njrat | ba67f398fb2c5f91c1c227725fec68eba38a9f6c81a425450baf1b94037fe77e

Analysis

max time kernel
600s
max time network
599s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
30-10-2024 13:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

New Client.exe
Size

65KB
MD5

1bcb0ce08d34ba620819df0268e04011
SHA1

296765a47aa584a24bf66ddc9e67356e3203fac8
SHA256

ba67f398fb2c5f91c1c227725fec68eba38a9f6c81a425450baf1b94037fe77e
SHA512

f3409246d7cf16d9902d3420f6e5048e87859484e85a25eebc4559ddc6d26e9b40843b78b3a056c24e1bd9efc13d609f1a9ef37387789cb6994b84c7e4bd0145
SSDEEP

1536:MKqK4Tm4BoN36t4QviFw1AjHkBnvAffLteF3nLrB9z3nIaF9bXS9vM:MKqK4C4BoN36t4QviFC8EBnYfWl9zYab

Score

10^/10

njrat hacked discovery persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

Platinum

Botnet

HacKed

127.0.0.1:36811

Mutex

svhost.exe

Attributes

reg_key
svhost.exe
splitter
|Ghost|

Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

Client.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit = "C:\\Windows\\System32\\userinit.exe,C:\\Program Files\\discord.exe"	Client.exe

Njrat family
njrat
njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat
Event Triggered Execution: AppInit DLLs 1 TTPs
Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by AppInit DLLs loaded into processes.
persistence privilege_escalation

AppInit DLLs
T1546.010
Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

2992 cmd.exe
Drops startup file 1 IoCs

Processes:

svhost.exe

description ioc process

File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe svhost.exe

pid	process
2992	cmd.exe

description	ioc	process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe	svhost.exe

Executes dropped EXE 11 IoCs

Processes:

svhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exesvhost.exeClient.exesvhost.exesvhost.exesvhost.exe

pid	process
2224	svhost.exe
1524	svhost.exe
2248	svhost.exe
2976	svhost.exe
2108	svhost.exe
776	svhost.exe
2248	svhost.exe
2976	Client.exe
2492	svhost.exe
3036	svhost.exe
2604	svhost.exe

Loads dropped DLL 2 IoCs

Processes:

New Client.exesvhost.exe

pid process

1648 New Client.exe
2224 svhost.exe

pid	process
1648	New Client.exe
2224	svhost.exe

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

svhost.exeClient.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\svhost.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svhost.exe\" .."	svhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Steam = "C:\\Users\\Admin\\Documents\\SU.exe"	Client.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\svhost.exe = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\svhost.exe\" .."	svhost.exe

Drops file in Program Files directory 2 IoCs

Processes:

Client.exe

description ioc process

File created C:\Program Files\discord.exe Client.exe
File opened for modification C:\Program Files\discord.exe Client.exe
Drops file in Windows directory 1 IoCs

Processes:

Client.exe

description ioc process

File created C:\Windows\xdwd.dll Client.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

description	ioc	process
File created	C:\Program Files\discord.exe	Client.exe
File opened for modification	C:\Program Files\discord.exe	Client.exe

description	ioc	process
File created	C:\Windows\xdwd.dll	Client.exe

System Location Discovery: System Language Discovery 1 TTPs 46 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

svhost.exeschtasks.exechoice.exeschtasks.exeschtasks.exeschtasks.exetaskkill.exeschtasks.exeschtasks.exetaskkill.exeschtasks.exeschtasks.exeschtasks.exesvhost.exeschtasks.exeschtasks.exesvhost.exesvhost.exeschtasks.exetaskkill.exeschtasks.exesvhost.exeschtasks.exeschtasks.execmd.exeschtasks.exeschtasks.exetaskkill.exesvhost.exesvhost.exesvhost.exesvhost.exetaskkill.exetaskkill.exeschtasks.exesvhost.exeNew Client.exetaskkill.exeschtasks.exetaskkill.exeschtasks.exetaskkill.exeschtasks.exetaskkill.exeschtasks.exetaskkill.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	choice.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svhost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	New Client.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe

Kills process with taskkill 11 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
2088	taskkill.exe
764	taskkill.exe
2864	taskkill.exe
2404	taskkill.exe
2704	taskkill.exe
2036	taskkill.exe
3028	taskkill.exe
2560	taskkill.exe
1344	taskkill.exe
1852	taskkill.exe
1524	taskkill.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
2812	schtasks.exe
1648	schtasks.exe
3020	schtasks.exe
2632	schtasks.exe
1516	schtasks.exe
764	schtasks.exe
2248	schtasks.exe
1716	schtasks.exe
1628	schtasks.exe
2928	schtasks.exe
1600	schtasks.exe
1692	schtasks.exe
1716	schtasks.exe
2076	schtasks.exe
1308	schtasks.exe
1960	schtasks.exe
2340	schtasks.exe
2860	schtasks.exe
1016	schtasks.exe
2988	schtasks.exe
2928	schtasks.exe
568	schtasks.exe
2188	schtasks.exe
2652	schtasks.exe
768	schtasks.exe
1236	schtasks.exe
1016	schtasks.exe
1564	schtasks.exe
1596	schtasks.exe
1740	schtasks.exe
2600	schtasks.exe
2896	schtasks.exe
2996	schtasks.exe
2220	schtasks.exe
896	schtasks.exe
2600	schtasks.exe
2880	schtasks.exe
2916	schtasks.exe
1812	schtasks.exe
1928	schtasks.exe
2448	schtasks.exe
1852	schtasks.exe
2392	schtasks.exe
2508	schtasks.exe
2700	schtasks.exe
992	schtasks.exe
1696	schtasks.exe
2408	schtasks.exe
2248	schtasks.exe
2924	schtasks.exe
2348	schtasks.exe
2560	schtasks.exe
2108	schtasks.exe
920	schtasks.exe
2116	schtasks.exe
1980	schtasks.exe
636	schtasks.exe
2748	schtasks.exe
2416	schtasks.exe
2536	schtasks.exe
1632	schtasks.exe
2552	schtasks.exe
2368	schtasks.exe
2028	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

