                                                                                        9⤵
                                                                                                                                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                        PID:4592
                                                                                                                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpCF37.tmp.bat""
                                                                                                                                                                                                                      8⤵
                                                                                                                                                                                                                        PID:4484
                                                                                                                                                                                                                        • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                          timeout 3
                                                                                                                                                                                                                          9⤵
                                                                                                                                                                                                                          • Delays execution with timeout.exe
                                                                                                                                                                                                                          PID:4200
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Microsoft Update.exe
                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Roaming\Microsoft Update.exe"
                                                                                                                                                                                                                          9⤵
                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                          PID:2808
                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                                  5⤵
                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                  • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                                  PID:1464
                                                                                                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                                    6⤵
                                                                                                                                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                    PID:2996
                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                                    6⤵
                                                                                                                                                                                                                    • Checks computer location settings
                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                    • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                                    PID:2020
                                                                                                                                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Microsoft Update" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft Update.exe"' & exit
                                                                                                                                                                                                                      7⤵
                                                                                                                                                                                                                      • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                                      PID:2388
                                                                                                                                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                        schtasks /create /f /sc onlogon /rl highest /tn "Microsoft Update" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft Update.exe"'
                                                                                                                                                                                                                        8⤵
                                                                                                                                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                        PID:436
                                                                                                                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpC61F.tmp.bat""
                                                                                                                                                                                                                      7⤵
                                                                                                                                                                                                                        PID:4584
                                                                                                                                                                                                                        • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                          timeout 3
                                                                                                                                                                                                                          8⤵
                                                                                                                                                                                                                          • Delays execution with timeout.exe
                                                                                                                                                                                                                          PID:4948
                                                                                                                                                                                                                        • C:\Users\Admin\AppData\Roaming\Microsoft Update.exe
                                                                                                                                                                                                                          "C:\Users\Admin\AppData\Roaming\Microsoft Update.exe"
                                                                                                                                                                                                                          8⤵
                                                                                                                                                                                                                          • Executes dropped EXE
                                                                                                                                                                                                                          • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                          PID:2116
                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                  • Checks computer location settings
                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                  • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                                  PID:4072
                                                                                                                                                                                                                  • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                    • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                    PID:3540
                                                                                                                                                                                                                  • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                                    "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                    • Checks computer location settings
                                                                                                                                                                                                                    • Executes dropped EXE
                                                                                                                                                                                                                    • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                    • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                    • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                                    PID:1880
                                                                                                                                                                                                                    • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                      "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Microsoft Update" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft Update.exe"' & exit
                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                      • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                                      PID:784
                                                                                                                                                                                                                      • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                        schtasks /create /f /sc onlogon /rl highest /tn "Microsoft Update" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft Update.exe"'
                                                                                                                                                                                                                        7⤵
                                                                                                                                                                                                                        • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                        PID:1756
                                                                                                                                                                                                                    • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                      C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBAB5.tmp.bat""
                                                                                                                                                                                                                      6⤵
                                                                                                                                                                                                                      • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                                      PID:704
                                                                                                                                                                                                                      • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                        timeout 3
                                                                                                                                                                                                                        7⤵
                                                                                                                                                                                                                        • Delays execution with timeout.exe
                                                                                                                                                                                                                        PID:852
                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                • Checks computer location settings
                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                                PID:220
                                                                                                                                                                                                                • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                  • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                  • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                  PID:64
                                                                                                                                                                                                                • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                                  "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                  • Executes dropped EXE
                                                                                                                                                                                                                  • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                  PID:400
                                                                                                                                                                                                            • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe
                                                                                                                                                                                                              "C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe"
                                                                                                                                                                                                              2⤵
                                                                                                                                                                                                              • Checks computer location settings
                                                                                                                                                                                                              • Executes dropped EXE
                                                                                                                                                                                                              • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                              PID:2040
                                                                                                                                                                                                              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                                                                                                                                                                                                                "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Client.exe'
                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                • Command and Scripting Interpreter: PowerShell
                                                                                                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                PID:2368
                                                                                                                                                                                                              • C:\Users\Admin\AppData\Local\Temp\Client.exe
                                                                                                                                                                                                                "C:\Users\Admin\AppData\Local\Temp\Client.exe"
                                                                                                                                                                                                                3⤵
                                                                                                                                                                                                                • Executes dropped EXE
                                                                                                                                                                                                                • Suspicious behavior: EnumeratesProcesses
                                                                                                                                                                                                                • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                                • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                                PID:5064
                                                                                                                                                                                                                • C:\Windows\System32\cmd.exe
                                                                                                                                                                                                                  "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Microsoft Update" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft Update.exe"' & exit
                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                  • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                                  PID:2636
                                                                                                                                                                                                                  • C:\Windows\system32\schtasks.exe
                                                                                                                                                                                                                    schtasks /create /f /sc onlogon /rl highest /tn "Microsoft Update" /tr '"C:\Users\Admin\AppData\Roaming\Microsoft Update.exe"'
                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                    • Scheduled Task/Job: Scheduled Task
                                                                                                                                                                                                                    PID:4964
                                                                                                                                                                                                                • C:\Windows\system32\cmd.exe
                                                                                                                                                                                                                  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpAF0C.tmp.bat""
                                                                                                                                                                                                                  4⤵
                                                                                                                                                                                                                  • Suspicious use of WriteProcessMemory
                                                                                                                                                                                                                  PID:4520
                                                                                                                                                                                                                  • C:\Windows\system32\timeout.exe
                                                                                                                                                                                                                    timeout 3
                                                                                                                                                                                                                    5⤵
                                                                                                                                                                                                                    • Delays execution with timeout.exe
                                                                                                                                                                                                                    PID:1412
                                                                                                                                                                                                          • C:\Windows\system32\taskmgr.exe
                                                                                                                                                                                                            "C:\Windows\system32\taskmgr.exe" /4
                                                                                                                                                                                                            1⤵
                                                                                                                                                                                                            • Checks SCSI registry key(s)
                                                                                                                                                                                                            • Suspicious use of AdjustPrivilegeToken
                                                                                                                                                                                                            • Suspicious use of FindShellTrayWindow
                                                                                                                                                                                                            • Suspicious use of SendNotifyMessage
                                                                                                                                                                                                            PID:3420

