quasar | 4c6183029dcf2e4d604c473c2dfb4f72037b6a8f13d9183b0842fd201e422d7a

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Client.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Process not Found
Key value queried	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000\Control Panel\International\Geo\Nation	Process not Found

Executes dropped EXE 64 IoCs

pid	Process
4588	Client(1).exe
5040	Client(1).exe
2524	Client(1).exe
5028	Client(1).exe
4608	Client(1).exe
4468	Client(1).exe
2372	Client(1).exe
1072	Client(1).exe
2592	Client(1).exe
2076	Client(1).exe
3468	Client(1).exe
4780	Client(1).exe
4988	Client(1).exe
4740	Client(1).exe
568	Client(1).exe
3124	Client(1).exe
2360	Client(1).exe
2848	Client(1).exe
5008	Client-built.exe
4008	Client.exe
3920	Client-built.exe
4944	Client-built.exe
2312	Client-built.exe
3868	Client.exe
1688	Client-built.exe
2096	Client-built.exe
4956	Client.exe
2840	Client.exe
1072	Client.exe
4692	Client.exe
3668	Client.exe
4304	Client.exe
4276	Client.exe
4080	Client-built.exe
4316	Client.exe
1612	Client.exe
3648	Client.exe
3848	Client.exe
1260	Client.exe
2308	Client.exe
3104	Client.exe
4764	Client.exe
5028	Client.exe
2472	Client.exe
3492	Client-built.exe
2540	Client-built.exe
3124	Client.exe
3256	Client.exe
4612	Client(1).exe
1704	Client.exe
2804	Client.exe
4708	Client.exe
1464	Client.exe
4960	Client.exe
4752	Client.exe
648	Client.exe
4996	Client.exe
3700	Client.exe
3860	Client.exe
1696	Client.exe
1256	Client.exe
1528	Client.exe
1772	Client.exe
2952	Client.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SystemTemp	chrome.exe

Subvert Trust Controls: Mark-of-the-Web Bypass 1 TTPs 2 IoCs

When files are downloaded from the Internet, they are tagged with a hidden NTFS Alternate Data Stream (ADS) named Zone.Identifier with a specific value known as the MOTW.

defense_evasion

SIP and Trust Provider Hijacking

T1553.003

description	ioc	Process
File created	C:\Users\Admin\Downloads\Client(1).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Client-built.exe:Zone.Identifier	firefox.exe

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 64 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
624	PING.EXE
2976	PING.EXE
4420	PING.EXE
792	PING.EXE
696	PING.EXE
4424	PING.EXE
2644	PING.EXE
3288	PING.EXE
3368	PING.EXE
3048	PING.EXE
2520	Process not Found
5540	Process not Found
4268	PING.EXE
3372	PING.EXE
524	PING.EXE
1840	PING.EXE
2208	PING.EXE
4856	PING.EXE
5136	Process not Found
1860	PING.EXE
1708	PING.EXE
5088	PING.EXE
4272	PING.EXE
4500	PING.EXE
5180	Process not Found
1948	PING.EXE
4308	PING.EXE
2892	PING.EXE
1364	PING.EXE
4040	Process not Found
1800	PING.EXE
1164	PING.EXE
2572	Process not Found
3560	PING.EXE
1104	PING.EXE
2152	Process not Found
5948	Process not Found
1272	PING.EXE
3924	PING.EXE
568	Process not Found
5876	Process not Found
1556	PING.EXE
5040	PING.EXE
3476	PING.EXE
4224	Process not Found
4952	Process not Found
5064	Process not Found
4484	Process not Found
4428	PING.EXE
4516	Process not Found
2340	PING.EXE
4292	PING.EXE
1780	PING.EXE
2520	Process not Found
2164	PING.EXE
1184	PING.EXE
2520	PING.EXE
1036	PING.EXE
2444	PING.EXE
980	PING.EXE
472	PING.EXE
1012	PING.EXE
3000	PING.EXE
4592	PING.EXE

Checks processor information in registry 2 TTPs 24 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier	firefox.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	firefox.exe

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Gathers network information 2 TTPs 5 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

Command and Scripting Interpreter

T1059

pid	Process
1076	NETSTAT.EXE
4132	NETSTAT.EXE
4940	NETSTAT.EXE
2496	NETSTAT.EXE
3772	ipconfig.exe

Modifies data under HKEY_USERS 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000_Classes\Local Settings	firefox.exe
Key created	\REGISTRY\USER\S-1-5-21-2062871678-1047416116-518495306-1000_Classes\Local Settings	firefox.exe

NTFS ADS 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\Downloads\Client(1).exe:Zone.Identifier	firefox.exe
File created	C:\Users\Admin\Downloads\Client-built.exe:Zone.Identifier	firefox.exe

Runs ping.exe 1 TTPs 64 IoCs

Remote System Discovery

T1018

pid	Process
3000	PING.EXE
3344	PING.EXE
3300	PING.EXE
1956	Process not Found
4040	Process not Found
3924	PING.EXE
472	PING.EXE
4868	PING.EXE
4800	PING.EXE
696	PING.EXE
2236	PING.EXE
3984	PING.EXE
1868	Process not Found
1076	PING.EXE
4308	PING.EXE
2532	PING.EXE
2228	Process not Found
1420	Process not Found
4952	PING.EXE
4500	PING.EXE
3820	PING.EXE
1184	PING.EXE
2208	PING.EXE
1012	PING.EXE
3716	Process not Found
4760	Process not Found
2228	PING.EXE
3984	Process not Found
1168	Process not Found
3712	Process not Found
1284	PING.EXE
3288	PING.EXE
1184	PING.EXE
1532	PING.EXE
3560	PING.EXE
1764	PING.EXE
2560	PING.EXE
5136	Process not Found
1344	PING.EXE
328	PING.EXE
1012	Process not Found
956	Process not Found
3372	PING.EXE
3548	PING.EXE
2560	PING.EXE
4516	Process not Found
788	PING.EXE
900	PING.EXE
4460	PING.EXE
2056	Process not Found
1912	PING.EXE
624	PING.EXE
2644	PING.EXE
1420	Process not Found
3920	PING.EXE
3544	PING.EXE
1604	PING.EXE
5908	Process not Found
4516	Process not Found
2816	PING.EXE
4424	PING.EXE
1840	PING.EXE
3368	PING.EXE
4952	Process not Found

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

pid	Process
2892	schtasks.exe
1500	schtasks.exe
860	schtasks.exe
636	schtasks.exe
3628	schtasks.exe
1488	schtasks.exe
1104	schtasks.exe
3680	schtasks.exe
2560	schtasks.exe
5344	Process not Found
1012	schtasks.exe
1168	Process not Found
6032	Process not Found
1448	schtasks.exe
2536	schtasks.exe
4600	schtasks.exe
2732	schtasks.exe
1168	Process not Found
3644	schtasks.exe
3196	schtasks.exe
1364	Process not Found
2276	schtasks.exe
3948	schtasks.exe
4704	Process not Found
5564	Process not Found
3664	schtasks.exe
3868	schtasks.exe
2680	schtasks.exe
1420	Process not Found
4844	schtasks.exe
4800	Process not Found
2732	Process not Found
3436	schtasks.exe
2112	schtasks.exe
1012	schtasks.exe
2424	schtasks.exe
3716	Process not Found
2420	schtasks.exe
2272	schtasks.exe
3312	schtasks.exe
3084	schtasks.exe
3088	schtasks.exe
4288	schtasks.exe
3116	schtasks.exe
1512	schtasks.exe
2208	Process not Found
1956	Process not Found
2320	schtasks.exe
3792	schtasks.exe
1248	schtasks.exe
3700	schtasks.exe
1304	schtasks.exe
1184	schtasks.exe
4728	schtasks.exe
4840	Process not Found
6140	Process not Found
4344	schtasks.exe
1780	Process not Found
4220	Process not Found
3448	schtasks.exe
1748	schtasks.exe
3752	Process not Found
1912	schtasks.exe
1368	schtasks.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

pid	Process
408	chrome.exe
408	chrome.exe
4944	Client-built.exe
4944	Client-built.exe
2096	Client-built.exe
2096	Client-built.exe
2540	Client-built.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe
Token: SeShutdownPrivilege	408	chrome.exe
Token: SeCreatePagefilePrivilege	408	chrome.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe

