asyncrat | 2bd89e81853bbc112cfeb62b676beb0cfc741262bf9e226e15768062e6a14d6a

Analysis

max time kernel
252s
max time network
255s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29/01/2025, 09:35

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

CODEX17-NUKER.exe
Size

10.2MB
MD5

41d910d583bb0000139e4ba501b85ed3
SHA1

3f6385ebe1cfb5a9498b5a24eb18e356b4e89731
SHA256

2bd89e81853bbc112cfeb62b676beb0cfc741262bf9e226e15768062e6a14d6a
SHA512

1580ba5c349e73e38fe899e7498a644bba4c62e95e6c740d330308692916d2f9375af43d560d9041d1b38a5b22e105f687a9f811b7310e396d3590abd1b00fad
SSDEEP

196608:HB7XMxQfsWshAvneXaRxoWpVvjQeuRzTB1WcWrRfVuKcFOrRV5/oRKG9zh:h78xQkWshmNoWTvHQTBatoOrJA0GZh

Score

10^/10

asyncrat xworm fucked up by codex17 execution persistence rat trojan

Malware Config

Extracted

Family

asyncrat

Botnet

FUCKED UP BY CODEX17

105.101.179.171:38672

Attributes

delay
1
install
true
install_file
Anti Spyware core service.exe
install_folder
%AppData%

aes.plain

Extracted

Family

xworm

hall-shine.gl.at.ply.gg:37734

Attributes

Install_directory
%AppData%
install_file
USB.exe
telegram
https://api.telegram.org/bot7581317328:AAHSOYBRXtxAC4eNoBHxtvJwUlAqgnnRcoc/sendMessage?chat_id=6229207397

Signatures

AsyncRat
AsyncRAT is designed to remotely monitor and control other computers written in C#.
rat asyncrat
Asyncrat family
asyncrat

Detect Xworm Payload 2 IoCs

resource	yara_rule
behavioral1/files/0x0004000000012000-28.dat	family_xworm
behavioral1/memory/2584-30-0x0000000000FD0000-0x0000000000FEA000-memory.dmp	family_xworm

Xworm
Xworm is a remote access trojan written in C#.
trojan rat xworm
Xworm family
xworm

Async RAT payload 1 IoCs

rat

resource	yara_rule
behavioral1/files/0x00120000000054a9-13.dat	family_asyncrat

Command and Scripting Interpreter: PowerShell 1 TTPs 64 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
592	powershell.exe
2928	powershell.exe
1688	powershell.exe
2752	powershell.exe
1656	powershell.exe
2124	powershell.exe
1876	powershell.exe
844	powershell.exe
2412	powershell.exe
3028	powershell.exe
2704	powershell.exe
1656	powershell.exe
2704	powershell.exe
236	powershell.exe
2320	powershell.exe
1976	powershell.exe
2104	powershell.exe
2944	powershell.exe
236	powershell.exe
940	powershell.exe
2068	powershell.exe
1268	powershell.exe
2308	powershell.exe
2404	powershell.exe
1968	powershell.exe
1768	powershell.exe
2864	powershell.exe
2808	powershell.exe
1044	powershell.exe
3016	powershell.exe
1316	powershell.exe
1976	powershell.exe
2096	powershell.exe
1528	powershell.exe
668	powershell.exe
3004	powershell.exe
2516	powershell.exe
2288	powershell.exe
3000	powershell.exe
2624	powershell.exe
1360	powershell.exe
1980	powershell.exe
2212	powershell.exe
860	powershell.exe
2912	powershell.exe
2496	powershell.exe
1844	powershell.exe
1648	powershell.exe
3056	powershell.exe
3068	powershell.exe
2092	powershell.exe
2304	powershell.exe
2312	powershell.exe
2168	powershell.exe
1572	powershell.exe
1816	powershell.exe
2288	powershell.exe
2256	powershell.exe
2080	powershell.exe
2340	powershell.exe
1732	powershell.exe
2964	powershell.exe
2864	powershell.exe
848	powershell.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft update.lnk	Microsoft update.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Microsoft update.lnk	Microsoft update.exe

Executes dropped EXE 64 IoCs

pid	Process
1632	Anti Spyware core service.exe
2584	Microsoft update.exe
2292	Anti Spyware core service.exe
548	Anti Spyware core service.exe
2488	Microsoft update.exe
2044	Anti Spyware core service.exe
2944	Microsoft update.exe
788	Anti Spyware core service.exe
2112	Anti Spyware core service.exe
2284	Microsoft update.exe
2064	Anti Spyware core service.exe
1860	Anti Spyware core service.exe
580	Microsoft update.exe
2844	Anti Spyware core service.exe
2848	Microsoft update.exe
484	Anti Spyware core service.exe
2588	Anti Spyware core service.exe
1608	Microsoft update.exe
900	Anti Spyware core service.exe
1844	Microsoft update.exe
2016	Anti Spyware core service.exe
904	Anti Spyware core service.exe
720	Microsoft update.exe
2000	Anti Spyware core service.exe
1868	Anti Spyware core service.exe
1548	Microsoft update.exe
2056	Anti Spyware core service.exe
580	Anti Spyware core service.exe
2908	Microsoft update.exe
1348	Anti Spyware core service.exe
2356	Anti Spyware core service.exe
1644	Microsoft update.exe
2624	Anti Spyware core service.exe
2336	Anti Spyware core service.exe
576	Microsoft update.exe
940	Anti Spyware core service.exe
2944	Anti Spyware core service.exe
2348	Microsoft update.exe
1772	Anti Spyware core service.exe
1812	Microsoft update.exe
1364	Anti Spyware core service.exe
1924	Anti Spyware core service.exe
1572	Microsoft update.exe
1152	Anti Spyware core service.exe
2120	Microsoft update.exe
2724	Anti Spyware core service.exe
924	Anti Spyware core service.exe
2924	Microsoft update.exe
1096	Anti Spyware core service.exe
720	Microsoft update.exe
2900	Anti Spyware core service.exe
2716	Anti Spyware core service.exe
1876	Microsoft update.exe
592	Anti Spyware core service.exe
2372	Anti Spyware core service.exe
984	Microsoft update.exe
1508	Anti Spyware core service.exe
1772	Microsoft update.exe
1612	Anti Spyware core service.exe
800	Anti Spyware core service.exe
608	Microsoft update.exe
1000	Anti Spyware core service.exe
1836	Anti Spyware core service.exe
2764	Microsoft update.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft update = "C:\\Windows\\System32\\Microsoft update.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Anti Spyware core service = "C:\\Windows\\System32\\Anti Spyware core service.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft update = "C:\\Windows\\System32\\Microsoft update.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Anti Spyware core service = "C:\\Windows\\System32\\Anti Spyware core service.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Anti Spyware core service = "C:\\Windows\\System32\\Anti Spyware core service.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft update = "C:\\Windows\\System32\\Microsoft update.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Anti Spyware core service = "C:\\Windows\\System32\\Anti Spyware core service.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft update = "C:\\Windows\\System32\\Microsoft update.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft update = "C:\\Windows\\System32\\Microsoft update.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Anti Spyware core service = "C:\\Windows\\System32\\Anti Spyware core service.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft update = "C:\\Windows\\System32\\Microsoft update.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft update = "C:\\Windows\\System32\\Microsoft update.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Anti Spyware core service = "C:\\Windows\\System32\\Anti Spyware core service.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft update = "C:\\Windows\\System32\\Microsoft update.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Anti Spyware core service = "C:\\Windows\\System32\\Anti Spyware core service.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft update = "C:\\Windows\\System32\\Microsoft update.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft update = "C:\\Windows\\System32\\Microsoft update.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Anti Spyware core service = "C:\\Windows\\System32\\Anti Spyware core service.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Anti Spyware core service = "C:\\Windows\\System32\\Anti Spyware core service.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Anti Spyware core service = "C:\\Windows\\System32\\Anti Spyware core service.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft update = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft update"	Microsoft update.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft update = "C:\\Windows\\System32\\Microsoft update.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Anti Spyware core service = "C:\\Windows\\System32\\Anti Spyware core service.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Anti Spyware core service = "C:\\Windows\\System32\\Anti Spyware core service.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft update = "C:\\Windows\\System32\\Microsoft update.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Anti Spyware core service = "C:\\Windows\\System32\\Anti Spyware core service.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Anti Spyware core service = "C:\\Windows\\System32\\Anti Spyware core service.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Anti Spyware core service = "C:\\Windows\\System32\\Anti Spyware core service.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft update = "C:\\Windows\\System32\\Microsoft update.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Anti Spyware core service = "C:\\Windows\\System32\\Anti Spyware core service.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft update = "C:\\Windows\\System32\\Microsoft update.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft update = "C:\\Windows\\System32\\Microsoft update.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft update = "C:\\Windows\\System32\\Microsoft update.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Anti Spyware core service = "C:\\Windows\\System32\\Anti Spyware core service.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft update = "C:\\Windows\\System32\\Microsoft update.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Anti Spyware core service = "C:\\Windows\\System32\\Anti Spyware core service.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Anti Spyware core service = "C:\\Windows\\System32\\Anti Spyware core service.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Anti Spyware core service = "C:\\Windows\\System32\\Anti Spyware core service.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Anti Spyware core service = "C:\\Windows\\System32\\Anti Spyware core service.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft update = "C:\\Windows\\System32\\Microsoft update.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Anti Spyware core service = "C:\\Windows\\System32\\Anti Spyware core service.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft update = "C:\\Windows\\System32\\Microsoft update.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Anti Spyware core service = "C:\\Windows\\System32\\Anti Spyware core service.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Anti Spyware core service = "C:\\Windows\\System32\\Anti Spyware core service.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft update = "C:\\Windows\\System32\\Microsoft update.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft update = "C:\\Windows\\System32\\Microsoft update.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Anti Spyware core service = "C:\\Windows\\System32\\Anti Spyware core service.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft update = "C:\\Windows\\System32\\Microsoft update.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft update = "C:\\Windows\\System32\\Microsoft update.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft update = "C:\\Windows\\System32\\Microsoft update.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft update = "C:\\Windows\\System32\\Microsoft update.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Anti Spyware core service = "C:\\Windows\\System32\\Anti Spyware core service.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft update = "C:\\Windows\\System32\\Microsoft update.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Anti Spyware core service = "C:\\Windows\\System32\\Anti Spyware core service.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft update = "C:\\Windows\\System32\\Microsoft update.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Anti Spyware core service = "C:\\Windows\\System32\\Anti Spyware core service.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Anti Spyware core service = "C:\\Windows\\System32\\Anti Spyware core service.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft update = "C:\\Windows\\System32\\Microsoft update.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft update = "C:\\Windows\\System32\\Microsoft update.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Anti Spyware core service = "C:\\Windows\\System32\\Anti Spyware core service.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft update = "C:\\Windows\\System32\\Microsoft update.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft update = "C:\\Windows\\System32\\Microsoft update.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft update = "C:\\Windows\\System32\\Microsoft update.exe"	CODEX17-NUKER.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft update = "C:\\Windows\\System32\\Microsoft update.exe"	CODEX17-NUKER.exe