                                                                                                                                                                                                          Network

                                                                                                                                                                                                          MITRE ATT&CK Enterprise v15

                                                                                                                                                                                                          Replay Monitor

                                                                                                                                                                                                          Loading Replay Monitor...

                                                                                                                                                                                                          Downloads

                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Client.exe.log

                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                            1KB

                                                                                                                                                                                                            MD5

                                                                                                                                                                                                            baf55b95da4a601229647f25dad12878

                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                            abc16954ebfd213733c4493fc1910164d825cac8

                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                            ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924

                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                            24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545

                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\Venom RAT + HVNC + Stealer + Grabber.exe.log

                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                            654B

                                                                                                                                                                                                            MD5

                                                                                                                                                                                                            2ff39f6c7249774be85fd60a8f9a245e

                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                            684ff36b31aedc1e587c8496c02722c6698c1c4e

                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                            e1b91642d85d98124a6a31f710e137ab7fd90dec30e74a05ab7fcf3b7887dced

                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                            1d7e8b92ef4afd463d62cfa7e8b9d1799db5bf2a263d3cd7840df2e0a1323d24eb595b5f8eb615c6cb15f9e3a7b4fc99f8dd6a3d34479222e966ec708998aed1

                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log

                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                            2KB

                                                                                                                                                                                                            MD5

                                                                                                                                                                                                            d85ba6ff808d9e5444a4b369f5bc2730

                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                            31aa9d96590fff6981b315e0b391b575e4c0804a

                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                            84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f

                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                            8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249

                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                            944B

                                                                                                                                                                                                            MD5

                                                                                                                                                                                                            2744acde55ac66031f3c2bb05c328933

                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                            6e088a0185664f0c73ab61c70cdb98270e71cfa4