schtasks.exeClient.exeCMD.exeschtasks.exeCMD.exeschtasks.exeWmiApSrv.exeCMD.exeschtasks.exeCMD.exeschtasks.exeCMD.exeCMD.exeschtasks.exeschtasks.exe

pid	process
2560	schtasks.exe
2976	Client.exe
576	CMD.exe
1092	schtasks.exe
696	CMD.exe
2976	Client.exe
928	schtasks.exe
2976	Client.exe
2976	Client.exe
2976	Client.exe
2976	Client.exe
2976	Client.exe
2976	Client.exe
2976	Client.exe
2976	Client.exe
2976	Client.exe
2976	Client.exe
2976	Client.exe
2976	Client.exe
2976	Client.exe
2976	Client.exe
2976	Client.exe
2976	Client.exe
2976	Client.exe
2976	Client.exe
2976	Client.exe
2976	Client.exe
2976	Client.exe
2976	Client.exe
2976	Client.exe
2976	Client.exe
1632	WmiApSrv.exe
1272	CMD.exe
2348	schtasks.exe
964	CMD.exe
1016	schtasks.exe
2976	Client.exe
2976	Client.exe
2976	Client.exe
2976	Client.exe
2976	Client.exe
2976	Client.exe
2976	Client.exe
2976	Client.exe
2976	Client.exe
2976	Client.exe
2976	Client.exe
2976	Client.exe
2976	Client.exe
2976	Client.exe
2976	Client.exe
2976	Client.exe
1356	CMD.exe
2248	CMD.exe
1816	schtasks.exe
920	schtasks.exe
2976	Client.exe
2976	Client.exe
2976	Client.exe
2976	Client.exe
2976	Client.exe
2976	Client.exe
2976	Client.exe
2976	Client.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

svhost.exe

description	pid	process
Token: SeDebugPrivilege	2224	svhost.exe
Token: 33	2224	svhost.exe
Token: SeIncBasePriorityPrivilege	2224	svhost.exe
Token: 33	2224	svhost.exe
Token: SeIncBasePriorityPrivilege	2224	svhost.exe
Token: 33	2224	svhost.exe
Token: SeIncBasePriorityPrivilege	2224	svhost.exe
Token: 33	2224	svhost.exe
Token: SeIncBasePriorityPrivilege	2224	svhost.exe
Token: 33	2224	svhost.exe
Token: SeIncBasePriorityPrivilege	2224	svhost.exe
Token: 33	2224	svhost.exe
Token: SeIncBasePriorityPrivilege	2224	svhost.exe
Token: 33	2224	svhost.exe
Token: SeIncBasePriorityPrivilege	2224	svhost.exe
Token: 33	2224	svhost.exe
Token: SeIncBasePriorityPrivilege	2224	svhost.exe
Token: 33	2224	svhost.exe
Token: SeIncBasePriorityPrivilege	2224	svhost.exe
Token: 33	2224	svhost.exe
Token: SeIncBasePriorityPrivilege	2224	svhost.exe
Token: 33	2224	svhost.exe
Token: SeIncBasePriorityPrivilege	2224	svhost.exe
Token: 33	2224	svhost.exe
Token: SeIncBasePriorityPrivilege	2224	svhost.exe
Token: 33	2224	svhost.exe
Token: SeIncBasePriorityPrivilege	2224	svhost.exe
Token: 33	2224	svhost.exe
Token: SeIncBasePriorityPrivilege	2224	svhost.exe
Token: 33	2224	svhost.exe
Token: SeIncBasePriorityPrivilege	2224	svhost.exe
Token: 33	2224	svhost.exe
Token: SeIncBasePriorityPrivilege	2224	svhost.exe
Token: 33	2224	svhost.exe
Token: SeIncBasePriorityPrivilege	2224	svhost.exe
Token: 33	2224	svhost.exe
Token: SeIncBasePriorityPrivilege	2224	svhost.exe
Token: 33	2224	svhost.exe
Token: SeIncBasePriorityPrivilege	2224	svhost.exe
Token: 33	2224	svhost.exe
Token: SeIncBasePriorityPrivilege	2224	svhost.exe
Token: 33	2224	svhost.exe
Token: SeIncBasePriorityPrivilege	2224	svhost.exe
Token: 33	2224	svhost.exe
Token: SeIncBasePriorityPrivilege	2224	svhost.exe
Token: 33	2224	svhost.exe
Token: SeIncBasePriorityPrivilege	2224	svhost.exe
Token: 33	2224	svhost.exe
Token: SeIncBasePriorityPrivilege	2224	svhost.exe
Token: 33	2224	svhost.exe
Token: SeIncBasePriorityPrivilege	2224	svhost.exe
Token: 33	2224	svhost.exe
Token: SeIncBasePriorityPrivilege	2224	svhost.exe
Token: 33	2224	svhost.exe
Token: SeIncBasePriorityPrivilege	2224	svhost.exe
Token: 33	2224	svhost.exe
Token: SeIncBasePriorityPrivilege	2224	svhost.exe
Token: 33	2224	svhost.exe
Token: SeIncBasePriorityPrivilege	2224	svhost.exe
Token: 33	2224	svhost.exe
Token: SeIncBasePriorityPrivilege	2224	svhost.exe
Token: 33	2224	svhost.exe
Token: SeIncBasePriorityPrivilege	2224	svhost.exe
Token: 33	2224	svhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