Suspicious use of SendNotifyMessage 64 IoCs

pid	Process
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
408	chrome.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
3684	firefox.exe
3684	firefox.exe
4008	Client.exe
4956	Client.exe
1072	Client.exe
4692	Client.exe
3668	Client.exe
4304	Client.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
2804	firefox.exe
3684	firefox.exe
3684	firefox.exe
3684	firefox.exe
3684	firefox.exe
2084	SecHealthUI.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 408 wrote to memory of 4280	408	chrome.exe	79
PID 408 wrote to memory of 4280	408	chrome.exe	79
PID 408 wrote to memory of 2496	408	chrome.exe	80
PID 408 wrote to memory of 2496	408	chrome.exe	80
PID 408 wrote to memory of 2496	408	chrome.exe	80
PID 408 wrote to memory of 2496	408	chrome.exe	80
PID 408 wrote to memory of 2496	408	chrome.exe	80
PID 408 wrote to memory of 2496	408	chrome.exe	80
PID 408 wrote to memory of 2496	408	chrome.exe	80
PID 408 wrote to memory of 2496	408	chrome.exe	80
PID 408 wrote to memory of 2496	408	chrome.exe	80
PID 408 wrote to memory of 2496	408	chrome.exe	80
PID 408 wrote to memory of 2496	408	chrome.exe	80
PID 408 wrote to memory of 2496	408	chrome.exe	80
PID 408 wrote to memory of 2496	408	chrome.exe	80
PID 408 wrote to memory of 2496	408	chrome.exe	80
PID 408 wrote to memory of 2496	408	chrome.exe	80
PID 408 wrote to memory of 2496	408	chrome.exe	80
PID 408 wrote to memory of 2496	408	chrome.exe	80
PID 408 wrote to memory of 2496	408	chrome.exe	80
PID 408 wrote to memory of 2496	408	chrome.exe	80
PID 408 wrote to memory of 2496	408	chrome.exe	80
PID 408 wrote to memory of 2496	408	chrome.exe	80
PID 408 wrote to memory of 2496	408	chrome.exe	80
PID 408 wrote to memory of 2496	408	chrome.exe	80
PID 408 wrote to memory of 2496	408	chrome.exe	80
PID 408 wrote to memory of 2496	408	chrome.exe	80
PID 408 wrote to memory of 2496	408	chrome.exe	80
PID 408 wrote to memory of 2496	408	chrome.exe	80
PID 408 wrote to memory of 2496	408	chrome.exe	80
PID 408 wrote to memory of 2496	408	chrome.exe	80
PID 408 wrote to memory of 2496	408	chrome.exe	80
PID 408 wrote to memory of 1016	408	chrome.exe	81
PID 408 wrote to memory of 1016	408	chrome.exe	81
PID 408 wrote to memory of 4960	408	chrome.exe	82
PID 408 wrote to memory of 4960	408	chrome.exe	82
PID 408 wrote to memory of 4960	408	chrome.exe	82
PID 408 wrote to memory of 4960	408	chrome.exe	82
PID 408 wrote to memory of 4960	408	chrome.exe	82
PID 408 wrote to memory of 4960	408	chrome.exe	82
PID 408 wrote to memory of 4960	408	chrome.exe	82
PID 408 wrote to memory of 4960	408	chrome.exe	82
PID 408 wrote to memory of 4960	408	chrome.exe	82
PID 408 wrote to memory of 4960	408	chrome.exe	82
PID 408 wrote to memory of 4960	408	chrome.exe	82
PID 408 wrote to memory of 4960	408	chrome.exe	82
PID 408 wrote to memory of 4960	408	chrome.exe	82
PID 408 wrote to memory of 4960	408	chrome.exe	82
PID 408 wrote to memory of 4960	408	chrome.exe	82
PID 408 wrote to memory of 4960	408	chrome.exe	82
PID 408 wrote to memory of 4960	408	chrome.exe	82
PID 408 wrote to memory of 4960	408	chrome.exe	82
PID 408 wrote to memory of 4960	408	chrome.exe	82
PID 408 wrote to memory of 4960	408	chrome.exe	82
PID 408 wrote to memory of 4960	408	chrome.exe	82
PID 408 wrote to memory of 4960	408	chrome.exe	82
PID 408 wrote to memory of 4960	408	chrome.exe	82
PID 408 wrote to memory of 4960	408	chrome.exe	82
PID 408 wrote to memory of 4960	408	chrome.exe	82
PID 408 wrote to memory of 4960	408	chrome.exe	82
PID 408 wrote to memory of 4960	408	chrome.exe	82
PID 408 wrote to memory of 4960	408	chrome.exe	82
PID 408 wrote to memory of 4960	408	chrome.exe	82
PID 408 wrote to memory of 4960	408	chrome.exe	82

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument C:\Users\Admin\AppData\Local\Temp\TwoOA1.html
1⤵
- Drops file in Windows directory
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x21c,0x220,0x224,0x1f8,0x228,0x7ff9ca09cc40,0x7ff9ca09cc4c,0x7ff9ca09cc58
  2⤵
  PID:4280
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1860,i,6415140214647064372,9813952208155425256,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=1856 /prefetch:2
  2⤵
  PID:2496
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=2168,i,6415140214647064372,9813952208155425256,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2176 /prefetch:3
  2⤵
  PID:1016
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2248,i,6415140214647064372,9813952208155425256,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=2460 /prefetch:8
  2⤵
  PID:4960
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3120,i,6415140214647064372,9813952208155425256,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3156 /prefetch:1
  2⤵
  PID:4344
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3136,i,6415140214647064372,9813952208155425256,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:4480
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4100,i,6415140214647064372,9813952208155425256,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=4700 /prefetch:8
  2⤵
  PID:3116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4472,i,6415140214647064372,9813952208155425256,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3848 /prefetch:1
  2⤵
  PID:4880
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=2276,i,6415140214647064372,9813952208155425256,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3124 /prefetch:1
  2⤵
  PID:2848
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5136,i,6415140214647064372,9813952208155425256,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=3196 /prefetch:1
  2⤵
  PID:1036
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3180,i,6415140214647064372,9813952208155425256,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5256 /prefetch:8
  2⤵
  PID:5108
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --no-appcompat-clear --field-trial-handle=3176,i,6415140214647064372,9813952208155425256,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5280 /prefetch:8
  2⤵
  PID:2396
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=5372,i,6415140214647064372,9813952208155425256,262144 --variations-seed-version=20241210-050121.637000 --mojo-platform-channel-handle=5580 /prefetch:8
  2⤵
  PID:2984

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4820

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:1712

C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
1⤵
PID:2808

C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
1⤵
PID:4080

C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
1⤵
PID:4828

C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
1⤵
PID:1700

C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
1⤵
PID:1464

C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
1⤵
PID:2532

C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
1⤵
PID:4364

C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
1⤵
PID:3372

C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
1⤵
PID:756

C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
1⤵
PID:2272

C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
1⤵
PID:1252

C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
1⤵
PID:252

C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
1⤵
PID:3832

C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
1⤵
PID:4868

C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
1⤵
PID:968

C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
1⤵
PID:3900

C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
1⤵
PID:4960

C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
1⤵
PID:640

C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
1⤵
PID:3400

C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
1⤵
PID:4472

C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
1⤵
PID:1864

C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
1⤵
PID:1528

C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
1⤵
PID:1900

C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
1⤵
PID:992

C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
1⤵
PID:1368

C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
1⤵
PID:4512

C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
1⤵
PID:4648

C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
1⤵
PID:5040

C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
1⤵
PID:2204

C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
1⤵
PID:2064

C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
1⤵
PID:328

C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
1⤵
PID:1640

C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
1⤵
PID:4704

C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
1⤵
PID:2528

C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
1⤵
PID:2252

C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
1⤵
PID:3076

C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
1⤵
PID:3544

C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
1⤵
PID:4960

C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
1⤵
PID:852

C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
1⤵
PID:3164

C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
1⤵
PID:2856

C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
1⤵
PID:2228

C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
1⤵
PID:2236

C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
1⤵
PID:3856

C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
1⤵
PID:2464

C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
1⤵
PID:1284

C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
1⤵
PID:4992

C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
1⤵
PID:4860

C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
1⤵
PID:2888

C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
1⤵
PID:1712

C:\Windows\system32\cmd.exe
"C:\Windows\system32\cmd.exe"
1⤵
PID:5036
- C:\Windows\system32\ipconfig.exe
  ipconfig
  2⤵
  - Gathers network information
  PID:3772
- C:\Windows\system32\NETSTAT.EXE
  netstat a
  2⤵
  - Gathers network information
  PID:1076
- C:\Windows\system32\NETSTAT.EXE
  netstat e
  2⤵
  - Gathers network information
  PID:4132
- C:\Windows\system32\NETSTAT.EXE
  netstat /e
  2⤵
  - Gathers network information
  PID:4940
- C:\Windows\system32\NETSTAT.EXE
  netstat /a
  2⤵
  - Gathers network information
  PID:2496