                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                            a2fdbffc4a1ca20c5e76ea0865799b48cfda2f593c6396499e968efa29e37634

                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                            c42e709892bd3b8a81398fa43fddde8148cc135ee09e8e70270858498c63d8ff3697d779df6aff82edd9eedfa914a6b6ed0c5c8f901301b3e5d13e377fd6d90f

                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                            944B

                                                                                                                                                                                                            MD5

                                                                                                                                                                                                            da5c82b0e070047f7377042d08093ff4

                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                            89d05987cd60828cca516c5c40c18935c35e8bd3

                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                            77a94ef8c4258445d538a6006ffadb05afdf888f6f044e1e5466b981a07f16c5

                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                            7360311a3c97b73dd3f6d7179cd979e0e20d69f380d38292447e17e369087d9dd5acb66cd0cbdd95ac4bfb16e5a1b86825f835a8d45b14ea9812102cff59704b

                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                            944B

                                                                                                                                                                                                            MD5

                                                                                                                                                                                                            a2c8179aaa149c0b9791b73ce44c04d1

                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                            703361b0d43ec7f669304e7c0ffbbfdeb1e484ff

                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                            c1d30342a40a2b6e7553da30ceb85754d33820f6fbb3bbbed1ceb30d6390de4a

                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                            2e201dd457d055baad86f68c15bcc7beb48d6dc2ffc10db7f304eb93f697e7b45991cbde857d25da2c9c60c23f3e13df8b5ed5809c1753737a23096e296cc9e3

                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                            944B

                                                                                                                                                                                                            MD5

                                                                                                                                                                                                            ef647504cf229a16d02de14a16241b90

                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                            81480caca469857eb93c75d494828b81e124fda0

                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                            47002672443e80410e55a0b6d683573ac27d70d803b57ee3c2818d1008669710

                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                            a6d8c08c708eee6f7e700880ce79d2ba7cd0acbe8529d96e18f3e90ea1f3cf33fd801dd6eba6017cdd02769e968c48278c090c1deeac710124f79423cd862ee1

                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                            944B

                                                                                                                                                                                                            MD5

                                                                                                                                                                                                            ba169f4dcbbf147fe78ef0061a95e83b

                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                            92a571a6eef49fff666e0f62a3545bcd1cdcda67

                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                            5ef1421e19fde4bc03cd825dd7d6c0e7863f85fd8f0aa4a4d4f8d555dc7606d1

                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                            8d2e5e552210dcda684682538bc964fdd8a8ff5b24cc2cc8af813729f0202191f98eb42d38d2355df17ae620fe401aad6ceaedaed3b112fdacd32485a3a0c07c

                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                            944B

                                                                                                                                                                                                            MD5

                                                                                                                                                                                                            2356e37ccd79ba772a49888c37a84565

                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                            a1a2fc32970d77611f4204f825e2c9c14b5b02a5

                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                            51ee7b30e217d66218396770f94327d4ec8fb02e9199466666cad388811c6bdf

                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                            5a9ddfa2428c70e9d5af62674002223ed07d1a2785a5a73c4124acb29f011f12c88e8175c74844958c0cd78fd8d36ad9a12bf1e202d67c545610a4aeb47152b4

                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                            944B

                                                                                                                                                                                                            MD5

                                                                                                                                                                                                            b7189719e6df2c3dfc76197ec3f31f7a

                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                            effd91412deadc87cc10ef76cdecc1e0b54b6d41

                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                            1c72fa37d078b92c7e900b2e3d17c43c34d936a696a8ddf6c519f4a80308b892

                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                            2df1f1d45844da7ffb17cdfb411f223e9c614c00f5cf7eb5ba92bf7ba174875af2a515371208286c95c0479c934ae2c6a83dfc0b54380be89db1eddd19faf978

                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                            944B

                                                                                                                                                                                                            MD5

                                                                                                                                                                                                            caae66b2d6030f85188e48e4ea3a9fa6

                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                            108425bd97144fa0f92ff7b2109fec293d14a461

                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                            a6c642eaf80247e9682be60ab5ae9ece4d042af56013d164d8047b6fd1aefa1d