New Client.execmd.exesvhost.exetaskeng.exe

description	pid	process	target process
PID 1648 wrote to memory of 2224	1648	New Client.exe	svhost.exe
PID 1648 wrote to memory of 2224	1648	New Client.exe	svhost.exe
PID 1648 wrote to memory of 2224	1648	New Client.exe	svhost.exe
PID 1648 wrote to memory of 2224	1648	New Client.exe	svhost.exe
PID 1648 wrote to memory of 2992	1648	New Client.exe	cmd.exe
PID 1648 wrote to memory of 2992	1648	New Client.exe	cmd.exe
PID 1648 wrote to memory of 2992	1648	New Client.exe	cmd.exe
PID 1648 wrote to memory of 2992	1648	New Client.exe	cmd.exe
PID 2992 wrote to memory of 2740	2992	cmd.exe	choice.exe
PID 2992 wrote to memory of 2740	2992	cmd.exe	choice.exe
PID 2992 wrote to memory of 2740	2992	cmd.exe	choice.exe
PID 2992 wrote to memory of 2740	2992	cmd.exe	choice.exe
PID 2224 wrote to memory of 2404	2224	svhost.exe	taskkill.exe
PID 2224 wrote to memory of 2404	2224	svhost.exe	taskkill.exe
PID 2224 wrote to memory of 2404	2224	svhost.exe	taskkill.exe
PID 2224 wrote to memory of 2404	2224	svhost.exe	taskkill.exe
PID 2224 wrote to memory of 2648	2224	svhost.exe	schtasks.exe
PID 2224 wrote to memory of 2648	2224	svhost.exe	schtasks.exe
PID 2224 wrote to memory of 2648	2224	svhost.exe	schtasks.exe
PID 2224 wrote to memory of 2648	2224	svhost.exe	schtasks.exe
PID 2224 wrote to memory of 2860	2224	svhost.exe	schtasks.exe
PID 2224 wrote to memory of 2860	2224	svhost.exe	schtasks.exe
PID 2224 wrote to memory of 2860	2224	svhost.exe	schtasks.exe
PID 2224 wrote to memory of 2860	2224	svhost.exe	schtasks.exe
PID 1652 wrote to memory of 1524	1652	taskeng.exe	svhost.exe
PID 1652 wrote to memory of 1524	1652	taskeng.exe	svhost.exe
PID 1652 wrote to memory of 1524	1652	taskeng.exe	svhost.exe
PID 1652 wrote to memory of 1524	1652	taskeng.exe	svhost.exe
PID 1652 wrote to memory of 2248	1652	taskeng.exe	svhost.exe
PID 1652 wrote to memory of 2248	1652	taskeng.exe	svhost.exe
PID 1652 wrote to memory of 2248	1652	taskeng.exe	svhost.exe
PID 1652 wrote to memory of 2248	1652	taskeng.exe	svhost.exe
PID 1652 wrote to memory of 2976	1652	taskeng.exe	svhost.exe
PID 1652 wrote to memory of 2976	1652	taskeng.exe	svhost.exe
PID 1652 wrote to memory of 2976	1652	taskeng.exe	svhost.exe
PID 1652 wrote to memory of 2976	1652	taskeng.exe	svhost.exe
PID 1652 wrote to memory of 2108	1652	taskeng.exe	svhost.exe
PID 1652 wrote to memory of 2108	1652	taskeng.exe	svhost.exe
PID 1652 wrote to memory of 2108	1652	taskeng.exe	svhost.exe
PID 1652 wrote to memory of 2108	1652	taskeng.exe	svhost.exe
PID 1652 wrote to memory of 776	1652	taskeng.exe	svhost.exe
PID 1652 wrote to memory of 776	1652	taskeng.exe	svhost.exe
PID 1652 wrote to memory of 776	1652	taskeng.exe	svhost.exe
PID 1652 wrote to memory of 776	1652	taskeng.exe	svhost.exe
PID 2224 wrote to memory of 1524	2224	svhost.exe	taskkill.exe
PID 2224 wrote to memory of 1524	2224	svhost.exe	taskkill.exe
PID 2224 wrote to memory of 1524	2224	svhost.exe	taskkill.exe
PID 2224 wrote to memory of 1524	2224	svhost.exe	taskkill.exe
PID 2224 wrote to memory of 1912	2224	svhost.exe	schtasks.exe
PID 2224 wrote to memory of 1912	2224	svhost.exe	schtasks.exe
PID 2224 wrote to memory of 1912	2224	svhost.exe	schtasks.exe
PID 2224 wrote to memory of 1912	2224	svhost.exe	schtasks.exe
PID 2224 wrote to memory of 1268	2224	svhost.exe	schtasks.exe
PID 2224 wrote to memory of 1268	2224	svhost.exe	schtasks.exe
PID 2224 wrote to memory of 1268	2224	svhost.exe	schtasks.exe
PID 2224 wrote to memory of 1268	2224	svhost.exe	schtasks.exe
PID 2224 wrote to memory of 2704	2224	svhost.exe	taskkill.exe
PID 2224 wrote to memory of 2704	2224	svhost.exe	taskkill.exe
PID 2224 wrote to memory of 2704	2224	svhost.exe	taskkill.exe
PID 2224 wrote to memory of 2704	2224	svhost.exe	taskkill.exe
PID 2224 wrote to memory of 2152	2224	svhost.exe	schtasks.exe
PID 2224 wrote to memory of 2152	2224	svhost.exe	schtasks.exe
PID 2224 wrote to memory of 2152	2224	svhost.exe	schtasks.exe
PID 2224 wrote to memory of 2152	2224	svhost.exe	schtasks.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\New Client.exe
"C:\Users\Admin\AppData\Local\Temp\New Client.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1648
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  "C:\Users\Admin\AppData\Local\Temp\svhost.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f im Wireshark.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:2404
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2648
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Local\Temp\svhost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2860
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f im Wireshark.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:1524
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1912
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Local\Temp\svhost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1268
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f im Wireshark.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:2704
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2152
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Local\Temp\svhost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2220
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f im Wireshark.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:2088
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2500
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Local\Temp\svhost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2536
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    PID:2976
  - - C:\Windows\system32\CMD.exe
      "CMD" /C SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Publisher" /tr "C:\Program Files\discord.exe" & exit
      4⤵
      PID:2156
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /CrEAte /F /sc OnLoGoN /rl HighEst /tn "Microsoft Publisher" /tr "C:\Program Files\discord.exe"
        5⤵
        