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2576

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:1884
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:2804
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2024 -parentBuildID 20240401114208 -prefsHandle 1952 -prefMapHandle 1944 -prefsLen 23839 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4898d6f1-1f45-4322-863c-b93328f2409e} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" gpu
    3⤵
    PID:3028
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2428 -parentBuildID 20240401114208 -prefsHandle 2420 -prefMapHandle 2416 -prefsLen 23717 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b9212c97-6fdf-4c29-9881-de4683abd3a9} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" socket
    3⤵
    - Checks processor information in registry
    PID:4200
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2968 -childID 1 -isForBrowser -prefsHandle 3184 -prefMapHandle 3196 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7d40cb15-5c27-4425-ab4f-ae4df80dcd11} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" tab
    3⤵
    PID:3000
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3924 -childID 2 -isForBrowser -prefsHandle 3904 -prefMapHandle 3900 -prefsLen 29091 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a9f1a3be-11af-4083-b9fd-1914e0cdcfce} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" tab
    3⤵
    PID:4848
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4648 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4604 -prefMapHandle 4516 -prefsLen 29091 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb953eb8-53bf-4460-9062-4f72c05ae9f9} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" utility
    3⤵
    - Checks processor information in registry
    PID:1300
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5332 -childID 3 -isForBrowser -prefsHandle 5316 -prefMapHandle 5312 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bf00138b-9bf1-4f23-b7e6-27b527814920} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" tab
    3⤵
    PID:1692
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5444 -childID 4 -isForBrowser -prefsHandle 5456 -prefMapHandle 5460 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {36bda38c-5b34-466a-92fe-8ac6ed01fe27} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" tab
    3⤵
    PID:740
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5768 -childID 5 -isForBrowser -prefsHandle 5688 -prefMapHandle 5692 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c977a708-ac37-4108-a70f-5f17dc1c0c25} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" tab
    3⤵
    PID:4248
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5520 -childID 6 -isForBrowser -prefsHandle 5088 -prefMapHandle 5728 -prefsLen 29279 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d9e351f5-7c06-4658-bff6-a3d3ba3973ac} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" tab
    3⤵
    PID:3308
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6524 -childID 7 -isForBrowser -prefsHandle 4200 -prefMapHandle 6380 -prefsLen 27211 -prefMapSize 244658 -jsInitHandle 1248 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {87bf4224-fd39-4857-afb5-87fdb52d1965} 2804 "\\.\pipe\gecko-crash-server-pipe.2804" tab
    3⤵
    PID:4536

C:\Users\Admin\Desktop\Client(1).exe
"C:\Users\Admin\Desktop\Client(1).exe"
1⤵
- Executes dropped EXE
PID:4588

C:\Users\Admin\Desktop\Client(1).exe
"C:\Users\Admin\Desktop\Client(1).exe"
1⤵
- Executes dropped EXE
PID:5040

C:\Users\Admin\Desktop\Client(1).exe
"C:\Users\Admin\Desktop\Client(1).exe"
1⤵
- Executes dropped EXE
PID:2524

C:\Users\Admin\Desktop\Client(1).exe
"C:\Users\Admin\Desktop\Client(1).exe"
1⤵
- Executes dropped EXE
PID:5028

C:\Users\Admin\Desktop\Client(1).exe
"C:\Users\Admin\Desktop\Client(1).exe"
1⤵
- Executes dropped EXE
PID:4608

C:\Users\Admin\Desktop\Client(1).exe
"C:\Users\Admin\Desktop\Client(1).exe"
1⤵
- Executes dropped EXE
PID:4468

C:\Users\Admin\Desktop\Client(1).exe
"C:\Users\Admin\Desktop\Client(1).exe"
1⤵
- Executes dropped EXE
PID:2372

C:\Users\Admin\Desktop\Client(1).exe
"C:\Users\Admin\Desktop\Client(1).exe"
1⤵
- Executes dropped EXE
PID:1072

C:\Users\Admin\Desktop\Client(1).exe
"C:\Users\Admin\Desktop\Client(1).exe"
1⤵
- Executes dropped EXE
PID:2592

C:\Users\Admin\Desktop\Client(1).exe
"C:\Users\Admin\Desktop\Client(1).exe"
1⤵
- Executes dropped EXE
PID:2076

C:\Users\Admin\Desktop\Client(1).exe
"C:\Users\Admin\Desktop\Client(1).exe"
1⤵
- Executes dropped EXE
PID:3468

C:\Users\Admin\Desktop\Client(1).exe
"C:\Users\Admin\Desktop\Client(1).exe"
1⤵
- Executes dropped EXE
PID:4780

C:\Users\Admin\Desktop\Client(1).exe
"C:\Users\Admin\Desktop\Client(1).exe"
1⤵
- Executes dropped EXE
PID:4988

C:\Users\Admin\Desktop\Client(1).exe
"C:\Users\Admin\Desktop\Client(1).exe"
1⤵
- Executes dropped EXE
PID:4740

C:\Users\Admin\Desktop\Client(1).exe
"C:\Users\Admin\Desktop\Client(1).exe"
1⤵
- Executes dropped EXE
PID:568

C:\Users\Admin\Desktop\Client(1).exe
"C:\Users\Admin\Desktop\Client(1).exe"
1⤵
- Executes dropped EXE
PID:3124

C:\Users\Admin\Desktop\Client(1).exe
"C:\Users\Admin\Desktop\Client(1).exe"
1⤵
- Executes dropped EXE
PID:2360

C:\Users\Admin\Desktop\Client(1).exe
"C:\Users\Admin\Desktop\Client(1).exe"
1⤵
- Executes dropped EXE
PID:2848

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4620
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  - Subvert Trust Controls: Mark-of-the-Web Bypass
  - Checks processor information in registry
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3684
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=1940 -parentBuildID 20240401114208 -prefsHandle 1856 -prefMapHandle 1848 -prefsLen 24531 -prefMapSize 245025 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5036b001-b78f-4c96-bca5-c983c5811429} 3684 "\\.\pipe\gecko-crash-server-pipe.3684" gpu
    3⤵
    PID:3256
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2284 -parentBuildID 20240401114208 -prefsHandle 2268 -prefMapHandle 2264 -prefsLen 24531 -prefMapSize 245025 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7b54f5e1-f5a6-4c7f-9707-23401574454e} 3684 "\\.\pipe\gecko-crash-server-pipe.3684" socket
    3⤵
    - Checks processor information in registry
    PID:540
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2860 -childID 1 -isForBrowser -prefsHandle 3096 -prefMapHandle 3092 -prefsLen 25030 -prefMapSize 245025 -jsInitHandle 1340 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {87f31f56-03d4-4468-8707-298601e17515} 3684 "\\.\pipe\gecko-crash-server-pipe.3684" tab
    3⤵
    PID:3288
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3700 -childID 2 -isForBrowser -prefsHandle 3716 -prefMapHandle 3712 -prefsLen 30263 -prefMapSize 245025 -jsInitHandle 1340 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {ce09733e-45e7-4837-830c-4cca6f0f098b} 3684 "\\.\pipe\gecko-crash-server-pipe.3684" tab
    3⤵
    PID:4276
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4612 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4616 -prefMapHandle 4608 -prefsLen 30263 -prefMapSize 245025 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {1f857af3-b53d-485d-a83e-837775fd951f} 3684 "\\.\pipe\gecko-crash-server-pipe.3684" utility
    3⤵
    - Checks processor information in registry
    PID:4344
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5336 -childID 3 -isForBrowser -prefsHandle 5376 -prefMapHandle 5372 -prefsLen 27782 -prefMapSize 245025 -jsInitHandle 1340 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {b4f4b6fd-d1e7-44b9-80c6-ded8da3c44d1} 3684 "\\.\pipe\gecko-crash-server-pipe.3684" tab
    3⤵
    PID:2480
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5520 -childID 4 -isForBrowser -prefsHandle 5192 -prefMapHandle 5196 -prefsLen 27782 -prefMapSize 245025 -jsInitHandle 1340 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {adf246fb-c65c-4ebf-b11e-ab0ba59c5834} 3684 "\\.\pipe\gecko-crash-server-pipe.3684" tab
    3⤵
    PID:2512
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5180 -childID 5 -isForBrowser -prefsHandle 5672 -prefMapHandle 5676 -prefsLen 27782 -prefMapSize 245025 -jsInitHandle 1340 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {bd2bbc1d-d248-4ba8-93a2-a974bf64e07f} 3684 "\\.\pipe\gecko-crash-server-pipe.3684" tab
    3⤵
    PID:3184
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=6036 -childID 6 -isForBrowser -prefsHandle 5048 -prefMapHandle 6052 -prefsLen 27782 -prefMapSize 245025 -jsInitHandle 1340 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a3fc529c-a0ad-4aef-a39b-cfb1000c257c} 3684 "\\.\pipe\gecko-crash-server-pipe.3684" tab
    3⤵
    PID:4608

C:\Users\Admin\Desktop\Client-built.exe
"C:\Users\Admin\Desktop\Client-built.exe"
1⤵
- Executes dropped EXE
PID:5008
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  PID:1440
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SendNotifyMessage
  PID:4008
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:4728
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bLPL40Zuv9LW.bat" "
    3⤵
    PID:1252
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:1892
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      PID:5056
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SendNotifyMessage
      PID:4692
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        
        PID:3436
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TL6CMEmhUrdI.bat" "
        5⤵
        