                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                            189119a2390e51a49ea0fb8ad1427279cc2bf85f220f3212957c50b33387623b42ab7736fb5a717757b5c4b99c570e7ed2e5e6a578424aafb5c126cdf129ea15

                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                            944B

                                                                                                                                                                                                            MD5

                                                                                                                                                                                                            d8cb3e9459807e35f02130fad3f9860d

                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                            5af7f32cb8a30e850892b15e9164030a041f4bd6

                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                            2b139c74072ccbdaa17b950f32a6dbc934dfb7af9973d97c9b0d9c498012ba68

                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                            045239ba31367fbdd59e883f74eafc05724e23bd6e8f0c1e7171ea2496a497eb9e0cfcb57285bb81c4d569daadba43d6ef64c626ca48f1e2a59e8d97f0cc9184

                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                            944B

                                                                                                                                                                                                            MD5

                                                                                                                                                                                                            6d42b6da621e8df5674e26b799c8e2aa

                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                            ab3ce1327ea1eeedb987ec823d5e0cb146bafa48

                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                            5ab6a1726f425c6d0158f55eb8d81754ddedd51e651aa0a899a29b7a58619c4c

                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                            53faffbda8a835bc1143e894c118c15901a5fd09cfc2224dd2f754c06dc794897315049a579b9a8382d4564f071576045aaaf824019b7139d939152dca38ce29

                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                            944B

                                                                                                                                                                                                            MD5

                                                                                                                                                                                                            f8fe7584164edcdbe4299d351d7faa88

                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                            cb2d2ed13ec6c9dd87eaf16b76bf164de48dca22

                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                            d7a6457635a7c8b2614f5b0662c8e21d49813426c085158c53d5073d8bd1e1bf

                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                            f3a7d1b1cfe5832d8dc72a903bfedbb1de08a4ca894c51810753b382da75d6cb4704d1eaaf5e0eb660604951909682c6ae18273452f04f4ba6a3e1407237613b

                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Client.exe

                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                            144KB

                                                                                                                                                                                                            MD5

                                                                                                                                                                                                            735308830d5d034971c6010708d8e86a

                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                            7e6b2ad74f5b3f94c01bd0b12641a009f503fefa

                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                            103b6e19cf47fe2f3e28f1ad2a12ddcf34287d30e0e887f9907086de379864de

                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                            bb51f8b1166af8a827bc6559710329938b07f1663ee7fadd782f56913c51719de65b028371d64f063e970ede14b857bcddd24f7f60c56aa7899a74a338f7c3ae

                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\Microsoft Update.exe

                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                            163KB

                                                                                                                                                                                                            MD5

                                                                                                                                                                                                            39ec49dbf7fb74a21606065f713cd881

                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                            9ddaedd9c820b2fad1534a65bed5d61611838468

                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                            b834c4796e9073fcf3e9eccfa7034b26fc0ea94783ce111221a6b44f9e015e14

                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                            12d24d9a79b882d4d54e42eca8673c6d78de7e6800d77ea5535deeeafa7448c0525bba767e69c1755dd36258724d7d583d121b0e9e97590925d5772f59e2f96f

                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vahm1kko.kcr.ps1

                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                            60B

                                                                                                                                                                                                            MD5

                                                                                                                                                                                                            d17fe0a3f47be24a6453e9ef58c94641

                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                            6ab83620379fc69f80c0242105ddffd7d98d5d9d

                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\tmpAF0C.tmp.bat

                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                            160B

                                                                                                                                                                                                            MD5

                                                                                                                                                                                                            dec4dc9352c55f35d60c8502d7e7ef89

                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                            98e192ca4370a52c910767cb18850034a3bb7960

                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                            631d9902ef58b34dfc4e50d8495c30268a97f00b19c74ede21ad63d4d472f341

                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                            ff22c9b6d1ce96971c3f334a379217ea8eb56325eaca49b2748ba7d3841f2add2a65a652aa299c65cdffb17e587b400e053a237d57b8680b3ffe7b8524b67437

                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\tmpBAB5.tmp.bat

                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                            160B