Looks up external IP address via web service 4 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
4	ip-api.com
39	ip-api.com
71	ip-api.com
98	ip-api.com

Drops file in System32 directory 64 IoCs

description	ioc	Process
File created	C:\Windows\System32\Anti Spyware core service.exe	CODEX17-NUKER.exe
File created	C:\Windows\System32\Anti Spyware core service.exe	CODEX17-NUKER.exe
File opened for modification	C:\Windows\System32\Microsoft update.exe	CODEX17-NUKER.exe
File created	C:\Windows\System32\Microsoft update.exe	CODEX17-NUKER.exe
File opened for modification	C:\Windows\System32\Microsoft update.exe	CODEX17-NUKER.exe
File created	C:\Windows\System32\Microsoft update.exe	CODEX17-NUKER.exe
File opened for modification	C:\Windows\System32\Anti Spyware core service.exe	CODEX17-NUKER.exe
File opened for modification	C:\Windows\System32\Microsoft update.exe	CODEX17-NUKER.exe
File opened for modification	C:\Windows\System32\Microsoft update.exe	CODEX17-NUKER.exe
File opened for modification	C:\Windows\System32\Anti Spyware core service.exe	CODEX17-NUKER.exe
File created	C:\Windows\System32\Microsoft update.exe	CODEX17-NUKER.exe
File created	C:\Windows\System32\Anti Spyware core service.exe	CODEX17-NUKER.exe
File created	C:\Windows\System32\Microsoft update.exe	CODEX17-NUKER.exe
File created	C:\Windows\System32\Anti Spyware core service.exe	CODEX17-NUKER.exe
File created	C:\Windows\System32\Anti Spyware core service.exe	CODEX17-NUKER.exe
File created	C:\Windows\System32\Microsoft update.exe	CODEX17-NUKER.exe
File created	C:\Windows\System32\Microsoft update.exe	CODEX17-NUKER.exe
File created	C:\Windows\System32\Microsoft update.exe	CODEX17-NUKER.exe
File created	C:\Windows\System32\Microsoft update.exe	CODEX17-NUKER.exe
File opened for modification	C:\Windows\System32\Anti Spyware core service.exe	CODEX17-NUKER.exe
File opened for modification	C:\Windows\System32\Microsoft update.exe	CODEX17-NUKER.exe
File opened for modification	C:\Windows\System32\Anti Spyware core service.exe	CODEX17-NUKER.exe
File created	C:\Windows\System32\Microsoft update.exe	CODEX17-NUKER.exe
File opened for modification	C:\Windows\System32\Anti Spyware core service.exe	CODEX17-NUKER.exe
File opened for modification	C:\Windows\System32\Microsoft update.exe	CODEX17-NUKER.exe
File created	C:\Windows\System32\Anti Spyware core service.exe	CODEX17-NUKER.exe
File opened for modification	C:\Windows\System32\Microsoft update.exe	CODEX17-NUKER.exe
File created	C:\Windows\System32\Anti Spyware core service.exe	CODEX17-NUKER.exe
File opened for modification	C:\Windows\System32\Microsoft update.exe	CODEX17-NUKER.exe
File created	C:\Windows\System32\Anti Spyware core service.exe	CODEX17-NUKER.exe
File opened for modification	C:\Windows\System32\Anti Spyware core service.exe	CODEX17-NUKER.exe
File created	C:\Windows\System32\Microsoft update.exe	CODEX17-NUKER.exe
File opened for modification	C:\Windows\System32\Anti Spyware core service.exe	CODEX17-NUKER.exe
File created	C:\Windows\System32\Anti Spyware core service.exe	CODEX17-NUKER.exe
File opened for modification	C:\Windows\System32\Anti Spyware core service.exe	CODEX17-NUKER.exe
File created	C:\Windows\System32\Anti Spyware core service.exe	CODEX17-NUKER.exe
File opened for modification	C:\Windows\System32\Anti Spyware core service.exe	CODEX17-NUKER.exe
File opened for modification	C:\Windows\System32\Anti Spyware core service.exe	CODEX17-NUKER.exe
File created	C:\Windows\System32\Anti Spyware core service.exe	CODEX17-NUKER.exe
File created	C:\Windows\System32\Microsoft update.exe	CODEX17-NUKER.exe
File created	C:\Windows\System32\Anti Spyware core service.exe	CODEX17-NUKER.exe
File opened for modification	C:\Windows\System32\Microsoft update.exe	CODEX17-NUKER.exe
File opened for modification	C:\Windows\System32\Anti Spyware core service.exe	CODEX17-NUKER.exe
File opened for modification	C:\Windows\System32\Anti Spyware core service.exe	CODEX17-NUKER.exe
File created	C:\Windows\System32\Microsoft update.exe	CODEX17-NUKER.exe
File created	C:\Windows\System32\Microsoft update.exe	CODEX17-NUKER.exe
File created	C:\Windows\System32\Anti Spyware core service.exe	CODEX17-NUKER.exe
File created	C:\Windows\System32\Microsoft update.exe	CODEX17-NUKER.exe
File created	C:\Windows\System32\Anti Spyware core service.exe	CODEX17-NUKER.exe
File created	C:\Windows\System32\Microsoft update.exe	CODEX17-NUKER.exe
File created	C:\Windows\System32\Microsoft update.exe	CODEX17-NUKER.exe
File opened for modification	C:\Windows\System32\Anti Spyware core service.exe	CODEX17-NUKER.exe
File opened for modification	C:\Windows\System32\Microsoft update.exe	CODEX17-NUKER.exe
File opened for modification	C:\Windows\System32\Microsoft update.exe	CODEX17-NUKER.exe
File created	C:\Windows\System32\Microsoft update.exe	CODEX17-NUKER.exe
File opened for modification	C:\Windows\System32\Anti Spyware core service.exe	CODEX17-NUKER.exe
File opened for modification	C:\Windows\System32\Anti Spyware core service.exe	CODEX17-NUKER.exe
File created	C:\Windows\System32\Anti Spyware core service.exe	CODEX17-NUKER.exe
File opened for modification	C:\Windows\System32\Anti Spyware core service.exe	CODEX17-NUKER.exe
File created	C:\Windows\System32\Anti Spyware core service.exe	CODEX17-NUKER.exe
File created	C:\Windows\System32\Anti Spyware core service.exe	CODEX17-NUKER.exe
File created	C:\Windows\System32\Anti Spyware core service.exe	CODEX17-NUKER.exe
File opened for modification	C:\Windows\System32\Microsoft update.exe	CODEX17-NUKER.exe
File opened for modification	C:\Windows\System32\Anti Spyware core service.exe	CODEX17-NUKER.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Delays execution with timeout.exe 37 IoCs