        PID:2728
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST & exit
      4⤵
      PID:2316
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST
        5⤵
        
        PID:2676
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST & exit
      4⤵
      PID:2840
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        Suspicious behavior: EnumeratesProcesses
        
        PID:2560
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST & exit
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:576
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1092
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST & exit
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:696
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:928
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST & exit
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1272
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:2348
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST & exit
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:964
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        Suspicious behavior: EnumeratesProcesses
        
        PID:1016
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST & exit
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:1356
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        Suspicious behavior: EnumeratesProcesses
        
        PID:920
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST & exit
      4⤵
      Suspicious behavior: EnumeratesProcesses
      PID:2248
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST
        5⤵
        Suspicious behavior: EnumeratesProcesses
        
        PID:1816
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST & exit
      4⤵
      PID:1132
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST
        5⤵
        
        PID:2964
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST & exit
      4⤵
      PID:2916
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1928
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST & exit
      4⤵
      PID:3040
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2108
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST & exit
      4⤵
      PID:2260
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST
        5⤵
        
        PID:3064
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST & exit
      4⤵
      PID:3008
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST
        5⤵
        
        PID:2996
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST & exit
      4⤵
      PID:2560
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1516
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST & exit
      4⤵
      PID:2180
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST
        5⤵
        
        PID:2920
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST & exit
      4⤵
      PID:352
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST
        5⤵
        
        PID:2348
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST & exit
      4⤵
      PID:2928
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST
        5⤵
        
        PID:1016
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST & exit
      4⤵
      PID:2772
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST
        5⤵
        
        PID:708
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST & exit
      4⤵
      PID:2512
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST
        5⤵
        
        PID:1552
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST & exit
      4⤵
      PID:1008
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2700
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST & exit
      4⤵
      PID:3036
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1564
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST & exit
      4⤵
      PID:3032
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1696
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST & exit
      4⤵
      PID:2004
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST
        5⤵
        
        PID:2896
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST & exit
      4⤵
      PID:2304
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2448
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST & exit
      4⤵
      PID:2872
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST
        5⤵
        
        PID:888
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST & exit
      4⤵
      PID:880
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:896
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST & exit
      4⤵
      PID:1100
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST
        5⤵
        
        PID:2784
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST & exit
      4⤵
      PID:2180
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST
        5⤵
        
        PID:2244
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST & exit
      4⤵
      PID:2104
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1632
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST & exit
      4⤵
      PID:2548
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST
        5⤵
        
        PID:2940
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST & exit
      4⤵
      PID:2408
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST
        5⤵
        
        PID:1896
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST & exit
      4⤵
      PID:2084
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST
        5⤵
        