        PID:384
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:2864
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        
        PID:1884
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Executes dropped EXE
        
        PID:4276
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        
        PID:4036
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9RrgCZRJcV5W.bat" "
        7⤵
        
        PID:4752
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2360
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4272
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Executes dropped EXE
        
        PID:3648
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        
        PID:1288
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yYisl1tIbKhC.bat" "
        9⤵
        
        PID:1764
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:4844
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1948
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Executes dropped EXE
        
        PID:2308
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        
        PID:3752
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\faUmdJ4DOp6r.bat" "
        11⤵
        
        PID:2536
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:1244
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        
        PID:2980
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:5028
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        
        PID:2280
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bwHsI5Fh5YBi.bat" "
        13⤵
        
        PID:1140
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2480
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        
        PID:2084
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Executes dropped EXE
        
        PID:3256
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3664
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RQQ7iPzOpJfY.bat" "
        15⤵
        
        PID:2112
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:3172
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        
        PID:792
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Executes dropped EXE
        
        PID:2804
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        
        PID:2320
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\KZwxF19c5MpM.bat" "
        17⤵
        
        PID:2360
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:1772
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2340
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Executes dropped EXE
        
        PID:1464
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        
        PID:2952
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jB4tMmiZvHc5.bat" "
        19⤵
        
        PID:1344
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:1892
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Executes dropped EXE
        
        PID:4752
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        
        PID:3916
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\TZwb3iHOGmF0.bat" "
        21⤵
        
        PID:3320
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:1620
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4424
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Executes dropped EXE
        
        PID:4996
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        
        PID:4368
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mbbWEcKMDQLR.bat" "
        23⤵
        
        PID:2556
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:992
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3560
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Executes dropped EXE
        
        PID:3860
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        
        PID:2700
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dBcg1aeKNFp9.bat" "
        25⤵
        
        PID:1472
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:2164
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4292
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Executes dropped EXE
        
        PID:1256
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        
        PID:4120
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ktMdcowTN3D2.bat" "
        27⤵
        
        PID:2980
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:3680
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        
        PID:1468
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1772
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        29⤵
        
        PID:4372
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\JH2WgtggwxBo.bat" "
        29⤵
        
        PID:1692
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:1288
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        
        PID:2644
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        30⤵
        
        PID:4612
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        31⤵
        
        PID:2432
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dlXMdsf5P5Lj.bat" "
        31⤵
        
        PID:1276
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:4632
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:792
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        32⤵
        
        PID:3800
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        33⤵
        
        PID:4052
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cTF5EUlbUEri.bat" "
        33⤵
        
        PID:4540
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        34⤵
        
        PID:4740
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        34⤵
        
        PID:2708
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        34⤵
        
        PID:4012
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        35⤵
        
        PID:5008
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\moFpQSzQCEav.bat" "
        35⤵
        
        PID:328
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        36⤵
        
        PID:1312
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        36⤵
        
        PID:4320
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        36⤵
        
        PID:540
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        37⤵
        
        PID:1764
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4WA8jVSXZq7m.bat" "
        37⤵
        
        PID:1744
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        38⤵
        
        PID:2164
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        38⤵
        Runs ping.exe
        
        PID:4424
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        38⤵
        
        PID:1860
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        39⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3628
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mFoKXfOzVJod.bat" "
        39⤵
        
        PID:3876
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        40⤵
        
        PID:4220
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        40⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        40⤵
        
        PID:5008
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        41⤵
        
        PID:2372
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\m0QcmpyM2JdL.bat" "
        41⤵
        
        PID:2728
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        42⤵
        
        PID:4972
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        42⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        42⤵
        
        PID:3744
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        43⤵
        
        PID:4464
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\SQJxtkeAg2YE.bat" "
        43⤵
        
        PID:4576
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        44⤵
        
        PID:2776
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        44⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        44⤵
        Checks computer location settings
        
        PID:1976
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        45⤵
        
        PID:384
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DFHU4isNlYIo.bat" "
        45⤵
        
        PID:3868
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        46⤵
        
        PID:2192
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        46⤵
        
        PID:3376
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        46⤵
        Checks computer location settings
        
        PID:2660
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        47⤵
        
        PID:1584
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xJvNGCeKSfuD.bat" "
        47⤵
        
        PID:2808
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        48⤵
        
        PID:1368
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        48⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        48⤵
        
        PID:912
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        49⤵
        
        PID:2312
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rKLReEqTXWkt.bat" "
        49⤵
        
        PID:1800
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        50⤵
        
        PID:2196
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        50⤵
        Runs ping.exe
        
        PID:3288
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        50⤵
        Checks computer location settings
        
        PID:1156
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        51⤵
        
        PID:2516
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\adDvQtLt4Ow8.bat" "
        51⤵
        
        PID:1468
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        52⤵
        
        PID:3792
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        52⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        52⤵
        
        PID:4500
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        53⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2272
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ladnBLDNTVS9.bat" "
        53⤵
        
        PID:1440
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        54⤵
        
        PID:4548
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        54⤵
        
        PID:392
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        54⤵
        Checks computer location settings
        
        PID:4884
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        55⤵
        
        PID:3252
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9Xs2yGh6DChd.bat" "
        55⤵
        
        PID:2196
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        56⤵
        
        PID:1416
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        56⤵
        
        PID:1348
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        56⤵
        
        PID:5068
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        57⤵
        
        PID:1080
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\UZE1rLNpjkzj.bat" "
        57⤵
        
        PID:2964
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        58⤵
        
        PID:3200
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        58⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        58⤵
        
        PID:3900
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        59⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3436
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\U5St3fQmO5au.bat" "
        59⤵
        
        PID:2200
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        60⤵
        
        PID:5088
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        60⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        60⤵
        
        PID:2312
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        61⤵
        
        PID:3888
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vSrwZTC2QKow.bat" "
        61⤵
        
        PID:3948
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        62⤵
        
        PID:4640
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        62⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1036
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        62⤵
        
        PID:1728
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        63⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3792
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gUZ6QPrl68Gk.bat" "
        63⤵
        
        PID:3984
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        64⤵
        
        PID:4592
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        64⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1800
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        64⤵
        
        PID:4796
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        65⤵
        
        PID:3868
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5t5FvgcMrILO.bat" "
        65⤵
        
        PID:3476
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        66⤵
        
        PID:524
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        66⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1840
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        66⤵
        
        PID:400
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        67⤵
        
        PID:1244
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7H1g29BzPkhV.bat" "
        67⤵
        
        PID:4640
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        68⤵
        
        PID:3252
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        68⤵
        
        PID:4176
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        68⤵
        Checks computer location settings
        
        PID:4348
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        69⤵
        
        PID:4388
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\63g539CWlLDo.bat" "
        69⤵
        
        PID:4864
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        70⤵
        
        PID:2732
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        70⤵
        
        PID:1540
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        70⤵
        
        PID:1344
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        71⤵
        
        PID:3908
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\g6QNGgRnQEnh.bat" "
        71⤵
        
        PID:1284
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        72⤵
        
        PID:2572
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        72⤵
        
        PID:984
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        72⤵
        
        PID:2088
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        73⤵
        
        PID:3008
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dEsmOxFQJngL.bat" "
        73⤵
        
        PID:3040
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        74⤵
        
        PID:1448
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        74⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        74⤵
        
        PID:2416
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        75⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3644
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ad4QIJ0XkSLz.bat" "
        75⤵
        
        PID:568
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        76⤵
        
        PID:3748
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        76⤵
        
        PID:3044
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        76⤵
        Checks computer location settings
        
        PID:1892
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        77⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1012
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\AEmtX65K6WkC.bat" "
        77⤵
        
        PID:3436
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        78⤵
        
        PID:4540
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        78⤵
        
        PID:4084
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        78⤵
        
        PID:1180
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        79⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1248
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Jkn0bavCIIAW.bat" "
        79⤵
        
        PID:980
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        80⤵
        
        PID:2164
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        80⤵
        Runs ping.exe
        
        PID:900
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        80⤵
        Checks computer location settings
        
        PID:1736
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        81⤵
        
        PID:2984
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LNjLB9WvMUaR.bat" "
        81⤵
        
        PID:3372
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        82⤵
        
        PID:5080
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        82⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2892
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        82⤵
        
        PID:756
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        83⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1304
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rxYrzpwfE4o1.bat" "
        83⤵
        
        PID:1540
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        84⤵
        
        PID:3956
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        84⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        84⤵
        
        PID:3888
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        85⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1512
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HcpgFWniRJHx.bat" "
        85⤵
        
        PID:4048
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        86⤵
        
        PID:4576
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        86⤵
        Runs ping.exe
        
        PID:3544
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        86⤵
        
        PID:1080
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        87⤵
        
        PID:2732
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9ToFmF71c9N7.bat" "
        87⤵
        
        PID:3540
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        88⤵
        
        PID:2536
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        88⤵
        
        PID:4656
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        88⤵
        
        PID:2504
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        89⤵
        
        PID:740
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\uKwyLacozsQe.bat" "
        89⤵
        