defense_evasion

pid	Process
2476	timeout.exe
2304	timeout.exe
2904	timeout.exe
2320	timeout.exe
2064	timeout.exe
3068	timeout.exe
2976	timeout.exe
1768	timeout.exe
1696	timeout.exe
2816	timeout.exe
2740	timeout.exe
1264	timeout.exe
1736	timeout.exe
2772	timeout.exe
2096	timeout.exe
1720	timeout.exe
1052	timeout.exe
1156	timeout.exe
552	timeout.exe
2436	timeout.exe
1724	timeout.exe
1772	timeout.exe
2560	timeout.exe
2720	timeout.exe
2352	timeout.exe
2368	timeout.exe
1812	timeout.exe
2208	timeout.exe
1036	timeout.exe
580	timeout.exe
1800	timeout.exe
1540	timeout.exe
2036	timeout.exe
1616	timeout.exe
2144	timeout.exe
1860	timeout.exe
2988	timeout.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 38 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2276	schtasks.exe
2332	schtasks.exe
2636	schtasks.exe
1772	schtasks.exe
884	schtasks.exe
2964	schtasks.exe
1756	schtasks.exe
1876	schtasks.exe
2348	schtasks.exe
2004	schtasks.exe
2168	schtasks.exe
1616	schtasks.exe
2844	schtasks.exe
2768	schtasks.exe
1652	schtasks.exe
1944	schtasks.exe
1688	schtasks.exe
3052	schtasks.exe
2564	schtasks.exe
3032	schtasks.exe
1596	schtasks.exe
2312	schtasks.exe
2068	schtasks.exe
2704	schtasks.exe
2788	schtasks.exe
2844	schtasks.exe
1704	schtasks.exe
1652	schtasks.exe
1804	schtasks.exe
2812	schtasks.exe
2744	schtasks.exe
2200	schtasks.exe
1256	schtasks.exe
2108	schtasks.exe
1996	schtasks.exe
2300	schtasks.exe
2604	schtasks.exe
2572	schtasks.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2584	Microsoft update.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2692	CODEX17-NUKER.exe
2692	CODEX17-NUKER.exe
2692	CODEX17-NUKER.exe
2684	powershell.exe
3056	powershell.exe
1632	Anti Spyware core service.exe
1632	Anti Spyware core service.exe
1632	Anti Spyware core service.exe
1632	Anti Spyware core service.exe
1632	Anti Spyware core service.exe
2572	CODEX17-NUKER.exe
2572	CODEX17-NUKER.exe
2572	CODEX17-NUKER.exe
1876	powershell.exe
1040	powershell.exe
2292	Anti Spyware core service.exe
2292	Anti Spyware core service.exe
2292	Anti Spyware core service.exe
2292	Anti Spyware core service.exe
2292	Anti Spyware core service.exe
2292	Anti Spyware core service.exe
2292	Anti Spyware core service.exe
2292	Anti Spyware core service.exe
2292	Anti Spyware core service.exe
2292	Anti Spyware core service.exe
1528	powershell.exe
2292	Anti Spyware core service.exe
2292	Anti Spyware core service.exe
2292	Anti Spyware core service.exe
2292	Anti Spyware core service.exe
2292	Anti Spyware core service.exe
2292	Anti Spyware core service.exe
1268	powershell.exe
2292	Anti Spyware core service.exe
2292	Anti Spyware core service.exe
2292	Anti Spyware core service.exe
2292	Anti Spyware core service.exe
2308	powershell.exe
2292	Anti Spyware core service.exe
2292	Anti Spyware core service.exe
2292	Anti Spyware core service.exe
2292	Anti Spyware core service.exe
2292	Anti Spyware core service.exe
2292	Anti Spyware core service.exe
1732	powershell.exe
2292	Anti Spyware core service.exe
2292	Anti Spyware core service.exe
2292	Anti Spyware core service.exe
2292	Anti Spyware core service.exe
2292	Anti Spyware core service.exe
2292	Anti Spyware core service.exe
2292	Anti Spyware core service.exe
2292	Anti Spyware core service.exe
2292	Anti Spyware core service.exe
2292	Anti Spyware core service.exe
2292	Anti Spyware core service.exe
2292	Anti Spyware core service.exe
2292	Anti Spyware core service.exe
2292	Anti Spyware core service.exe
2292	Anti Spyware core service.exe
2292	Anti Spyware core service.exe
2292	Anti Spyware core service.exe
2292	Anti Spyware core service.exe
2292	Anti Spyware core service.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	2692	CODEX17-NUKER.exe
Token: SeDebugPrivilege	2684	powershell.exe
Token: SeDebugPrivilege	3056	powershell.exe
Token: SeDebugPrivilege	2584	Microsoft update.exe
Token: SeDebugPrivilege	2572	CODEX17-NUKER.exe
Token: SeDebugPrivilege	1632	Anti Spyware core service.exe
Token: SeDebugPrivilege	1876	powershell.exe
Token: SeDebugPrivilege	1040	powershell.exe
Token: SeDebugPrivilege	2488	Microsoft update.exe
Token: SeDebugPrivilege	2292	Anti Spyware core service.exe
Token: SeDebugPrivilege	548	Anti Spyware core service.exe
Token: SeDebugPrivilege	2400	CODEX17-NUKER.exe
Token: SeDebugPrivilege	1528	powershell.exe
Token: SeDebugPrivilege	1268	powershell.exe
Token: SeDebugPrivilege	2308	powershell.exe
Token: SeDebugPrivilege	1732	powershell.exe
Token: SeDebugPrivilege	2584	Microsoft update.exe
Token: SeDebugPrivilege	2752	powershell.exe
Token: SeDebugPrivilege	2892	powershell.exe
Token: SeDebugPrivilege	2944	Microsoft update.exe
Token: SeDebugPrivilege	2692	taskmgr.exe
Token: SeDebugPrivilege	2588	CODEX17-NUKER.exe
Token: SeDebugPrivilege	2044	Anti Spyware core service.exe
Token: SeDebugPrivilege	844	powershell.exe
Token: SeDebugPrivilege	1308	powershell.exe
Token: SeDebugPrivilege	2284	Microsoft update.exe
Token: SeDebugPrivilege	788	Anti Spyware core service.exe
Token: SeDebugPrivilege	1876	CODEX17-NUKER.exe
Token: SeDebugPrivilege	888	powershell.exe
Token: SeDebugPrivilege	1460	powershell.exe
Token: SeDebugPrivilege	580	Microsoft update.exe
Token: SeDebugPrivilege	2064	Anti Spyware core service.exe
Token: SeDebugPrivilege	2128	CODEX17-NUKER.exe
Token: SeDebugPrivilege	1860	Anti Spyware core service.exe
Token: SeDebugPrivilege	2016	powershell.exe
Token: SeDebugPrivilege	668	powershell.exe
Token: SeDebugPrivilege	2848	Microsoft update.exe
Token: SeDebugPrivilege	2788	CODEX17-NUKER.exe
Token: SeDebugPrivilege	2844	Anti Spyware core service.exe
Token: SeDebugPrivilege	2412	powershell.exe
Token: SeDebugPrivilege	2212	powershell.exe
Token: SeDebugPrivilege	1608	Microsoft update.exe
Token: SeDebugPrivilege	484	Anti Spyware core service.exe
Token: SeDebugPrivilege	2588	Anti Spyware core service.exe
Token: SeDebugPrivilege	2964	CODEX17-NUKER.exe
Token: SeDebugPrivilege	1044	powershell.exe
Token: SeDebugPrivilege	3068	powershell.exe
Token: SeDebugPrivilege	1844	Microsoft update.exe
Token: SeDebugPrivilege	900	Anti Spyware core service.exe
Token: SeDebugPrivilege	1572	CODEX17-NUKER.exe
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	3016	powershell.exe
Token: SeDebugPrivilege	720	Microsoft update.exe
Token: SeDebugPrivilege	904	Anti Spyware core service.exe
Token: SeDebugPrivilege	1648	CODEX17-NUKER.exe
Token: SeDebugPrivilege	1816	powershell.exe
Token: SeDebugPrivilege	2768	powershell.exe
Token: SeDebugPrivilege	1548	Microsoft update.exe
Token: SeDebugPrivilege	1868	Anti Spyware core service.exe
Token: SeDebugPrivilege	2244	CODEX17-NUKER.exe
Token: SeDebugPrivilege	2964	powershell.exe
Token: SeDebugPrivilege	1268	powershell.exe
Token: SeDebugPrivilege	2908	Microsoft update.exe
Token: SeDebugPrivilege	3012	CODEX17-NUKER.exe