        PID:2112
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST & exit
      4⤵
      PID:2140
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2028
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST & exit
      4⤵
      PID:3036
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:764
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST & exit
      4⤵
      PID:2016
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST
        5⤵
        
        PID:2616
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST & exit
      4⤵
      PID:2728
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST
        5⤵
        
        PID:2060
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST & exit
      4⤵
      PID:2636
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST
        5⤵
        
        PID:2604
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST & exit
      4⤵
      PID:2980
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2812
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST & exit
      4⤵
      PID:1716
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST
        5⤵
        
        PID:696
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST & exit
      4⤵
      PID:2312
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST
        5⤵
        
        PID:1668
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST & exit
      4⤵
      PID:1208
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST
        5⤵
        
        PID:1320
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST & exit
      4⤵
      PID:1272
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2928
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST & exit
      4⤵
      PID:1276
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST
        5⤵
        
        PID:2248
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST & exit
      4⤵
      PID:2372
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2408
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST & exit
      4⤵
      PID:2096
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:992
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST & exit
      4⤵
      PID:2956
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1596
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST & exit
      4⤵
      PID:2440
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:568
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST & exit
      4⤵
      PID:2672
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST
        5⤵
        
        PID:2660
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST & exit
      4⤵
      PID:1608
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1648
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST & exit
      4⤵
      PID:2732
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST
        5⤵
        
        PID:3000
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST & exit
      4⤵
      PID:948
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST
        5⤵
        
        PID:2020
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST & exit
      4⤵
      PID:1440
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2600
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST & exit
      4⤵
      PID:1160
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST
        5⤵
        
        PID:852
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST & exit
      4⤵
      PID:1664
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2928
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST & exit
      4⤵
      PID:1236
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2248
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST & exit
      4⤵
      PID:2408
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST
        5⤵
        
        PID:1660
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST & exit
      4⤵
      PID:1452
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1852
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST & exit
      4⤵
      PID:1500
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST
        5⤵
        
        PID:1736
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST & exit
      4⤵
      PID:1864
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST
        5⤵
        
        PID:3020
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST & exit
      4⤵
      PID:1964
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST
        5⤵
        
        PID:1740
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST & exit
      4⤵
      PID:1060
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST
        5⤵
        
        PID:2304
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST & exit
      4⤵
      PID:2568
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST
        5⤵
        
        PID:2260
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST & exit
      4⤵
      PID:2832
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST
        5⤵
        
        PID:896
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST & exit
      4⤵
      PID:1960
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST
        5⤵
        
        PID:2264
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST & exit
      4⤵
      PID:1788
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2116
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST & exit
      4⤵
      PID:2900
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1016
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST & exit
      4⤵
      PID:2056
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2188
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST & exit
      4⤵
      PID:2328
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST
        5⤵
        
        PID:1680
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST & exit
      4⤵
      PID:2084
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2880
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST & exit
      4⤵
      PID:2444
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2924
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST & exit
      4⤵
      PID:2004
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1692
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST & exit
      4⤵
      PID:1300
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2416
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST & exit
      4⤵
      PID:2556
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST
        5⤵
        
        PID:2696
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST & exit
      4⤵
      PID:3004
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST
        5⤵
        
        PID:2716
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST & exit
      4⤵
      PID:1980
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1716
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST & exit
      4⤵
      PID:2876
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST
        5⤵
        
        PID:1044
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST & exit
      4⤵
      PID:1664
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2652
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST & exit
      4⤵
      PID:1816
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2248
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST & exit
      4⤵
      PID:2632
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST
        5⤵
        
        PID:2640
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST & exit
      4⤵
      PID:2096
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2916
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST & exit
      4⤵
      PID:2476
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3020
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST & exit
      4⤵
      PID:2896
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1740
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST & exit
      4⤵
      PID:2660
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST
        5⤵
        
        PID:2012
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST & exit
      4⤵
      PID:872
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST
        5⤵
        
        PID:1948
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST & exit
      4⤵
      PID:1560
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST
        5⤵
        
        PID:928
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST & exit
      4⤵
      PID:1392
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:768
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST & exit
      4⤵
      PID:576
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST
        5⤵
        
        PID:1208
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST & exit
      4⤵
      PID:3012
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST
        5⤵
        
        PID:1940
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST & exit
      4⤵
      PID:1276
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1236
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST & exit
      4⤵
      PID:1156
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST
        5⤵
        
        PID:2848
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST & exit
      4⤵
      PID:572
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2632
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST & exit
      4⤵
      PID:2140
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST
        5⤵
        
        PID:1064
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST & exit
      4⤵
      PID:2144
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST
        5⤵
        
        PID:548
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST & exit
      4⤵
      PID:1964
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST
        5⤵
        
        PID:2896
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST & exit
      4⤵
      PID:1708
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2076
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST & exit
      4⤵
      PID:2576
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST
        5⤵
        
        PID:2464
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST & exit
      4⤵
      PID:2432
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1716
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST & exit
      4⤵
      PID:2744
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST
        5⤵
        