        PID:3548
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        90⤵
        
        PID:3308
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        90⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4428
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        90⤵
        
        PID:3724
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        91⤵
        
        PID:2644
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sfdBCL3R7eIj.bat" "
        91⤵
        
        PID:2496
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        92⤵
        
        PID:4784
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        92⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1164
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        92⤵
        
        PID:2216
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        93⤵
        
        PID:4940
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YfVYqtgw4Ni1.bat" "
        93⤵
        
        PID:3084
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        94⤵
        
        PID:3780
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        94⤵
        Runs ping.exe
        
        PID:3344
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        94⤵
        Checks computer location settings
        
        PID:3588
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        95⤵
        
        PID:928
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0GzSriiT3xoK.bat" "
        95⤵
        
        PID:4844
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        96⤵
        
        PID:4360
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        96⤵
        
        PID:4220
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        96⤵
        
        PID:4544
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        97⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2276
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DMMA7yfds3dS.bat" "
        97⤵
        
        PID:792
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        98⤵
        
        PID:3024
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        98⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:696
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        98⤵
        
        PID:5080
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        99⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1912
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gXlF8yJ1LrMZ.bat" "
        99⤵
        
        PID:2488
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        100⤵
        
        PID:1112
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        100⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3372
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        100⤵
        
        PID:3504
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        101⤵
        
        PID:3956
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BbeaHyqwxBRD.bat" "
        101⤵
        
        PID:1604
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        102⤵
        
        PID:2224
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        102⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        102⤵
        
        PID:476
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        103⤵
        
        PID:4576
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vxkibT9kInR4.bat" "
        103⤵
        
        PID:1748
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        104⤵
        
        PID:3476
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        104⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5040
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        104⤵
        
        PID:2284
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        105⤵
        
        PID:4352
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hyhr5DrA63m2.bat" "
        105⤵
        
        PID:3200
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        106⤵
        
        PID:3184
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        106⤵
        
        PID:2488
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        106⤵
        
        PID:2204
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        107⤵
        
        PID:3544
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\cTQKmEaoagPB.bat" "
        107⤵
        
        PID:3024
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        108⤵
        
        PID:3976
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        108⤵
        Runs ping.exe
        
        PID:1532
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        108⤵
        
        PID:888
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        109⤵
        
        PID:5032
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8IvDgnqQ4Kvw.bat" "
        109⤵
        
        PID:1616
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        110⤵
        
        PID:3780
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        110⤵
        
        PID:4528
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        110⤵
        Checks computer location settings
        
        PID:2240
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        111⤵
        
        PID:1368
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\W7DyERTWbuE0.bat" "
        111⤵
        
        PID:3044
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        112⤵
        
        PID:3500
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        112⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:472
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        112⤵
        Checks computer location settings
        
        PID:3792
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        113⤵
        
        PID:3832
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\gqXULBxCi2HO.bat" "
        113⤵
        
        PID:1532
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        114⤵
        
        PID:1100
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        114⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3368
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        114⤵
        
        PID:2196
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        115⤵
        
        PID:3772
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ATE7SV3oju4Y.bat" "
        115⤵
        
        PID:4940
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        116⤵
        
        PID:3816
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        116⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        116⤵
        
        PID:3308
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        117⤵
        
        PID:4564
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7hgUB4QtHADG.bat" "
        117⤵
        
        PID:3200
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        118⤵
        
        PID:5024
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        118⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2976
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        118⤵
        Checks computer location settings
        
        PID:1228
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        119⤵
        
        PID:1660
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HLLpQzrYz1Bb.bat" "
        119⤵
        
        PID:3196
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        120⤵
        
        PID:3040
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        120⤵
        
        PID:4840
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        120⤵
        Checks computer location settings
        
        PID:4428
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        121⤵
        
        PID:1056
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pnhwb7EUK0tP.bat" "
        121⤵
        
        PID:4220
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        122⤵
        
        PID:472
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        122⤵
        Runs ping.exe
        
        PID:1076
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        122⤵
        
        PID:4576
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        123⤵
        
        PID:5040
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\MuB7DZVzrZfr.bat" "
        123⤵
        
        PID:2188
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        124⤵
        
        PID:3540
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        124⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1184
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        124⤵
        
        PID:4864
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        125⤵
        
        PID:4660
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8TCcEUfta8Kj.bat" "
        125⤵
        
        PID:4420
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        126⤵
        
        PID:3044
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        126⤵
        
        PID:4228
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        126⤵
        Checks computer location settings
        
        PID:1444
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        127⤵
        
        PID:1780
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Cs4A31mYO5iM.bat" "
        127⤵
        
        PID:2168
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        128⤵
        
        PID:1364
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        128⤵
        
        PID:3300
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        128⤵
        
        PID:1068
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        129⤵
        
        PID:4656
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nev3SeVhY8WK.bat" "
        129⤵
        
        PID:1448
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        130⤵
        
        PID:4536
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        130⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2520
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        130⤵
        
        PID:4940
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        131⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4600
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4gOebHd53LQH.bat" "
        131⤵
        
        PID:3780
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        132⤵
        
        PID:3476
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        132⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        132⤵
        
        PID:4496
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        133⤵
        
        PID:4936
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6DXKmQDXqxAZ.bat" "
        133⤵
        
        PID:4468
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        134⤵
        
        PID:2372
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        134⤵
        Runs ping.exe
        
        PID:4460
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        134⤵
        
        PID:2496
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        135⤵
        
        PID:3372
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9h64Y8EYOP9T.bat" "
        135⤵
        
        PID:328
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        136⤵
        
        PID:3644
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        136⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1272
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        136⤵
        
        PID:1748
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        137⤵
        
        PID:1800
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\azsvGH6uxj11.bat" "
        137⤵
        
        PID:1768
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        138⤵
        
        PID:2112
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        138⤵
        Runs ping.exe
        
        PID:1764
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        138⤵
        
        PID:4228
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        139⤵
        
        PID:4220
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ODxmXnIXan9g.bat" "
        139⤵
        
        PID:1448
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        140⤵
        
        PID:3000
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        140⤵
        
        PID:3736
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        140⤵
        
        PID:3664
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        141⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1368
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zTIgi2xuJ7Ab.bat" "
        141⤵
        
        PID:3884
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        142⤵
        
        PID:1312
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        142⤵
        
        PID:1304
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        142⤵
        
        PID:2020
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        143⤵
        
        PID:2480
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\e1ZuqDjvc0a6.bat" "
        143⤵
        
        PID:4936
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        144⤵
        
        PID:3680
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        144⤵
        Runs ping.exe
        
        PID:2236
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        144⤵
        
        PID:1312
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        145⤵
        
        PID:3164
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IAHWPThwmwFb.bat" "
        145⤵
        
        PID:1620
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        146⤵
        
        PID:1840
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        146⤵
        
        PID:624
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        146⤵
        Checks computer location settings
        
        PID:5076
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        147⤵
        
        PID:3180
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\utCdkTaB7hOD.bat" "
        147⤵
        
        PID:4536
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        148⤵
        
        PID:1732
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        148⤵
        
        PID:2112
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        148⤵
        
        PID:4976
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        149⤵
        
        PID:3408
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RIlv76vEyl3E.bat" "
        149⤵
        
        PID:2276
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        150⤵
        
        PID:2368
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        150⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        150⤵
        Checks computer location settings
        
        PID:4444
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        151⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3680
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qC87H07b3Axl.bat" "
        151⤵
        
        PID:2372
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        152⤵
        
        PID:692
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        152⤵
        Runs ping.exe
        
        PID:2228
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        152⤵
        
        PID:2368
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        153⤵
        
        PID:4580
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hoI1vnosxJK3.bat" "
        153⤵
        
        PID:2316
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        154⤵
        
        PID:3560
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        154⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4420
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        154⤵
        Checks computer location settings
        
        PID:852
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        155⤵
        
        PID:1056
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\44zRnfq2nmiH.bat" "
        155⤵
        
        PID:1812
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        156⤵
        
        PID:3540
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        156⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2644
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        156⤵
        
        PID:3560
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        157⤵
        
        PID:4308
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ey7KCmfnbyQP.bat" "
        157⤵
        
        PID:1104
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        158⤵
        
        PID:4248
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        158⤵
        Runs ping.exe
        
        PID:2532
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        158⤵
        
        PID:2644
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        159⤵
        
        PID:5072
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8ipw3VVyFD64.bat" "
        159⤵
        
        PID:2056
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        160⤵
        
        PID:32
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        160⤵
        Runs ping.exe
        
        PID:2560
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        160⤵
        
        PID:4468
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        161⤵
        
        PID:736
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0bppod4oijgH.bat" "
        161⤵
        
        PID:3200
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        162⤵
        
        PID:3476
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        162⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4856
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        162⤵
        