                                                                                                                                                                                                            MD5

                                                                                                                                                                                                            d9063f7b5cb24a65d8651070dfa87052

                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                            de8bc79593d42eba95168030a5a51156e4d36ead

                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                            46fc2ee79f94d267cbb9d6cae55394d8f78d05c8fec3e2f49f19ae6debd6e496

                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                            07539b4ffcd21d4a8cb4f7c80851c0471ec6c755d5586457dd6b6df9b4e2a54282b0eb7c90125b41f1cdf36f9fac77270024aebae1138d62a8b8e24e42c83934

                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\tmpC61F.tmp.bat

                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                            160B

                                                                                                                                                                                                            MD5

                                                                                                                                                                                                            531d9851f396d923d1f880108dc8df5a

                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                            d84686b272e66d188f424fdbd3bf07b9bff4db89

                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                            f66098796c469e58b9b89e894c67e363561ae5a5b0dffbe5b2ff31c12c2c66d2

                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                            db3316a4763a5ad93717854301e1ad7b2da2c8457bc2bf4954fce2cbc5d319c696a66c896e90c7118865b98bb9c7dee560c4bbd7d951b76372ac6438706872eb

                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\tmpCF37.tmp.bat

                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                            160B

                                                                                                                                                                                                            MD5

                                                                                                                                                                                                            bdd43de5046eb679530e0458792621e1

                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                            2220b2d85231aba5c8cae6d578c1c85370c56e91

                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                            74b974b4e980ad96a6e2b4b1ef41baee8529e546997f34196e5ef8be5f558599

                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                            af957560b687bdeafdb5b1a6f868d3b6e39667e585db67344cee57a0ec3650c386e00382965d0fbc68eda8f7186b4200f5851044a66b7edb46da16d5a78936ab

                                                                                                                                                                                                          • C:\Users\Admin\AppData\Local\Temp\tmpD745.tmp.bat

                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                            160B

                                                                                                                                                                                                            MD5

                                                                                                                                                                                                            3c8f5c865e5f9d3d4219cb37d1315303

                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                            e478652dcd4311c3fc95600ebcdfee687ea4e70a

                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                            8590eebc0e1900fd079c3826fd2d7c5838d790959d783942e7a6b19a5957d865

                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                            a0c2513f1ebb9725707ad45fc9ea2e8f872d903d8553702528f299ef5e04f83a82dbce03cf48df0476bf71b2f73d968f577b07b843d9131de5524cc279db6be9

                                                                                                                                                                                                          • C:\Users\Admin\AppData\Roaming\MyData\DataLogs.conf

                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                            8B

                                                                                                                                                                                                            MD5

                                                                                                                                                                                                            cf759e4c5f14fe3eec41b87ed756cea8

                                                                                                                                                                                                            SHA1

                                                                                                                                                                                                            c27c796bb3c2fac929359563676f4ba1ffada1f5

                                                                                                                                                                                                            SHA256

                                                                                                                                                                                                            c9f9f193409217f73cc976ad078c6f8bf65d3aabcf5fad3e5a47536d47aa6761

                                                                                                                                                                                                            SHA512

                                                                                                                                                                                                            c7f832aee13a5eb36d145f35d4464374a9e12fa2017f3c2257442d67483b35a55eccae7f7729243350125b37033e075efbc2303839fd86b81b9b4dca3626953b

                                                                                                                                                                                                          • memory/412-333-0x000001BEC1680000-0x000001BEC189C000-memory.dmp

                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                            2.1MB

                                                                                                                                                                                                          • memory/680-311-0x000001B1ED3E0000-0x000001B1ED5FC000-memory.dmp

                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                            2.1MB

                                                                                                                                                                                                          • memory/684-1-0x0000000000630000-0x0000000000CFE000-memory.dmp

                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                            6.8MB

                                                                                                                                                                                                          • memory/684-0-0x00007FFDB43D3000-0x00007FFDB43D5000-memory.dmp

                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                            8KB