        PID:1408
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST & exit
      4⤵
      PID:2460
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1812
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST & exit
      4⤵
      PID:2772
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST
        5⤵
        
        PID:1292
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST & exit
      4⤵
      PID:2056
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST
        5⤵
        
        PID:2848
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST & exit
      4⤵
      PID:1376
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST
        5⤵
        
        PID:2700
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST & exit
      4⤵
      PID:1592
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST
        5⤵
        
        PID:2760
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST & exit
      4⤵
      PID:3040
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1308
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST & exit
      4⤵
      PID:1672
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2508
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST & exit
      4⤵
      PID:2824
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST
        5⤵
        
        PID:2748
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST & exit
      4⤵
      PID:2464
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2552
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST & exit
      4⤵
      PID:1560
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1960
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST & exit
      4⤵
      PID:2876
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2600
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST & exit
      4⤵
      PID:672
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2348
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST & exit
      4⤵
      PID:2628
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2340
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST & exit
      4⤵
      PID:1304
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2988
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST & exit
      4⤵
      PID:1056
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST
        5⤵
        
        PID:1748
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST & exit
      4⤵
      PID:2408
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST
        5⤵
        
        PID:932
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST & exit
      4⤵
      PID:876
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST
        5⤵
        
        PID:3040
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST & exit
      4⤵
      PID:1740
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2896
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST & exit
      4⤵
      PID:2820
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2748
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST & exit
      4⤵
      PID:2672
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2996
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST & exit
      4⤵
      PID:776
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo -1 /tn "Windows Update" /tr "C:\Program Files\discord.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1628
  - - C:\Windows\system32\CMD.exe
      "CMD" /c SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST & exit
      4⤵
      PID:2320
    - - C:\Windows\system32\schtasks.exe
        
        SchTaSKs /create /f /sc minute /mo 5 /tn "Windows Update " /tr "C:\Users\Admin\Documents\SU.exe" /RL HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2368
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f im Wireshark.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:2036
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1100
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Local\Temp\svhost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2456
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f im Wireshark.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:3028
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1452
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Local\Temp\svhost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1600
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f im Wireshark.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:2560
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3056
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Local\Temp\svhost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2588
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f im Wireshark.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:1344
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1624
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Local\Temp\svhost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:636
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f im Wireshark.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:764
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1696
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Local\Temp\svhost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2392
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f im Wireshark.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:1852
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2880
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Local\Temp\svhost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    PID:992
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f im Wireshark.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    PID:2864
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /delete /tn "MicrosoftEdgeUpdateTaskMachine" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1392
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "MicrosoftEdgeUpdateTaskMachine" /tr C:\Users\Admin\AppData\Local\Temp\svhost.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:1980
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /C choice /C Y /N /D Y /T 5 & Del "C:\Users\Admin\AppData\Local\Temp\New Client.exe"
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\SysWOW64\choice.exe
    choice /C Y /N /D Y /T 5
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2740

C:\Windows\system32\taskeng.exe
taskeng.exe {6A350E2C-64E4-41E7-A788-21261A817993} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1652
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  C:\Users\Admin\AppData\Local\Temp\svhost.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1524
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  C:\Users\Admin\AppData\Local\Temp\svhost.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2248
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  C:\Users\Admin\AppData\Local\Temp\svhost.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2976
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  C:\Users\Admin\AppData\Local\Temp\svhost.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2108
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  C:\Users\Admin\AppData\Local\Temp\svhost.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:776
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  C:\Users\Admin\AppData\Local\Temp\svhost.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2248
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  C:\Users\Admin\AppData\Local\Temp\svhost.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2492
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  C:\Users\Admin\AppData\Local\Temp\svhost.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3036
- C:\Users\Admin\AppData\Local\Temp\svhost.exe
  C:\Users\Admin\AppData\Local\Temp\svhost.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:2604

C:\Windows\system32\wbem\WmiApSrv.exe
C:\Windows\system32\wbem\WmiApSrv.exe
1⤵
- Suspicious behavior: EnumeratesProcesses
PID:1632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Event Triggered Execution

T1546

AppInit DLLs

T1546.010

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files\discord.exe

Filesize
737.5MB

MD5
916a6a7f7b3b7b34fb17caa458c388a8

SHA1
7d973e78d6cd7ea53eac125c4222fb28e9d9bae2

SHA256
31de2443254fd89582f194b44efb341feccdcbc53b4ff16ec9809100c85c3fc4

SHA512
8df83d6526ed0bf5f60424442db5cec7dbe8ae145968d7696ce328f210518e2c4337b48d050aa699a9496001a13f7652864ce137dc6895b0c9b8a2c38b48584e

Download Submit
C:\Users\Admin\AppData\Local\Temp\svhost.exe

Filesize
65KB

MD5
1bcb0ce08d34ba620819df0268e04011

SHA1
296765a47aa584a24bf66ddc9e67356e3203fac8

SHA256
ba67f398fb2c5f91c1c227725fec68eba38a9f6c81a425450baf1b94037fe77e

SHA512
f3409246d7cf16d9902d3420f6e5048e87859484e85a25eebc4559ddc6d26e9b40843b78b3a056c24e1bd9efc13d609f1a9ef37387789cb6994b84c7e4bd0145