Suspicious use of FindShellTrayWindow 14 IoCs

pid	Process
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe

Suspicious use of SendNotifyMessage 14 IoCs

pid	Process
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe
2692	taskmgr.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 2572	2692	CODEX17-NUKER.exe	31
PID 2692 wrote to memory of 2572	2692	CODEX17-NUKER.exe	31
PID 2692 wrote to memory of 2572	2692	CODEX17-NUKER.exe	31
PID 2692 wrote to memory of 2684	2692	CODEX17-NUKER.exe	32
PID 2692 wrote to memory of 2684	2692	CODEX17-NUKER.exe	32
PID 2692 wrote to memory of 2684	2692	CODEX17-NUKER.exe	32
PID 2692 wrote to memory of 1632	2692	CODEX17-NUKER.exe	34
PID 2692 wrote to memory of 1632	2692	CODEX17-NUKER.exe	34
PID 2692 wrote to memory of 1632	2692	CODEX17-NUKER.exe	34
PID 2692 wrote to memory of 3056	2692	CODEX17-NUKER.exe	35
PID 2692 wrote to memory of 3056	2692	CODEX17-NUKER.exe	35
PID 2692 wrote to memory of 3056	2692	CODEX17-NUKER.exe	35
PID 2692 wrote to memory of 2584	2692	CODEX17-NUKER.exe	37
PID 2692 wrote to memory of 2584	2692	CODEX17-NUKER.exe	37
PID 2692 wrote to memory of 2584	2692	CODEX17-NUKER.exe	37
PID 1632 wrote to memory of 996	1632	Anti Spyware core service.exe	38
PID 1632 wrote to memory of 996	1632	Anti Spyware core service.exe	38
PID 1632 wrote to memory of 996	1632	Anti Spyware core service.exe	38
PID 1632 wrote to memory of 956	1632	Anti Spyware core service.exe	40
PID 1632 wrote to memory of 956	1632	Anti Spyware core service.exe	40
PID 1632 wrote to memory of 956	1632	Anti Spyware core service.exe	40
PID 996 wrote to memory of 2844	996	cmd.exe	42
PID 996 wrote to memory of 2844	996	cmd.exe	42
PID 996 wrote to memory of 2844	996	cmd.exe	42
PID 956 wrote to memory of 2740	956	cmd.exe	43
PID 956 wrote to memory of 2740	956	cmd.exe	43
PID 956 wrote to memory of 2740	956	cmd.exe	43
PID 2572 wrote to memory of 2400	2572	CODEX17-NUKER.exe	44
PID 2572 wrote to memory of 2400	2572	CODEX17-NUKER.exe	44
PID 2572 wrote to memory of 2400	2572	CODEX17-NUKER.exe	44
PID 2572 wrote to memory of 1876	2572	CODEX17-NUKER.exe	45
PID 2572 wrote to memory of 1876	2572	CODEX17-NUKER.exe	45
PID 2572 wrote to memory of 1876	2572	CODEX17-NUKER.exe	45
PID 956 wrote to memory of 2292	956	cmd.exe	47
PID 956 wrote to memory of 2292	956	cmd.exe	47
PID 956 wrote to memory of 2292	956	cmd.exe	47
PID 2572 wrote to memory of 548	2572	CODEX17-NUKER.exe	48
PID 2572 wrote to memory of 548	2572	CODEX17-NUKER.exe	48
PID 2572 wrote to memory of 548	2572	CODEX17-NUKER.exe	48
PID 2572 wrote to memory of 1040	2572	CODEX17-NUKER.exe	49
PID 2572 wrote to memory of 1040	2572	CODEX17-NUKER.exe	49
PID 2572 wrote to memory of 1040	2572	CODEX17-NUKER.exe	49
PID 2572 wrote to memory of 2488	2572	CODEX17-NUKER.exe	51
PID 2572 wrote to memory of 2488	2572	CODEX17-NUKER.exe	51
PID 2572 wrote to memory of 2488	2572	CODEX17-NUKER.exe	51
PID 2584 wrote to memory of 1528	2584	Microsoft update.exe	52
PID 2584 wrote to memory of 1528	2584	Microsoft update.exe	52
PID 2584 wrote to memory of 1528	2584	Microsoft update.exe	52
PID 2584 wrote to memory of 1268	2584	Microsoft update.exe	54
PID 2584 wrote to memory of 1268	2584	Microsoft update.exe	54
PID 2584 wrote to memory of 1268	2584	Microsoft update.exe	54
PID 2584 wrote to memory of 2308	2584	Microsoft update.exe	56
PID 2584 wrote to memory of 2308	2584	Microsoft update.exe	56
PID 2584 wrote to memory of 2308	2584	Microsoft update.exe	56
PID 2584 wrote to memory of 1732	2584	Microsoft update.exe	58
PID 2584 wrote to memory of 1732	2584	Microsoft update.exe	58
PID 2584 wrote to memory of 1732	2584	Microsoft update.exe	58
PID 2584 wrote to memory of 2744	2584	Microsoft update.exe	60
PID 2584 wrote to memory of 2744	2584	Microsoft update.exe	60
PID 2584 wrote to memory of 2744	2584	Microsoft update.exe	60
PID 2400 wrote to memory of 2588	2400	CODEX17-NUKER.exe	62
PID 2400 wrote to memory of 2588	2400	CODEX17-NUKER.exe	62
PID 2400 wrote to memory of 2588	2400	CODEX17-NUKER.exe	62
PID 2400 wrote to memory of 2752	2400	CODEX17-NUKER.exe	63

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe
"C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe
  "C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe"
  2⤵
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2572
- - C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe
    "C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe"
    3⤵
    - Adds Run key to start application
    - Drops file in System32 directory
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2400
  - - C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe
      "C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe"
      4⤵
      Drops file in System32 directory
      Suspicious use of AdjustPrivilegeToken
      PID:2588
    - - C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe"
        5⤵
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1876
      - C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe"
        6⤵
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
        
        C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe"
        7⤵
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2788
        
        C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe"
        8⤵
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:2964
        
        C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe"
        9⤵
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1572
        
        C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe"
        10⤵
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:1648
        
        C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe"
        11⤵
        Adds Run key to start application
        Suspicious use of AdjustPrivilegeToken
        
        PID:2244
        
        C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe"
        12⤵
        Drops file in System32 directory
        Suspicious use of AdjustPrivilegeToken
        
        PID:3012
        
        C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe"
        13⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe"
        14⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1048
        
        C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe"
        15⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe"
        16⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1716
        
        C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe"
        17⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:3008
        
        C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe"
        18⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2496
        
        C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe"
        19⤵
        Adds Run key to start application
        
        PID:2532
        
        C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe"
        20⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2368
        
        C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe"
        21⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2816
        
        C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe"
        22⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2432
        
        C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe"
        23⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe"
        24⤵
        Adds Run key to start application
        
        PID:1984
        
        C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe"
        25⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2296
        
        C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe"
        26⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:592
        
        C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe"
        27⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1552
        
        C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe"
        28⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2648
        
        C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe"
        29⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2988
        
        C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe"
        30⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1740
        
        C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe"
        31⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe"
        32⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1828
        
        C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe"
        33⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:852
        
        C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe"
        34⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1604
        
        C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe"
        35⤵
        Drops file in System32 directory
        
        PID:2488
        
        C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe"
        36⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe"
        37⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1948
        
        C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe"
        38⤵
        Adds Run key to start application
        
        PID:1356
        
        C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe"
        39⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1268
        
        C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe"
        40⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1644
        
        C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe"
        41⤵
        Adds Run key to start application
        
        PID:2104
        
        C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe"
        42⤵
        Adds Run key to start application
        
        PID:2868
        
        C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe"
        43⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2428
        
        C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe"
        44⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:956
        
        C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe"
        45⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:2736
        
        C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe"
        46⤵
        Adds Run key to start application
        Drops file in System32 directory
        
        PID:1100
        
        C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe"
        47⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe
        
        "C:\Users\Admin\AppData\Local\Temp\CODEX17-NUKER.exe"
        48⤵
        
        PID:2504
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Anti Spyware core service.exe'
        48⤵
        
        PID:1796
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Anti Spyware core service.exe'
        47⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2340
        
        C:\Windows\System32\Anti Spyware core service.exe
        
        "C:\Windows\System32\Anti Spyware core service.exe"
        47⤵
        
        PID:2632
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"' & exit
        48⤵
        
        PID:2112
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"'
        49⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1596
        
        C:\Windows\System32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpD115.tmp.bat""
        48⤵
        
        PID:1756
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        49⤵
        Delays execution with timeout.exe
        
        PID:1540
        
        C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe
        
        "C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"
        49⤵
        
        PID:2168
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Microsoft update.exe'
        47⤵
        
        PID:2400
        
        C:\Windows\System32\Microsoft update.exe
        
        "C:\Windows\System32\Microsoft update.exe"
        47⤵
        
        PID:1704
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Anti Spyware core service.exe'
        46⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1572
        
        C:\Windows\System32\Anti Spyware core service.exe
        
        "C:\Windows\System32\Anti Spyware core service.exe"
        46⤵
        
        PID:1968
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"' & exit
        47⤵
        
        PID:1952
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"'
        48⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2348
        
        C:\Windows\System32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpBBC1.tmp.bat""
        47⤵
        
        PID:2312
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        48⤵
        Delays execution with timeout.exe
        
        PID:2320
        
        C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe
        
        "C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"
        48⤵
        
        PID:2116
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Microsoft update.exe'
        46⤵
        
        PID:2392
        
        C:\Windows\System32\Microsoft update.exe
        
        "C:\Windows\System32\Microsoft update.exe"
        46⤵
        
        PID:2084
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Anti Spyware core service.exe'
        45⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2080
        
        C:\Windows\System32\Anti Spyware core service.exe
        
        "C:\Windows\System32\Anti Spyware core service.exe"
        45⤵
        
        PID:2592
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"' & exit
        46⤵
        
        PID:1156
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"'
        47⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1616
        
        C:\Windows\System32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpA65D.tmp.bat""
        46⤵
        
        PID:968
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        47⤵
        Delays execution with timeout.exe
        
        PID:2208
        
        C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe
        
        "C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"
        47⤵
        
        PID:1052
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Microsoft update.exe'
        45⤵
        