        PID:2488
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        163⤵
        
        PID:1244
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ehDERvHIuiRx.bat" "
        163⤵
        
        PID:3948
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        164⤵
        
        PID:3048
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        164⤵
        
        PID:4552
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        164⤵
        
        PID:5072
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        165⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2732
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\krtGPGTFxAtR.bat" "
        165⤵
        
        PID:3048
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        166⤵
        
        PID:2532
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        166⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1780
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        166⤵
        Checks computer location settings
        
        PID:2348
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        167⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:860
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0pMQ4QYIb0yK.bat" "
        167⤵
        
        PID:736
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        168⤵
        
        PID:1184
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        168⤵
        Runs ping.exe
        
        PID:2560
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        168⤵
        
        PID:860
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        169⤵
        
        PID:2372
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\h93qjO5n9ZPo.bat" "
        169⤵
        
        PID:1500
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        170⤵
        
        PID:5064
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        170⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        170⤵
        Checks computer location settings
        
        PID:2752
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        171⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4344
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lpcwydaJRbmC.bat" "
        171⤵
        
        PID:1768
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        172⤵
        
        PID:3048
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        172⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1104
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        172⤵
        
        PID:2112
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        173⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1184
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\eOOdGUe5FnE1.bat" "
        173⤵
        
        PID:2188
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        174⤵
        
        PID:1368
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        174⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        174⤵
        
        PID:1804

C:\Users\Admin\Desktop\Client-built.exe
"C:\Users\Admin\Desktop\Client-built.exe"
1⤵
- Executes dropped EXE
PID:3920
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  PID:3476
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  PID:3868

C:\Users\Admin\Desktop\Client-built.exe
"C:\Users\Admin\Desktop\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4944
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  PID:3872
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of SendNotifyMessage
  PID:1072
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    PID:3316
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4sPEu6RUalRS.bat" "
    3⤵
    PID:5096
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:636
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      System Network Configuration Discovery: Internet Connection Discovery
      PID:2164
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SendNotifyMessage
      PID:4304
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        
        PID:3004
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\EqXhwU2VV1O4.bat" "
        5⤵
        
        PID:5104
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:3404
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        
        PID:2732
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Executes dropped EXE
        
        PID:1612
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        
        PID:3020
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ucrnbsuv0vP6.bat" "
        7⤵
        
        PID:2924
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:4640
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Executes dropped EXE
        
        PID:1260
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        
        PID:5072
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pmsKFC1xIAd3.bat" "
        9⤵
        
        PID:2320
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:3744
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Executes dropped EXE
        
        PID:4764
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        
        PID:4784
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\k9B5adDk3AVN.bat" "
        11⤵
        
        PID:1280
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:2648
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Executes dropped EXE
        
        PID:3124

C:\Users\Admin\Desktop\Client-built.exe
"C:\Users\Admin\Desktop\Client-built.exe"
1⤵
- Executes dropped EXE
PID:2312
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  PID:1128
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SendNotifyMessage
  PID:4956
- - C:\Windows\SYSTEM32\schtasks.exe
    "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
    3⤵
    PID:116
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\epXoiveg0Lfw.bat" "
    3⤵
    PID:2848
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:3024
  - - C:\Windows\system32\PING.EXE
      ping -n 10 localhost
      4⤵
      PID:4352
  - - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
      "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SendNotifyMessage
      PID:3668
    - - C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        5⤵
        
        PID:2076
    - - C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\bOe9kkLFW2Nd.bat" "
        5⤵
        
        PID:4760
      - C:\Windows\system32\chcp.com
        
        chcp 65001
        6⤵
        
        PID:1256
      - C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        6⤵
        
        PID:472
      - C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        6⤵
        Executes dropped EXE
        
        PID:4316
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        7⤵
        
        PID:4448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mw0pIFVHLOPO.bat" "
        7⤵
        
        PID:2408
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        8⤵
        
        PID:2512
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        8⤵
        Runs ping.exe
        
        PID:788
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        8⤵
        Executes dropped EXE
        
        PID:3848
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2420
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Bhalzl5r7JY1.bat" "
        9⤵
        
        PID:3376
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        10⤵
        
        PID:1248
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        10⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1556
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        10⤵
        Executes dropped EXE
        
        PID:3104
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        11⤵
        
        PID:2484
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jeN6ga5J9EkC.bat" "
        11⤵
        
        PID:4080
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        12⤵
        
        PID:8
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        12⤵
        Runs ping.exe
        
        PID:4952
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2472
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3700
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\e5QrQzp4xirA.bat" "
        13⤵
        
        PID:3900
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        14⤵
        
        PID:2036
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        14⤵
        Runs ping.exe
        
        PID:2816
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:1704
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        15⤵
        
        PID:1416
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vGH2ZwOl0Tx1.bat" "
        15⤵
        
        PID:3932
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        16⤵
        
        PID:5044
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        16⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4500
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        16⤵
        Executes dropped EXE
        
        PID:4708
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3088
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ysMerRHLifEN.bat" "
        17⤵
        
        PID:1720
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        18⤵
        
        PID:2524
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        18⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:4960
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        19⤵
        
        PID:2556
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\462DWIhgZZcs.bat" "
        19⤵
        
        PID:3492
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        20⤵
        
        PID:3700
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        20⤵
        
        PID:2916
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        20⤵
        Executes dropped EXE
        
        PID:648
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        21⤵
        
        PID:3144
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zpYVr6FZVz4K.bat" "
        21⤵
        
        PID:1728
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        22⤵
        
        PID:3408
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        22⤵
        Runs ping.exe
        
        PID:1284
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        22⤵
        Executes dropped EXE
        
        PID:3700
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        23⤵
        
        PID:1840
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aFz847OVImVl.bat" "
        23⤵
        
        PID:2816
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        24⤵
        
        PID:3404
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        24⤵
        
        PID:4820
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        24⤵
        Executes dropped EXE
        
        PID:1696
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        25⤵
        
        PID:980
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zIz4bBLi4E2r.bat" "
        25⤵
        
        PID:5032
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        26⤵
        
        PID:1080
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        26⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1860
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        26⤵
        Executes dropped EXE
        
        PID:1528
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        27⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3868
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6XpHWDnBt493.bat" "
        27⤵
        
        PID:2436
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        28⤵
        
        PID:4444
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        28⤵
        
        PID:3352
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        28⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:2952
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        29⤵
        
        PID:1920
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Am7LiCvM587e.bat" "
        29⤵
        
        PID:2520
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        30⤵
        
        PID:1768
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        30⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        30⤵
        
        PID:5108
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        31⤵
        
        PID:3736
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\2RufMqXssIly.bat" "
        31⤵
        
        PID:2360
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        32⤵
        
        PID:1156
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        32⤵
        
        PID:3468
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        32⤵
        
        PID:3960
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        33⤵
        
        PID:4500
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dHwLL5UFD0CB.bat" "
        33⤵
        
        PID:3196
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        34⤵
        
        PID:2392
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        34⤵
        
        PID:2496
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        34⤵
        
        PID:1920
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        35⤵
        
        PID:2916
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wIqJUHwujHzz.bat" "
        35⤵
        
        PID:3404
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        36⤵
        
        PID:3816
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        36⤵
        Runs ping.exe
        
        PID:3000
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        36⤵
        
        PID:2396
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        37⤵
        
        PID:1120
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VWTIozC0z5RS.bat" "
        37⤵
        
        PID:4388
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        38⤵
        
        PID:3644
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        38⤵
        
        PID:3664
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        38⤵
        
        PID:4792
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        39⤵
        
        PID:2208
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qebhtTESEoGF.bat" "
        39⤵
        
        PID:2528
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        40⤵
        
        PID:2192
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        40⤵
        
        PID:4532
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        40⤵
        
        PID:4848
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        41⤵
        
        PID:2272
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\aRSOnHYYaRWD.bat" "
        41⤵
        
        PID:1620
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        42⤵
        
        PID:1368
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        42⤵
        
        PID:1900
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        42⤵
        Checks computer location settings
        
        PID:3028
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        43⤵
        
        PID:1892
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\QyLnDY87AUht.bat" "
        43⤵
        
        PID:4536
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        44⤵
        
        PID:4840
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        44⤵
        
        PID:2376
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        44⤵
        
        PID:3876
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        45⤵
        
        PID:3984
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Mnyk2IBrH7oe.bat" "
        45⤵
        
        PID:2896
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        46⤵
        
        PID:3084
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        46⤵
        
        PID:928
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        46⤵
        
        PID:2700
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        47⤵
        
        PID:3000
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mrN3Z3TKYRBb.bat" "
        47⤵
        
        PID:1700
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        48⤵
        
        PID:4696
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        48⤵
        
        PID:696
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        48⤵
        
        PID:3176
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        49⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1488
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\b9Y7j9M2RKKc.bat" "
        49⤵
        