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Client.exe

Filesize
558KB

MD5
64d37a6853cdcff6a20e6dca51d7e1bd

SHA1
d04853d30c2e34a984ded4d86262279e09f461a0

SHA256
12958a9be57b2152337892bdfbd8ff878eb02e235f492de5237e0ffc359ff38a

SHA512
b73c5350ea3036ee322d055da68e923eeb248cb8e7b1a6744be16ebafc86a0e3d3a53a45047d3cc01ba458084b24c2c70b33d0d7bb3de4cb5c23648b151c3f6b

Download Submit
C:\Windows\xdwd.dll

Filesize
136KB

MD5
16e5a492c9c6ae34c59683be9c51fa31

SHA1
97031b41f5c56f371c28ae0d62a2df7d585adaba

SHA256
35c8d022e1d917f1aabdceae98097ccc072161b302f84c768ca63e4b32ac2b66

SHA512
20fd369172ef5e3e2fde388666b42e8fe5f0c2bfa338c0345f45e98af6561a249ba3ecc48c3f16efcc73f02ecb67b3ddb1e2e8f0e77d18fa00ac34e6379e50b6

Download Submit
memory/352-276-0x000007FEF6900000-0x000007FEF6922000-memory.dmp

Filesize
136KB

Download
memory/576-92-0x000007FEF7AA0000-0x000007FEF7AC2000-memory.dmp

Filesize
136KB

Download
memory/696-94-0x000007FEF7AA0000-0x000007FEF7AC2000-memory.dmp

Filesize
136KB

Download
memory/708-305-0x000007FEF6900000-0x000007FEF6922000-memory.dmp

Filesize
136KB

Download
memory/880-426-0x000007FEF6A90000-0x000007FEF6AB2000-memory.dmp

Filesize
136KB

Download
memory/888-420-0x000007FEF6900000-0x000007FEF6922000-memory.dmp

Filesize
136KB

Download
memory/896-425-0x000007FEF6A90000-0x000007FEF6AB2000-memory.dmp

Filesize
136KB

Download
memory/920-152-0x000007FEF6A90000-0x000007FEF6AB2000-memory.dmp

Filesize
136KB

Download
memory/928-93-0x000007FEF7AA0000-0x000007FEF7AC2000-memory.dmp

Filesize
136KB

Download
memory/964-125-0x000007FEF1A00000-0x000007FEF1A22000-memory.dmp

Filesize
136KB

Download
memory/1008-336-0x000007FEF6A90000-0x000007FEF6AB2000-memory.dmp

Filesize
136KB

Download
memory/1016-124-0x000007FEF1A00000-0x000007FEF1A22000-memory.dmp

Filesize
136KB

Download
memory/1016-303-0x000007FEF6A90000-0x000007FEF6AB2000-memory.dmp

Filesize
136KB

Download
memory/1092-91-0x000007FEF7AA0000-0x000007FEF7AC2000-memory.dmp

Filesize
136KB

Download
memory/1100-451-0x000007FEF6900000-0x000007FEF6922000-memory.dmp

Filesize
136KB

Download
memory/1132-175-0x000007FEF6900000-0x000007FEF6922000-memory.dmp

Filesize
136KB

Download
memory/1272-115-0x000007FEF1A00000-0x000007FEF1A22000-memory.dmp

Filesize
136KB

Download
memory/1356-153-0x000007FEF6A90000-0x000007FEF6AB2000-memory.dmp

Filesize
136KB

Download
memory/1516-245-0x000007FEF6900000-0x000007FEF6922000-memory.dmp

Filesize
136KB

Download
memory/1552-333-0x000007FEF6A90000-0x000007FEF6AB2000-memory.dmp

Filesize
136KB

Download
memory/1564-361-0x000007FEF6900000-0x000007FEF6922000-memory.dmp

Filesize
136KB

Download
memory/1632-480-0x000007FEF6900000-0x000007FEF6922000-memory.dmp

Filesize
136KB

Download
memory/1632-123-0x000007FEF1A00000-0x000007FEF1A22000-memory.dmp

Filesize
136KB

Download
memory/1648-0-0x0000000074711000-0x0000000074712000-memory.dmp

Filesize
4KB

Download
memory/1648-2-0x0000000074710000-0x0000000074CBB000-memory.dmp

Filesize
5.7MB

Download
memory/1648-13-0x0000000074710000-0x0000000074CBB000-memory.dmp

Filesize
5.7MB

Download
memory/1648-1-0x0000000074710000-0x0000000074CBB000-memory.dmp

Filesize
5.7MB

Download
memory/1696-365-0x000007FEF6A90000-0x000007FEF6AB2000-memory.dmp

Filesize
136KB

Download
memory/1816-154-0x000007FEF6A90000-0x000007FEF6AB2000-memory.dmp

Filesize
136KB

Download
memory/1896-511-0x000007FEF6900000-0x000007FEF6922000-memory.dmp

Filesize
136KB

Download
memory/1928-185-0x000007FEF6A90000-0x000007FEF6AB2000-memory.dmp

Filesize
136KB

Download
memory/2004-387-0x000007FEF6900000-0x000007FEF6922000-memory.dmp

Filesize
136KB

Download
memory/2028-537-0x000007FEF6900000-0x000007FEF6922000-memory.dmp