        PID:1612
        
        C:\Windows\System32\Microsoft update.exe
        
        "C:\Windows\System32\Microsoft update.exe"
        45⤵
        
        PID:1056
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Anti Spyware core service.exe'
        44⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2068
        
        C:\Windows\System32\Anti Spyware core service.exe
        
        "C:\Windows\System32\Anti Spyware core service.exe"
        44⤵
        
        PID:1540
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"' & exit
        45⤵
        
        PID:912
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"'
        46⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2572
        
        C:\Windows\System32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp9195.tmp.bat""
        45⤵
        
        PID:560
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        46⤵
        Delays execution with timeout.exe
        
        PID:1800
        
        C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe
        
        "C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"
        46⤵
        
        PID:2728
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Microsoft update.exe'
        44⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2404
        
        C:\Windows\System32\Microsoft update.exe
        
        "C:\Windows\System32\Microsoft update.exe"
        44⤵
        
        PID:2800
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Anti Spyware core service.exe'
        43⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1876
        
        C:\Windows\System32\Anti Spyware core service.exe
        
        "C:\Windows\System32\Anti Spyware core service.exe"
        43⤵
        
        PID:2160
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"' & exit
        44⤵
        
        PID:2324
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"'
        45⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2332
        
        C:\Windows\System32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp7C70.tmp.bat""
        44⤵
        
        PID:2260
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        45⤵
        Delays execution with timeout.exe
        
        PID:2904
        
        C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe
        
        "C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"
        45⤵
        
        PID:2724
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Microsoft update.exe'
        43⤵
        
        PID:1632
        
        C:\Windows\System32\Microsoft update.exe
        
        "C:\Windows\System32\Microsoft update.exe"
        43⤵
        
        PID:3044
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Anti Spyware core service.exe'
        42⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1648
        
        C:\Windows\System32\Anti Spyware core service.exe
        
        "C:\Windows\System32\Anti Spyware core service.exe"
        42⤵
        
        PID:2196
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Microsoft update.exe'
        42⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2256
        
        C:\Windows\System32\Microsoft update.exe
        
        "C:\Windows\System32\Microsoft update.exe"
        42⤵
        
        PID:1748
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Anti Spyware core service.exe'
        41⤵
        
        PID:1552
        
        C:\Windows\System32\Anti Spyware core service.exe
        
        "C:\Windows\System32\Anti Spyware core service.exe"
        41⤵
        
        PID:2872
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"' & exit
        42⤵
        
        PID:1676
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"'
        43⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1804
        
        C:\Windows\System32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp5419.tmp.bat""
        42⤵
        
        PID:2540
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        43⤵
        Delays execution with timeout.exe
        
        PID:2988
        
        C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe
        
        "C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"
        43⤵
        
        PID:2860
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Microsoft update.exe'
        41⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1360
        
        C:\Windows\System32\Microsoft update.exe
        
        "C:\Windows\System32\Microsoft update.exe"
        41⤵
        
        PID:1524
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Anti Spyware core service.exe'
        40⤵
        
        PID:2780
        
        C:\Windows\System32\Anti Spyware core service.exe
        
        "C:\Windows\System32\Anti Spyware core service.exe"
        40⤵
        
        PID:1132
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Microsoft update.exe'
        40⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2928
        
        C:\Windows\System32\Microsoft update.exe
        
        "C:\Windows\System32\Microsoft update.exe"
        40⤵
        
        PID:1492
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Anti Spyware core service.exe'
        39⤵
        
        PID:2308
        
        C:\Windows\System32\Anti Spyware core service.exe
        
        "C:\Windows\System32\Anti Spyware core service.exe"
        39⤵
        
        PID:1824
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"' & exit
        40⤵
        
        PID:1384
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"'
        41⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1996
        
        C:\Windows\System32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp29CE.tmp.bat""
        40⤵
        
        PID:2092
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        41⤵
        Delays execution with timeout.exe
        
        PID:580
        
        C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe
        
        "C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"
        41⤵
        
        PID:1104
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Microsoft update.exe'
        39⤵
        
        PID:2264
        
        C:\Windows\System32\Microsoft update.exe
        
        "C:\Windows\System32\Microsoft update.exe"
        39⤵
        
        PID:632
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Anti Spyware core service.exe'
        38⤵
        
        PID:2900
        
        C:\Windows\System32\Anti Spyware core service.exe
        
        "C:\Windows\System32\Anti Spyware core service.exe"
        38⤵
        
        PID:2072
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"' & exit
        39⤵
        
        PID:3008
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"'
        40⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2604
        
        C:\Windows\System32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp140D.tmp.bat""
        39⤵
        
        PID:2968
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        40⤵
        Delays execution with timeout.exe
        
        PID:1720
        
        C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe
        
        "C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"
        40⤵
        
        PID:1296
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Microsoft update.exe'
        38⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2704
        
        C:\Windows\System32\Microsoft update.exe
        
        "C:\Windows\System32\Microsoft update.exe"
        38⤵
        
        PID:2176
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Anti Spyware core service.exe'
        37⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2096
        
        C:\Windows\System32\Anti Spyware core service.exe
        
        "C:\Windows\System32\Anti Spyware core service.exe"
        37⤵
        
        PID:1292
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"' & exit
        38⤵
        
        PID:2816
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"'
        39⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2108
        
        C:\Windows\System32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpFF17.tmp.bat""
        38⤵
        
        PID:984
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        39⤵
        Delays execution with timeout.exe
        
        PID:1724
        
        C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe
        
        "C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"
        39⤵
        
        PID:1860
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Microsoft update.exe'
        37⤵
        
        PID:572
        
        C:\Windows\System32\Microsoft update.exe
        
        "C:\Windows\System32\Microsoft update.exe"
        37⤵
        
        PID:2148
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Anti Spyware core service.exe'
        36⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:940
        
        C:\Windows\System32\Anti Spyware core service.exe
        
        "C:\Windows\System32\Anti Spyware core service.exe"
        36⤵
        
        PID:904
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"' & exit
        37⤵
        
        PID:1248
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"'
        38⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2276
        
        C:\Windows\System32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpEA30.tmp.bat""
        37⤵
        
        PID:1536
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        38⤵
        Delays execution with timeout.exe
        
        PID:1812
        
        C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe
        
        "C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"
        38⤵
        
        PID:1816
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Microsoft update.exe'
        36⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2168
        
        C:\Windows\System32\Microsoft update.exe
        
        "C:\Windows\System32\Microsoft update.exe"
        36⤵
        
        PID:1752
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Anti Spyware core service.exe'
        35⤵
        
        PID:3028
        
        C:\Windows\System32\Anti Spyware core service.exe
        
        "C:\Windows\System32\Anti Spyware core service.exe"
        35⤵
        
        PID:2700
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"' & exit
        36⤵
        
        PID:1576
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"'
        37⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2788
        
        C:\Windows\System32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpD46F.tmp.bat""
        36⤵
        
        PID:2684
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        37⤵
        Delays execution with timeout.exe
        
        PID:1696
        
        C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe
        
        "C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"
        37⤵
        
        PID:912
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Microsoft update.exe'
        35⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1844
        
        C:\Windows\System32\Microsoft update.exe
        
        "C:\Windows\System32\Microsoft update.exe"
        35⤵
        
        PID:2812
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Anti Spyware core service.exe'
        34⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2864
        
        C:\Windows\System32\Anti Spyware core service.exe
        
        "C:\Windows\System32\Anti Spyware core service.exe"
        34⤵
        
        PID:1740
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"' & exit
        35⤵
        
        PID:1608
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"'
        36⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2768
        
        C:\Windows\System32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpBEAE.tmp.bat""
        35⤵
        
        PID:2464
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        36⤵
        Delays execution with timeout.exe
        
        PID:2816
        
        C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe
        
        "C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"
        36⤵
        
        PID:2904
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Microsoft update.exe'
        34⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:848
        
        C:\Windows\System32\Microsoft update.exe
        
        "C:\Windows\System32\Microsoft update.exe"
        34⤵
        
        PID:2268
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Anti Spyware core service.exe'
        33⤵
        
        PID:2300
        
        C:\Windows\System32\Anti Spyware core service.exe
        
        "C:\Windows\System32\Anti Spyware core service.exe"
        33⤵
        
        PID:1536
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"' & exit
        34⤵
        
        PID:2748
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"'
        35⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1876
        
        C:\Windows\System32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpAA72.tmp.bat""
        34⤵
        
        PID:1580
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        35⤵
        Delays execution with timeout.exe
        
        PID:1768
        
        C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe
        
        "C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"
        35⤵
        
        PID:3040
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Microsoft update.exe'
        33⤵
        
        PID:2988
        
        C:\Windows\System32\Microsoft update.exe
        
        "C:\Windows\System32\Microsoft update.exe"
        33⤵
        
        PID:276
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Anti Spyware core service.exe'
        32⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1976
        
        C:\Windows\System32\Anti Spyware core service.exe
        
        "C:\Windows\System32\Anti Spyware core service.exe"
        32⤵
        
        PID:2940
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"' & exit
        33⤵
        
        PID:560
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"'
        34⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2704
        
        C:\Windows\System32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp9444.tmp.bat""
        33⤵
        