        PID:1140
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        50⤵
        
        PID:3772
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        50⤵
        
        PID:1736
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        50⤵
        
        PID:4448
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        51⤵
        
        PID:1284
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\qvx5T9t82yiG.bat" "
        51⤵
        
        PID:3916
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        52⤵
        
        PID:692
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        52⤵
        Runs ping.exe
        
        PID:1344
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        52⤵
        
        PID:4488
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        53⤵
        
        PID:5088
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LR6hPXjZmre8.bat" "
        53⤵
        
        PID:2680
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        54⤵
        
        PID:2784
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        54⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        54⤵
        
        PID:560
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        55⤵
        
        PID:1364
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zglmebT9VTSV.bat" "
        55⤵
        
        PID:1800
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        56⤵
        
        PID:3740
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        56⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1708
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        56⤵
        Checks computer location settings
        
        PID:2108
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        57⤵
        
        PID:1948
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\xJosu5oluUuz.bat" "
        57⤵
        
        PID:3320
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        58⤵
        
        PID:2272
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        58⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:524
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        58⤵
        
        PID:4464
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        59⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2320
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\enPUJwYfRbdc.bat" "
        59⤵
        
        PID:3548
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        60⤵
        
        PID:3716
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        60⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:2444
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        60⤵
        
        PID:2124
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        61⤵
        
        PID:1364
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\WwMRgfsbLGHF.bat" "
        61⤵
        
        PID:1144
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        62⤵
        
        PID:2240
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        62⤵
        
        PID:2196
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        62⤵
        
        PID:1308
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        63⤵
        
        PID:3836
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1CTRzTLJ9pzj.bat" "
        63⤵
        
        PID:932
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        64⤵
        
        PID:4832
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        64⤵
        
        PID:3912
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        64⤵
        Checks computer location settings
        
        PID:1092
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        65⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4288
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XtURYQ0QXwCP.bat" "
        65⤵
        
        PID:2276
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        66⤵
        
        PID:3504
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        66⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        66⤵
        Checks computer location settings
        
        PID:992
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        67⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\1tIONdlSn4Qx.bat" "
        67⤵
        
        PID:4080
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        68⤵
        
        PID:2916
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        68⤵
        
        PID:3168
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        68⤵
        Checks computer location settings
        
        PID:3836
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        69⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3312
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\DgFBkxa9eoUM.bat" "
        69⤵
        
        PID:3200
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        70⤵
        
        PID:4656
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        70⤵
        
        PID:3736
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        70⤵
        
        PID:4288
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        71⤵
        
        PID:1228
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\azRhYcWixrn0.bat" "
        71⤵
        
        PID:4344
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        72⤵
        
        PID:2428
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        72⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:980
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        72⤵
        
        PID:4188
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        73⤵
        
        PID:2168
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\nkalzgzUoLxY.bat" "
        73⤵
        
        PID:1080
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        74⤵
        
        PID:2036
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        74⤵
        
        PID:4552
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        74⤵
        
        PID:3312
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        75⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2892
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3RVhecn5un8I.bat" "
        75⤵
        
        PID:4220
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        76⤵
        
        PID:3368
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        76⤵
        
        PID:5024
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        76⤵
        
        PID:392
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        77⤵
        
        PID:4352
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\8Wag4Bebp3ve.bat" "
        77⤵
        
        PID:1312
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        78⤵
        
        PID:2696
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        78⤵
        
        PID:788
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        78⤵
        
        PID:2444
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        79⤵
        
        PID:2252
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\yptMRhUsE9yg.bat" "
        79⤵
        
        PID:3040
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        80⤵
        
        PID:880
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        80⤵
        Runs ping.exe
        
        PID:1912
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        80⤵
        
        PID:2304
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        81⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2424
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\87hphZRkoF0D.bat" "
        81⤵
        
        PID:3948
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        82⤵
        
        PID:3916
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        82⤵
        Runs ping.exe
        
        PID:3920
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        82⤵
        
        PID:984
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        83⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\IFjmN3TfZl2h.bat" "
        83⤵
        
        PID:3816
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        84⤵
        
        PID:4844
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        84⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:624
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        84⤵
        
        PID:1488
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        85⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1748
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\HSC6LTSP3EyI.bat" "
        85⤵
        
        PID:980
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        86⤵
        
        PID:3748
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        86⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        86⤵
        
        PID:2516
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        87⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2680
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hgoOyrKJP3lf.bat" "
        87⤵
        
        PID:2152
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        88⤵
        
        PID:4548
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        88⤵
        
        PID:4164
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        88⤵
        
        PID:3424
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        89⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4844
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\mQ9xjhfHLEtM.bat" "
        89⤵
        
        PID:5012
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        90⤵
        
        PID:3000
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        90⤵
        
        PID:3716
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        90⤵
        
        PID:900
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        91⤵
        
        PID:1760
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\q1N70TN12ael.bat" "
        91⤵
        
        PID:692
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        92⤵
        
        PID:3932
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        92⤵
        
        PID:4120
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        92⤵
        Checks computer location settings
        
        PID:2548
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        93⤵
        
        PID:1100
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\PjW3Cxxy10Rn.bat" "
        93⤵
        
        PID:1052
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        94⤵
        
        PID:3752
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        94⤵
        
        PID:3956
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        94⤵
        
        PID:4152
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        95⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1500
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\YyxKlRzvQizB.bat" "
        95⤵
        
        PID:1272
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        96⤵
        
        PID:964
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        96⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4268
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        96⤵
        
        PID:2148
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        97⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3116
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\0HC7XgwBA4vn.bat" "
        97⤵
        
        PID:520
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        98⤵
        
        PID:4832
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        98⤵
        Runs ping.exe
        
        PID:1184
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        98⤵
        Checks computer location settings
        
        PID:1036
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        99⤵
        
        PID:4528
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\E6sX2YZf06zz.bat" "
        99⤵
        
        PID:3820
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        100⤵
        
        PID:2208
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        100⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:3924
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        100⤵
        
        PID:3436
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        101⤵
        
        PID:2776
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\VLOi8IbTmsoP.bat" "
        101⤵
        
        PID:3048
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        102⤵
        
        PID:2624
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        102⤵
        
        PID:192
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        102⤵
        
        PID:2612
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        103⤵
        
        PID:2732
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Uq50DVRKyVGL.bat" "
        103⤵
        
        PID:3920
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        104⤵
        
        PID:2360
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        104⤵
        Runs ping.exe
        
        PID:328
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        104⤵
        
        PID:1952
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        105⤵
        
        PID:2200
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6RR8q2Bvhb4w.bat" "
        105⤵
        
        PID:4460
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        106⤵
        
        PID:3492
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        106⤵
        Runs ping.exe
        
        PID:3820
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        106⤵
        
        PID:3352
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        107⤵
        
        PID:4576
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7TgebImmtUW3.bat" "
        107⤵
        
        PID:4268
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        108⤵
        
        PID:1760
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        108⤵
        
        PID:4248
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        108⤵
        
        PID:4080
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        109⤵
        
        PID:2680
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\5LI7wlhU6CAj.bat" "
        109⤵
        
        PID:4592
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        110⤵
        
        PID:2316
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        110⤵
        
        PID:1840
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        110⤵
        
        PID:5012
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        111⤵
        
        PID:3076
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sufqtS53Mxb1.bat" "
        111⤵
        
        PID:3820
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        112⤵
        
        PID:1780
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        112⤵
        Runs ping.exe
        
        PID:4868
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        112⤵
        Checks computer location settings
        
        PID:1144
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        113⤵
        
        PID:3644
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ZStxxkZGiNaA.bat" "
        113⤵
        
        PID:4248
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        114⤵
        
        PID:1304
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        114⤵
        
        PID:2348
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        114⤵
        
        PID:4632
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        115⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3084
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\fVDWkFsYjzyZ.bat" "
        115⤵
        
        PID:3752
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        116⤵
        
        PID:4420
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        116⤵
        Runs ping.exe
        
        PID:1604
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        116⤵
        Checks computer location settings
        
        PID:1208
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        117⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1104
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wC13sC789ywF.bat" "
        117⤵
        
        PID:3468
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        118⤵
        
        PID:5040
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        118⤵
        
        PID:1012
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        118⤵
        
        PID:1348
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        119⤵
        
        PID:4696
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\A5oiZUEBOCm6.bat" "
        119⤵
        
        PID:3500
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        120⤵
        
        PID:4856
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        120⤵
        
        PID:1112
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        120⤵
        
        PID:820
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        121⤵
        
        PID:4784
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\hoozXRkK2tvU.bat" "
        121⤵
        
        PID:3736
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        122⤵
        
        PID:1732
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        122⤵
        Runs ping.exe
        
        PID:3548
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        122⤵
        Checks computer location settings
        
        PID:3040
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        123⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1012
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\RrQhv495btci.bat" "
        123⤵
        
        PID:2788
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        124⤵
        
        PID:2208
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        124⤵
        
        PID:4856
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        124⤵
        
        PID:3376
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        125⤵
        
        PID:1112
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Rt9PksJDn7ND.bat" "
        125⤵
        