Filesize
136KB

Download
memory/2084-517-0x000007FEF6A90000-0x000007FEF6AB2000-memory.dmp

Filesize
136KB

Download
memory/2104-481-0x000007FEF6900000-0x000007FEF6922000-memory.dmp

Filesize
136KB

Download
memory/2108-206-0x000007FEF6900000-0x000007FEF6922000-memory.dmp

Filesize
136KB

Download
memory/2112-516-0x000007FEF6A90000-0x000007FEF6AB2000-memory.dmp

Filesize
136KB

Download
memory/2140-540-0x000007FEF6900000-0x000007FEF6922000-memory.dmp

Filesize
136KB

Download
memory/2180-273-0x000007FEF6A90000-0x000007FEF6AB2000-memory.dmp

Filesize
136KB

Download
memory/2180-456-0x000007FEF6A90000-0x000007FEF6AB2000-memory.dmp

Filesize
136KB

Download
memory/2224-15-0x0000000074710000-0x0000000074CBB000-memory.dmp

Filesize
5.7MB

Download
memory/2224-14-0x0000000074710000-0x0000000074CBB000-memory.dmp

Filesize
5.7MB

Download
memory/2224-12-0x0000000074710000-0x0000000074CBB000-memory.dmp

Filesize
5.7MB

Download
memory/2244-455-0x000007FEF6A90000-0x000007FEF6AB2000-memory.dmp

Filesize
136KB

Download
memory/2248-155-0x000007FEF6A90000-0x000007FEF6AB2000-memory.dmp

Filesize
136KB

Download
memory/2260-216-0x000007FEF6A90000-0x000007FEF6AB2000-memory.dmp

Filesize
136KB

Download
memory/2304-396-0x000007FEF6A90000-0x000007FEF6AB2000-memory.dmp

Filesize
136KB

Download
memory/2348-275-0x000007FEF6900000-0x000007FEF6922000-memory.dmp

Filesize
136KB

Download
memory/2348-113-0x000007FEF1A00000-0x000007FEF1A22000-memory.dmp

Filesize
136KB

Download
memory/2408-512-0x000007FEF6900000-0x000007FEF6922000-memory.dmp

Filesize
136KB

Download
memory/2448-395-0x000007FEF6A90000-0x000007FEF6AB2000-memory.dmp

Filesize
136KB

Download
memory/2512-334-0x000007FEF6A90000-0x000007FEF6AB2000-memory.dmp

Filesize
136KB

Download
memory/2548-486-0x000007FEF6A90000-0x000007FEF6AB2000-memory.dmp

Filesize
136KB

Download
memory/2560-246-0x000007FEF6900000-0x000007FEF6922000-memory.dmp

Filesize
136KB

Download
memory/2560-82-0x000007FEF7AA0000-0x000007FEF7AC2000-memory.dmp

Filesize
136KB

Download
memory/2700-335-0x000007FEF6A90000-0x000007FEF6AB2000-memory.dmp

Filesize
136KB

Download
memory/2772-306-0x000007FEF6900000-0x000007FEF6922000-memory.dmp

Filesize
136KB

Download
memory/2784-450-0x000007FEF6900000-0x000007FEF6922000-memory.dmp

Filesize
136KB

Download
memory/2872-421-0x000007FEF6900000-0x000007FEF6922000-memory.dmp

Filesize
136KB

Download
memory/2896-386-0x000007FEF6900000-0x000007FEF6922000-memory.dmp

Filesize
136KB

Download
memory/2916-186-0x000007FEF6A90000-0x000007FEF6AB2000-memory.dmp

Filesize
136KB

Download
memory/2920-271-0x000007FEF6A90000-0x000007FEF6AB2000-memory.dmp

Filesize
136KB

Download
memory/2928-304-0x000007FEF6A90000-0x000007FEF6AB2000-memory.dmp

Filesize
136KB

Download
memory/2940-485-0x000007FEF6A90000-0x000007FEF6AB2000-memory.dmp

Filesize
136KB

Download
memory/2964-174-0x000007FEF6900000-0x000007FEF6922000-memory.dmp

Filesize
136KB

Download
memory/2976-31-0x0000000001260000-0x00000000012F2000-memory.dmp

Filesize
584KB

Download
memory/2976-1239-0x00000000004E0000-0x00000000004EC000-memory.dmp

Filesize
48KB

Download
memory/2996-243-0x000007FEF6900000-0x000007FEF6922000-memory.dmp

Filesize
136KB

Download
memory/3008-244-0x000007FEF6900000-0x000007FEF6922000-memory.dmp

Filesize
136KB

Download
memory/3032-366-0x000007FEF6A90000-0x000007FEF6AB2000-memory.dmp

Filesize
136KB

Download
memory/3036-364-0x000007FEF6900000-0x000007FEF6922000-memory.dmp

Filesize
136KB

Download
memory/3040-207-0x000007FEF6900000-0x000007FEF6922000-memory.dmp

Filesize
136KB

Download
memory/3064-215-0x000007FEF6A90000-0x000007FEF6AB2000-memory.dmp

Filesize
136KB

Download