        PID:2808
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        34⤵
        Delays execution with timeout.exe
        
        PID:1036
        
        C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe
        
        "C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"
        34⤵
        
        PID:1324
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Microsoft update.exe'
        32⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3028
        
        C:\Windows\System32\Microsoft update.exe
        
        "C:\Windows\System32\Microsoft update.exe"
        32⤵
        
        PID:1516
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Anti Spyware core service.exe'
        31⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:236
        
        C:\Windows\System32\Anti Spyware core service.exe
        
        "C:\Windows\System32\Anti Spyware core service.exe"
        31⤵
        
        PID:2016
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"' & exit
        32⤵
        
        PID:2372
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"'
        33⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2844
        
        C:\Windows\System32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp7F7C.tmp.bat""
        32⤵
        
        PID:956
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        33⤵
        Delays execution with timeout.exe
        
        PID:2304
        
        C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe
        
        "C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"
        33⤵
        
        PID:2124
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Microsoft update.exe'
        31⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2624
        
        C:\Windows\System32\Microsoft update.exe
        
        "C:\Windows\System32\Microsoft update.exe"
        31⤵
        
        PID:2568
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Anti Spyware core service.exe'
        30⤵
        
        PID:2872
        
        C:\Windows\System32\Anti Spyware core service.exe
        
        "C:\Windows\System32\Anti Spyware core service.exe"
        30⤵
        
        PID:576
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"' & exit
        31⤵
        
        PID:1460
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"'
        32⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2168
        
        C:\Windows\System32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp6AA5.tmp.bat""
        31⤵
        
        PID:2144
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        32⤵
        Delays execution with timeout.exe
        
        PID:2436
        
        C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe
        
        "C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"
        32⤵
        
        PID:2944
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Microsoft update.exe'
        30⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:592
        
        C:\Windows\System32\Microsoft update.exe
        
        "C:\Windows\System32\Microsoft update.exe"
        30⤵
        
        PID:1268
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Anti Spyware core service.exe'
        29⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2312
        
        C:\Windows\System32\Anti Spyware core service.exe
        
        "C:\Windows\System32\Anti Spyware core service.exe"
        29⤵
        
        PID:2296
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"' & exit
        30⤵
        
        PID:2720
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"'
        31⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1256
        
        C:\Windows\System32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp5513.tmp.bat""
        30⤵
        
        PID:2804
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        31⤵
        Delays execution with timeout.exe
        
        PID:2976
        
        C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe
        
        "C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"
        31⤵
        
        PID:1704
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Microsoft update.exe'
        29⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3000
        
        C:\Windows\System32\Microsoft update.exe
        
        "C:\Windows\System32\Microsoft update.exe"
        29⤵
        
        PID:2396
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Anti Spyware core service.exe'
        28⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2944
        
        C:\Windows\System32\Anti Spyware core service.exe
        
        "C:\Windows\System32\Anti Spyware core service.exe"
        28⤵
        
        PID:2400
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"' & exit
        29⤵
        
        PID:800
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"'
        30⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1756
        
        C:\Windows\System32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp40F7.tmp.bat""
        29⤵
        
        PID:956
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        30⤵
        Delays execution with timeout.exe
        
        PID:2096
        
        C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe
        
        "C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"
        30⤵
        
        PID:1632
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Microsoft update.exe'
        28⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1768
        
        C:\Windows\System32\Microsoft update.exe
        
        "C:\Windows\System32\Microsoft update.exe"
        28⤵
        
        PID:1564
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Anti Spyware core service.exe'
        27⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1968
        
        C:\Windows\System32\Anti Spyware core service.exe
        
        "C:\Windows\System32\Anti Spyware core service.exe"
        27⤵
        
        PID:3008
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"' & exit
        28⤵
        
        PID:2004
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"'
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2964
        
        C:\Windows\System32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp2B93.tmp.bat""
        28⤵
        
        PID:2604
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        29⤵
        Delays execution with timeout.exe
        
        PID:2368
        
        C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe
        
        "C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"
        29⤵
        
        PID:2192
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Microsoft update.exe'
        27⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2320
        
        C:\Windows\System32\Microsoft update.exe
        
        "C:\Windows\System32\Microsoft update.exe"
        27⤵
        
        PID:720
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Anti Spyware core service.exe'
        26⤵
        
        PID:1980
        
        C:\Windows\System32\Anti Spyware core service.exe
        
        "C:\Windows\System32\Anti Spyware core service.exe"
        26⤵
        
        PID:2588
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"' & exit
        27⤵
        
        PID:2856
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"'
        28⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3032
        
        C:\Windows\System32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp15D2.tmp.bat""
        27⤵
        
        PID:2488
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        28⤵
        Delays execution with timeout.exe
        
        PID:1860
        
        C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe
        
        "C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"
        28⤵
        
        PID:2112
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Microsoft update.exe'
        26⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2304
        
        C:\Windows\System32\Microsoft update.exe
        
        "C:\Windows\System32\Microsoft update.exe"
        26⤵
        
        PID:2264
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Anti Spyware core service.exe'
        25⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2092
        
        C:\Windows\System32\Anti Spyware core service.exe
        
        "C:\Windows\System32\Anti Spyware core service.exe"
        25⤵
        Executes dropped EXE
        
        PID:1836
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Microsoft update.exe'
        25⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2496
        
        C:\Windows\System32\Microsoft update.exe
        
        "C:\Windows\System32\Microsoft update.exe"
        25⤵
        Executes dropped EXE
        
        PID:2764
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Anti Spyware core service.exe'
        24⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2288
        
        C:\Windows\System32\Anti Spyware core service.exe
        
        "C:\Windows\System32\Anti Spyware core service.exe"
        24⤵
        Executes dropped EXE
        
        PID:800
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"' & exit
        25⤵
        
        PID:1720
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"'
        26⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1652
        
        C:\Windows\System32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpED5B.tmp.bat""
        25⤵
        
        PID:2120
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        26⤵
        Delays execution with timeout.exe
        
        PID:2772
        
        C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe
        
        "C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"
        26⤵
        Executes dropped EXE
        
        PID:1000
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Microsoft update.exe'
        24⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2808
        
        C:\Windows\System32\Microsoft update.exe
        
        "C:\Windows\System32\Microsoft update.exe"
        24⤵
        Executes dropped EXE
        
        PID:608
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Anti Spyware core service.exe'
        23⤵
        
        PID:1636
        
        C:\Windows\System32\Anti Spyware core service.exe
        
        "C:\Windows\System32\Anti Spyware core service.exe"
        23⤵
        Executes dropped EXE
        
        PID:1508
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"' & exit
        24⤵
        
        PID:2684
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"'
        25⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:884
        
        C:\Windows\System32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpD7D8.tmp.bat""
        24⤵
        
        PID:2112
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        25⤵
        Delays execution with timeout.exe
        
        PID:2720
        
        C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe
        
        "C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"
        25⤵
        Executes dropped EXE
        
        PID:1612
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Microsoft update.exe'
        23⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2516
        
        C:\Windows\System32\Microsoft update.exe
        
        "C:\Windows\System32\Microsoft update.exe"
        23⤵
        Executes dropped EXE
        
        PID:1772
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Anti Spyware core service.exe'
        22⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2212
        
        C:\Windows\System32\Anti Spyware core service.exe
        
        "C:\Windows\System32\Anti Spyware core service.exe"
        22⤵
        Executes dropped EXE
        
        PID:2372
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Microsoft update.exe'
        22⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:3004
        
        C:\Windows\System32\Microsoft update.exe
        
        "C:\Windows\System32\Microsoft update.exe"
        22⤵
        Executes dropped EXE
        
        PID:984
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Anti Spyware core service.exe'
        21⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2912
        
        C:\Windows\System32\Anti Spyware core service.exe
        
        "C:\Windows\System32\Anti Spyware core service.exe"
        21⤵
        Executes dropped EXE
        
        PID:2716
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"' & exit
        22⤵
        
        PID:1248
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"'
        23⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2004
        
        C:\Windows\System32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpADEB.tmp.bat""
        22⤵
        
        PID:936
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        23⤵
        Delays execution with timeout.exe
        
        PID:2144
        
        C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe
        
        "C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"
        23⤵
        Executes dropped EXE
        
        PID:592
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Microsoft update.exe'
        21⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2704
        
        C:\Windows\System32\Microsoft update.exe
        
        "C:\Windows\System32\Microsoft update.exe"
        21⤵
        Executes dropped EXE
        
        PID:1876
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Anti Spyware core service.exe'
        20⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1980
        
        C:\Windows\System32\Anti Spyware core service.exe
        
        "C:\Windows\System32\Anti Spyware core service.exe"
        20⤵
        Executes dropped EXE
        
        PID:1096
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"' & exit
        21⤵
        
        PID:3032
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"'
        22⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2564
        
        C:\Windows\System32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp9869.tmp.bat""
        21⤵
        
        PID:1748
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        22⤵
        Delays execution with timeout.exe
        
        PID:2352
        
        C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe
        
        "C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"
        22⤵
        Executes dropped EXE
        
        PID:2900
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Microsoft update.exe'
        20⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2124
        
        C:\Windows\System32\Microsoft update.exe
        
        "C:\Windows\System32\Microsoft update.exe"
        20⤵
        Executes dropped EXE
        