                                                                                                                                                                                                          • memory/684-2-0x00007FFDB43D0000-0x00007FFDB4E91000-memory.dmp

                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                            10.8MB

                                                                                                                                                                                                          • memory/684-18-0x00007FFDB43D0000-0x00007FFDB4E91000-memory.dmp

                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                            10.8MB

                                                                                                                                                                                                          • memory/1108-240-0x000000001B860000-0x000000001B87E000-memory.dmp

                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                            120KB

                                                                                                                                                                                                          • memory/1108-565-0x000000001BF30000-0x000000001BF96000-memory.dmp

                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                            408KB

                                                                                                                                                                                                          • memory/1108-238-0x000000001CB30000-0x000000001CBA6000-memory.dmp

                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                            472KB

                                                                                                                                                                                                          • memory/1108-239-0x000000001B6A0000-0x000000001B6B0000-memory.dmp

                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                            64KB

                                                                                                                                                                                                          • memory/1956-354-0x0000025CC8300000-0x0000025CC851C000-memory.dmp

                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                            2.1MB

                                                                                                                                                                                                          • memory/2040-16-0x00007FFDB43D0000-0x00007FFDB4E91000-memory.dmp

                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                            10.8MB

                                                                                                                                                                                                          • memory/2040-17-0x0000000000B10000-0x0000000000B3E000-memory.dmp

                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                            184KB

                                                                                                                                                                                                          • memory/2040-47-0x00007FFDB43D0000-0x00007FFDB4E91000-memory.dmp

                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                            10.8MB

                                                                                                                                                                                                          • memory/2368-23-0x0000028E30DB0000-0x0000028E30DD2000-memory.dmp

                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                            136KB

                                                                                                                                                                                                          • memory/3068-322-0x00000286B92B0000-0x00000286B94CC000-memory.dmp

                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                            2.1MB

                                                                                                                                                                                                          • memory/3420-279-0x000001CEB1EF0000-0x000001CEB1EF1000-memory.dmp

                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                            4KB

                                                                                                                                                                                                          • memory/3420-287-0x000001CEB1EF0000-0x000001CEB1EF1000-memory.dmp

                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                            4KB

                                                                                                                                                                                                          • memory/3420-290-0x000001CEB1EF0000-0x000001CEB1EF1000-memory.dmp

                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                            4KB

                                                                                                                                                                                                          • memory/3420-289-0x000001CEB1EF0000-0x000001CEB1EF1000-memory.dmp

                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                            4KB

                                                                                                                                                                                                          • memory/3420-288-0x000001CEB1EF0000-0x000001CEB1EF1000-memory.dmp

                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                            4KB

                                                                                                                                                                                                          • memory/3420-286-0x000001CEB1EF0000-0x000001CEB1EF1000-memory.dmp

                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                            4KB

                                                                                                                                                                                                          • memory/3420-284-0x000001CEB1EF0000-0x000001CEB1EF1000-memory.dmp

                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                            4KB

                                                                                                                                                                                                          • memory/3420-280-0x000001CEB1EF0000-0x000001CEB1EF1000-memory.dmp

                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                            4KB

                                                                                                                                                                                                          • memory/3420-285-0x000001CEB1EF0000-0x000001CEB1EF1000-memory.dmp

                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                            4KB

                                                                                                                                                                                                          • memory/3420-278-0x000001CEB1EF0000-0x000001CEB1EF1000-memory.dmp

                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                            4KB

                                                                                                                                                                                                          • memory/4008-22-0x00007FFDB43D0000-0x00007FFDB4E91000-memory.dmp

                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                            10.8MB

                                                                                                                                                                                                          • memory/4008-19-0x00007FFDB43D0000-0x00007FFDB4E91000-memory.dmp

                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                            10.8MB

                                                                                                                                                                                                          • memory/4008-15-0x00007FFDB43D0000-0x00007FFDB4E91000-memory.dmp

                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                            10.8MB

                                                                                                                                                                                                          • memory/5064-48-0x0000000000E60000-0x0000000000E8A000-memory.dmp

                                                                                                                                                                                                            Filesize

                                                                                                                                                                                                            168KB