        PID:4484
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        126⤵
        
        PID:568
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        126⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3476
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        126⤵
        
        PID:2892
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        127⤵
        
        PID:3712
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rtXfurIEf1nS.bat" "
        127⤵
        
        PID:2372
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        128⤵
        
        PID:116
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        128⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:2208
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        128⤵
        
        PID:4120
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        129⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3948
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dVZ6aWmKQYpn.bat" "
        129⤵
        
        PID:3868
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        130⤵
        
        PID:2460
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        130⤵
        
        PID:4228
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        130⤵
        
        PID:3880
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        131⤵
        
        PID:5064
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Ij4a1IzrbnYM.bat" "
        131⤵
        
        PID:1840
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        132⤵
        
        PID:3832
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        132⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        132⤵
        
        PID:2200
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        133⤵
        
        PID:4592
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\6DSyRrKbMY6m.bat" "
        133⤵
        
        PID:4352
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        134⤵
        
        PID:740
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        134⤵
        
        PID:3576
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        134⤵
        Checks computer location settings
        
        PID:3920
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        135⤵
        
        PID:3736
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\o4XSSSP1zUrs.bat" "
        135⤵
        
        PID:788
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        136⤵
        
        PID:4936
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        136⤵
        
        PID:1944
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        136⤵
        Checks computer location settings
        
        PID:2460
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        137⤵
        
        PID:1812
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\70u4hfOKZnwm.bat" "
        137⤵
        
        PID:2208
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        138⤵
        
        PID:2532
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        138⤵
        Runs ping.exe
        
        PID:3368
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        138⤵
        Checks computer location settings
        
        PID:2476
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        139⤵
        
        PID:3824
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\4ehG5EVTcYLa.bat" "
        139⤵
        
        PID:3868
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        140⤵
        
        PID:3916
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        140⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:5088
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        140⤵
        
        PID:2320
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        141⤵
        
        PID:4856
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\9k9Mu53sx4ac.bat" "
        141⤵
        
        PID:4840
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        142⤵
        
        PID:3024
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        142⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        142⤵
        Checks computer location settings
        
        PID:1912
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        143⤵
        
        PID:3976
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\N9pExcaQG6SG.bat" "
        143⤵
        
        PID:2624
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        144⤵
        
        PID:3204
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        144⤵
        
        PID:4532
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        144⤵
        
        PID:3024
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        145⤵
        
        PID:4224
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\L07fWXasP8Nn.bat" "
        145⤵
        
        PID:860
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        146⤵
        
        PID:5040
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        146⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:1364
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        146⤵
        
        PID:4972
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        147⤵
        
        PID:5064
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\3V2SmrBkGSF9.bat" "
        147⤵
        
        PID:4364
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        148⤵
        
        PID:3540
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        148⤵
        
        PID:1768
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        148⤵
        
        PID:624
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        149⤵
        
        PID:1620
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\sD3JQB0hEPbh.bat" "
        149⤵
        
        PID:4076
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        150⤵
        
        PID:2168
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        150⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3288
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        150⤵
        Checks computer location settings
        
        PID:2960
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        151⤵
        
        PID:1280
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Hj5hHk5RGnnc.bat" "
        151⤵
        
        PID:3924
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        152⤵
        
        PID:964
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        152⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4308
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        152⤵
        
        PID:4472
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        153⤵
        
        PID:2808
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\7l94WCydreuU.bat" "
        153⤵
        
        PID:3680
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        154⤵
        
        PID:3576
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        154⤵
        
        PID:3868
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        154⤵
        
        PID:3044
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        155⤵
        
        PID:1956
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\c3JDkQm05DSE.bat" "
        155⤵
        
        PID:4608
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        156⤵
        
        PID:3300
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        156⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        156⤵
        
        PID:1676
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        157⤵
        
        PID:1448
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\rL4rTl7ALs6W.bat" "
        157⤵
        
        PID:2432
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        158⤵
        
        PID:3688
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        158⤵
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:1012
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        158⤵
        
        PID:4608
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        159⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2112
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\Q6b1iwl3vX77.bat" "
        159⤵
        
        PID:1692
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        160⤵
        
        PID:2532
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        160⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3048
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        160⤵
        Checks computer location settings
        
        PID:1716
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        161⤵
        
        PID:3780
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\LG8eHqGt9fIH.bat" "
        161⤵
        
        PID:2372
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        162⤵
        
        PID:2908
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        162⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:3000
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        162⤵
        Checks computer location settings
        
        PID:3540
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        163⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3196
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\H4SMpFqTtSLk.bat" "
        163⤵
        
        PID:1184
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        164⤵
        
        PID:2736
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        164⤵
        
        PID:3200
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        164⤵
        Checks computer location settings
        
        PID:2896
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        165⤵
        
        PID:2360
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ddNGANkh3gro.bat" "
        165⤵
        
        PID:4952
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        166⤵
        
        PID:1104
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        166⤵
        Runs ping.exe
        
        PID:4800
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        166⤵
        
        PID:3916
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        167⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2536
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\e5kc2L2R3dse.bat" "
        167⤵
        
        PID:1780
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        168⤵
        
        PID:4532
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        168⤵
        Runs ping.exe
        
        PID:3984
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        168⤵
        
        PID:3164
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        169⤵
        
        PID:2360
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\BGpJB8zryDEY.bat" "
        169⤵
        
        PID:3680
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        170⤵
        
        PID:2532
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        170⤵
        System Network Configuration Discovery: Internet Connection Discovery
        
        PID:4592
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        170⤵
        
        PID:3100
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        171⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2560
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\vUWRfBsTpMmJ.bat" "
        171⤵
        
        PID:2572
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        172⤵
        
        PID:2736
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        172⤵
        
        PID:1692
        
        C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
        
        "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
        172⤵
        
        PID:2532
        
        C:\Windows\SYSTEM32\schtasks.exe
        
        "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
        173⤵
        
        PID:1584
        
        C:\Windows\system32\cmd.exe
        
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\XwNTpDhhrELE.bat" "
        173⤵
        
        PID:1768
        
        C:\Windows\system32\chcp.com
        
        chcp 65001
        174⤵
        
        PID:5040
        
        C:\Windows\system32\PING.EXE
        
        ping -n 10 localhost
        174⤵
        Runs ping.exe
        
        PID:3300

C:\Users\Admin\Desktop\Client-built.exe
"C:\Users\Admin\Desktop\Client-built.exe"
1⤵
- Executes dropped EXE
PID:1688
- C:\Windows\SYSTEM32\schtasks.exe
  "schtasks" /create /tn "Windows Update" /sc ONLOGON /tr "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe" /rl HIGHEST /f
  2⤵
  - Scheduled Task/Job: Scheduled Task
  PID:636
- C:\Users\Admin\AppData\Roaming\SubDir\Client.exe
  "C:\Users\Admin\AppData\Roaming\SubDir\Client.exe"
  2⤵
  - Executes dropped EXE
  PID:2840

C:\Users\Admin\Desktop\Client-built.exe
"C:\Users\Admin\Desktop\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2096

C:\Users\Admin\Desktop\Client-built.exe
"C:\Users\Admin\Desktop\Client-built.exe"
1⤵
- Executes dropped EXE
PID:4080

C:\Users\Admin\Desktop\Client-built.exe
"C:\Users\Admin\Desktop\Client-built.exe"
1⤵
- Executes dropped EXE
PID:3492

C:\Users\Admin\Desktop\Client-built.exe
"C:\Users\Admin\Desktop\Client-built.exe"
1⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2540

C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
1⤵
PID:4044

C:\Users\Admin\Desktop\Client.exe
"C:\Users\Admin\Desktop\Client.exe"
1⤵
PID:3816

C:\Users\Admin\Desktop\Client(1).exe
"C:\Users\Admin\Desktop\Client(1).exe"
1⤵
- Executes dropped EXE
PID:4612

C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.SecHealthUI_cw5n1h2txyewy\SecHealthUI.exe" -ServerName:SecHealthUI.AppXep4x2tbtjws1v9qqs0rmb3hxykvkpqtn.mca
1⤵
- Suspicious use of SetWindowsHookEx
PID:2084

C:\Windows\System32\SecurityHealthHost.exe
C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
1⤵
PID:2420

C:\Windows\System32\SecurityHealthHost.exe
C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
1⤵
PID:4612

C:\Windows\System32\SecurityHealthHost.exe
C:\Windows\System32\SecurityHealthHost.exe {E041C90B-68BA-42C9-991E-477B73A75C90} -Embedding
1⤵
PID:3376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

Persistence

Scheduled Task/Job

T1053

Scheduled Task

Privilege Escalation

Scheduled Task/Job

T1053

Scheduled Task

Defense Evasion

Subvert Trust Controls

T1553

SIP and Trust Provider Hijacking

T1553.003

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

Remote System Discovery

T1018

System Information Discovery