        PID:720
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Anti Spyware core service.exe'
        19⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:236
        
        C:\Windows\System32\Anti Spyware core service.exe
        
        "C:\Windows\System32\Anti Spyware core service.exe"
        19⤵
        Executes dropped EXE
        
        PID:924
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Microsoft update.exe'
        19⤵
        
        PID:1132
        
        C:\Windows\System32\Microsoft update.exe
        
        "C:\Windows\System32\Microsoft update.exe"
        19⤵
        Executes dropped EXE
        
        PID:2924
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Anti Spyware core service.exe'
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2288
        
        C:\Windows\System32\Anti Spyware core service.exe
        
        "C:\Windows\System32\Anti Spyware core service.exe"
        18⤵
        Executes dropped EXE
        
        PID:1152
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"' & exit
        19⤵
        
        PID:2348
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"'
        20⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2200
        
        C:\Windows\System32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp705F.tmp.bat""
        19⤵
        
        PID:2928
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        20⤵
        Delays execution with timeout.exe
        
        PID:1616
        
        C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe
        
        "C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"
        20⤵
        Executes dropped EXE
        
        PID:2724
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Microsoft update.exe'
        18⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2752
        
        C:\Windows\System32\Microsoft update.exe
        
        "C:\Windows\System32\Microsoft update.exe"
        18⤵
        Executes dropped EXE
        
        PID:2120
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Anti Spyware core service.exe'
        17⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:860
        
        C:\Windows\System32\Anti Spyware core service.exe
        
        "C:\Windows\System32\Anti Spyware core service.exe"
        17⤵
        Executes dropped EXE
        
        PID:1924
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"' & exit
        18⤵
        
        PID:2904
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"'
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2812
        
        C:\Windows\System32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp5ACD.tmp.bat""
        18⤵
        
        PID:2964
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        19⤵
        Delays execution with timeout.exe
        
        PID:2560
        
        C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe
        
        "C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"
        19⤵
        
        PID:576
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Microsoft update.exe'
        17⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1688
        
        C:\Windows\System32\Microsoft update.exe
        
        "C:\Windows\System32\Microsoft update.exe"
        17⤵
        Executes dropped EXE
        
        PID:1572
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Anti Spyware core service.exe'
        16⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2864
        
        C:\Windows\System32\Anti Spyware core service.exe
        
        "C:\Windows\System32\Anti Spyware core service.exe"
        16⤵
        Executes dropped EXE
        
        PID:1772
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"' & exit
        17⤵
        
        PID:1804
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"'
        18⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2068
        
        C:\Windows\System32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp4588.tmp.bat""
        17⤵
        
        PID:2148
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        18⤵
        Delays execution with timeout.exe
        
        PID:1736
        
        C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe
        
        "C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"
        18⤵
        Executes dropped EXE
        
        PID:1364
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Microsoft update.exe'
        16⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1656
        
        C:\Windows\System32\Microsoft update.exe
        
        "C:\Windows\System32\Microsoft update.exe"
        16⤵
        Executes dropped EXE
        
        PID:1812
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Anti Spyware core service.exe'
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:2104
        
        C:\Windows\System32\Anti Spyware core service.exe
        
        "C:\Windows\System32\Anti Spyware core service.exe"
        15⤵
        Executes dropped EXE
        
        PID:2944
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Microsoft update.exe'
        15⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1316
        
        C:\Windows\System32\Microsoft update.exe
        
        "C:\Windows\System32\Microsoft update.exe"
        15⤵
        Executes dropped EXE
        
        PID:2348
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Anti Spyware core service.exe'
        14⤵
        
        PID:2032
        
        C:\Windows\System32\Anti Spyware core service.exe
        
        "C:\Windows\System32\Anti Spyware core service.exe"
        14⤵
        Executes dropped EXE
        
        PID:2336
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"' & exit
        15⤵
        
        PID:2564
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"'
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3052
        
        C:\Windows\System32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp1E88.tmp.bat""
        15⤵
        
        PID:1620
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        16⤵
        Delays execution with timeout.exe
        
        PID:552
        
        C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe
        
        "C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"
        16⤵
        Executes dropped EXE
        
        PID:940
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Microsoft update.exe'
        14⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1976
        
        C:\Windows\System32\Microsoft update.exe
        
        "C:\Windows\System32\Microsoft update.exe"
        14⤵
        Executes dropped EXE
        
        PID:576
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Anti Spyware core service.exe'
        13⤵
        
        PID:2984
        
        C:\Windows\System32\Anti Spyware core service.exe
        
        "C:\Windows\System32\Anti Spyware core service.exe"
        13⤵
        Executes dropped EXE
        
        PID:2356
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"' & exit
        14⤵
        
        PID:1000
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"'
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2312
        
        C:\Windows\System32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp9B1.tmp.bat""
        14⤵
        
        PID:1540
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        15⤵
        Delays execution with timeout.exe
        
        PID:1156
        
        C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe
        
        "C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"
        15⤵
        Executes dropped EXE
        
        PID:2624
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Microsoft update.exe'
        13⤵
        Command and Scripting Interpreter: PowerShell
        
        PID:1656
        
        C:\Windows\System32\Microsoft update.exe
        
        "C:\Windows\System32\Microsoft update.exe"
        13⤵
        Executes dropped EXE
        
        PID:1644
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Anti Spyware core service.exe'
        12⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2964
        
        C:\Windows\System32\Anti Spyware core service.exe
        
        "C:\Windows\System32\Anti Spyware core service.exe"
        12⤵
        Executes dropped EXE
        
        PID:580
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"' & exit
        13⤵
        
        PID:2348
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"'
        14⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1704
        
        C:\Windows\System32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpF576.tmp.bat""
        13⤵
        
        PID:592
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        14⤵
        Delays execution with timeout.exe
        
        PID:1052
        
        C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe
        
        "C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"
        14⤵
        Executes dropped EXE
        
        PID:1348
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Microsoft update.exe'
        12⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1268
        
        C:\Windows\System32\Microsoft update.exe
        
        "C:\Windows\System32\Microsoft update.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2908
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Anti Spyware core service.exe'
        11⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1816
        
        C:\Windows\System32\Anti Spyware core service.exe
        
        "C:\Windows\System32\Anti Spyware core service.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1868
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"' & exit
        12⤵
        
        PID:2428
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"'
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1688
        
        C:\Windows\System32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpE09F.tmp.bat""
        12⤵
        
        PID:1792
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        13⤵
        Delays execution with timeout.exe
        
        PID:3068
        
        C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe
        
        "C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"
        13⤵
        Executes dropped EXE
        
        PID:2056
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Microsoft update.exe'
        11⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2768
        
        C:\Windows\System32\Microsoft update.exe
        
        "C:\Windows\System32\Microsoft update.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1548
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Anti Spyware core service.exe'
        10⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2896
        
        C:\Windows\System32\Anti Spyware core service.exe
        
        "C:\Windows\System32\Anti Spyware core service.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:904
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"' & exit
        11⤵
        
        PID:1352
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"'
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1772
        
        C:\Windows\System32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpCADD.tmp.bat""
        11⤵
        
        PID:2848
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        12⤵
        Delays execution with timeout.exe
        
        PID:1264
        
        C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe
        
        "C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"
        12⤵
        Executes dropped EXE
        
        PID:2000
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Microsoft update.exe'
        10⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3016
        
        C:\Windows\System32\Microsoft update.exe
        
        "C:\Windows\System32\Microsoft update.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:720
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Anti Spyware core service.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:1044
        
        C:\Windows\System32\Anti Spyware core service.exe
        
        "C:\Windows\System32\Anti Spyware core service.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:900
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"' & exit
        10⤵
        
        PID:1860
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"'
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1944
        
        C:\Windows\System32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpB5B8.tmp.bat""
        10⤵
        
        PID:2908
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        11⤵
        Delays execution with timeout.exe
        
        PID:2064
        
        C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe
        
        "C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"
        11⤵
        Executes dropped EXE
        
        PID:2016
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Microsoft update.exe'
        9⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:3068
        
        C:\Windows\System32\Microsoft update.exe
        
        "C:\Windows\System32\Microsoft update.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1844
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Anti Spyware core service.exe'
        8⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:2412
        
        C:\Windows\System32\Anti Spyware core service.exe
        
        "C:\Windows\System32\Anti Spyware core service.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Microsoft update.exe'
        8⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2212
        
        C:\Windows\System32\Microsoft update.exe
        
        "C:\Windows\System32\Microsoft update.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1608
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Anti Spyware core service.exe'
        7⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2016
        
        C:\Windows\System32\Anti Spyware core service.exe
        
        "C:\Windows\System32\Anti Spyware core service.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
        
        C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"' & exit
        8⤵
        
        PID:1352
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"'
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1652
        
        C:\Windows\System32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp8DAF.tmp.bat""
        8⤵
        
        PID:1264
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        9⤵
        Delays execution with timeout.exe
        
        PID:1772
        
        C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe
        
        "C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:484
        
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Microsoft update.exe'
        7⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:668
        
        C:\Windows\System32\Microsoft update.exe
        
        "C:\Windows\System32\Microsoft update.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2848
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Anti Spyware core service.exe'
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:888
      - C:\Windows\System32\Anti Spyware core service.exe
        
        "C:\Windows\System32\Anti Spyware core service.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:1860
      - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Microsoft update.exe'
        6⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1460
      - C:\Windows\System32\Microsoft update.exe
        
        "C:\Windows\System32\Microsoft update.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:580
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Anti Spyware core service.exe'
        5⤵
        Command and Scripting Interpreter: PowerShell
        Suspicious use of AdjustPrivilegeToken
        
        PID:844
    - - C:\Windows\System32\Anti Spyware core service.exe
        
        "C:\Windows\System32\Anti Spyware core service.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:788
      - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"' & exit
        6⤵
        
        PID:1612
        
        C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"'
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2636
      - C:\Windows\System32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp6845.tmp.bat""
        6⤵
        
        PID:984
        
        C:\Windows\system32\timeout.exe
        
        timeout 3
        7⤵
        Delays execution with timeout.exe
        
        PID:2036
        
        C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe
        
        "C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2064
    - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Microsoft update.exe'
        5⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1308
    - - C:\Windows\System32\Microsoft update.exe
        
        "C:\Windows\System32\Microsoft update.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of AdjustPrivilegeToken
        
        PID:2284
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Anti Spyware core service.exe'
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2752
  - - C:\Windows\System32\Anti Spyware core service.exe
      "C:\Windows\System32\Anti Spyware core service.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2044
    - - C:\Windows\System32\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"' & exit
        5⤵
        
        PID:592
      - C:\Windows\system32\schtasks.exe
        
        schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"'
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2300
    - - C:\Windows\System32\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp53DA.tmp.bat""
        5⤵
        
        PID:2864
      - C:\Windows\system32\timeout.exe
        
        timeout 3
        6⤵
        Delays execution with timeout.exe
        
        PID:2476
      - C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe
        
        "C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"
        6⤵
        Executes dropped EXE
        
        PID:2112
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Microsoft update.exe'
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2892
  - - C:\Windows\System32\Microsoft update.exe
      "C:\Windows\System32\Microsoft update.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:2944
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Anti Spyware core service.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1876
- - C:\Windows\System32\Anti Spyware core service.exe
    "C:\Windows\System32\Anti Spyware core service.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:548
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Microsoft update.exe'
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1040
- - C:\Windows\System32\Microsoft update.exe
    "C:\Windows\System32\Microsoft update.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    PID:2488
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Anti Spyware core service.exe'
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2684
- C:\Windows\System32\Anti Spyware core service.exe
  "C:\Windows\System32\Anti Spyware core service.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1632
- - C:\Windows\System32\cmd.exe
    "C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"' & exit
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:996
  - - C:\Windows\system32\schtasks.exe
      schtasks /create /f /sc onlogon /rl highest /tn "Anti Spyware core service" /tr '"C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"'
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:2844
- - C:\Windows\System32\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp27AC.tmp.bat""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:956
  - - C:\Windows\system32\timeout.exe
      timeout 3
      4⤵
      Delays execution with timeout.exe
      PID:2740
  - - C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe
      "C:\Users\Admin\AppData\Roaming\Anti Spyware core service.exe"
      4⤵
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2292
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Microsoft update.exe'
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3056
- C:\Windows\System32\Microsoft update.exe
  "C:\Windows\System32\Microsoft update.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Adds Run key to start application
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Windows\System32\Microsoft update.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1528
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Microsoft update.exe'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1268
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\Microsoft update'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2308
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Microsoft update'
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1732
- - C:\Windows\System32\schtasks.exe
    "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "Microsoft update" /tr "C:\Users\Admin\AppData\Roaming\Microsoft update"
    3⤵
    - Scheduled Task/Job: Scheduled Task
    PID:2744

C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /4
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2692

C:\Windows\system32\taskeng.exe
taskeng.exe {9C576B9F-9191-4C8E-A5A2-6C691F53EFEE} S-1-5-21-2872745919-2748461613-2989606286-1000:CCJBVTGQ\Admin:Interactive:[1]
1⤵
PID:2600

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmp140D.tmp.bat

Filesize
169B

MD5
297a5602bc5c57bd96cc1e2ee34c5b05

SHA1
a1b5442605c0b2edf0357ff447d2676482d647cc

SHA256
c8f0356b3ed37e420ae3b795bf04427ab39676e4c90c1bee4f0bd9a19a6f4c8b

SHA512
01121bbca5cad8fcc176b29bbae660bca7901401ec17dfc3a2dbffeea32c548ba7a1ae0132dae73fb943d4b7d866553e2be5f9d47b586053c9f891b7aeee5ce6

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp15D2.tmp.bat

Filesize
169B

MD5
1e00f21dec49b054fbb0115b7f1cea9a

SHA1
f88cd3d4f45f58f85287a9c0688e6d1cf8719570

SHA256
6f2f41cfdd3053a21e09cae5d90dc63d4e3326647a96d9cc95ac8e82d4d0af48

SHA512
fb5b7ac6c49043bbb185c5789df5cca02a5c34a67185825fdf02136ab70a66fe5923d34041eddebcfae8d72d6fae1be03f21282e021410a51b1d90484ba786a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp1E88.tmp.bat

Filesize
169B

MD5
9e4ef1352d3bf6340684951a9104e56a

SHA1
402091d92c8308b7fd670e434053a601892170c1

SHA256
bfa9f464621d629e3ada1172e505bb4e3530f6ca02ee089e300c30408f8707be

SHA512
1b33ce319b2763e7e1c6e4cb4c67a2014f7cefd8fead49fd9ad5aac8218e7d5035320b719618c43acb6ae724c45fa010989f3ed8f8753d66031eea24eee6b6df

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp27AC.tmp.bat

Filesize
169B

MD5
8316bf820f3d637f8f5f6dc9502d2492

SHA1
7a77c8c7823f0b43e9c00d612179431669e5dc83

SHA256
e64e65f6479d55f1617c06fc537c10c94258f410cb0a6b90f0ed8282f9ef141f

SHA512
2dd11c81f7f4f626f14064d19b15027c4815048061811a8bba8f001b198d55585d74b037feb3ed1e65033b6757bfa94c039cd51115b64e758c53469c99c57607

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp29CE.tmp.bat

Filesize
169B

MD5
bb475af18db0d8fe507c6bfe3cd8d5c3

SHA1
025c6b9f8c2a5a11513d30abc3715cc6065f71bd

SHA256
8bf1a96fd32c82d08365be6b733f3c67a5c018ff9645364749409517f3b53967

SHA512
2ca4b8a8c304cdf5864bf0fcc6a586a65e71ff39c4e41e35e0498fe854469b705aff4134f776386cdd06aca889e508b127e3dc09ab7884cd515caf582d4b7f39

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp2B93.tmp.bat

Filesize
169B

MD5
72afd12be24bc3fd9511c725aabac222

SHA1
bbfc33b465a2e20ef638e41fe568a821b7667066

SHA256
6e32dcf0cdd8d43a69078641d0bd472073378fb0b720bf20f8205c371bdf930e

SHA512
13a470f0d172be60cfeb13d38648a9a68ccd34abcc81b90145b0641610d0adb8bab5a43da339789824db12e93842a12895b5e23dd7fa51d79ab026dbcdade8b5

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp40F7.tmp.bat

Filesize
169B

MD5
97d941d4a7fc840df8b50b1f41bd0230

SHA1
077a8a19702efddb23d60a32ab372e37c2ea8a78

SHA256
f5106a8927c6382bb9ce5cd1fbfb94a86203c8f77ecfbdccad911d90fa3ea51e

SHA512
a0a3444f0a605d9d0996fcff32bb5602cfbf2cf8595492c808b760e13924957e794fc17a52d769a84f086fd2fb172dcf20b7ad4d6131449491f0be4edf7dfb42

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp4588.tmp.bat

Filesize
169B

MD5
9c429ae8def0b6a97f981ffddfb4aa59

SHA1
9a33ede245046b8174d8a3f1414257b5dc8c1c18

SHA256
7f625dfc550d08a91fccdd5f0ac9673780853215617165474c541e6dde8fd432

SHA512
d3c4d969cce43cf0d8d35f9be4209f22dd98ad3263e74ba4bcde51633a5222b193b40835f57cb5102b72ddccfb1bfb8bc424f51cf1274a635c7f1cfd795d54f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp53DA.tmp.bat

Filesize
169B

MD5
860830f4299ddd20d380d80933e3c163

SHA1
6bd1013b21775811f1631ff62785c218ee6ed8b1

SHA256
a9e0b5741d2370f6df79397d6b1d10c76cb582a9cf379e3aadb497a55e70a7fb

SHA512
e9ca1af647fa34bf675435e8b33bef409d0b8467565ecaf3e747dad95e617f16c9f2d19816be0a250cd37cc3979bc8eab2af12e5b58c24be7bf2988441c91c1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5419.tmp.bat

Filesize
169B

MD5
bb247129f545a85e2d80a3b6551bb6b7

SHA1
c56ca00cedc92f0f187ec12c3393908748977955

SHA256
b6410982b126dffb30a3397d77de73f3e6a73833386da24846d743cf2a66cb54

SHA512
4bb55e0801f7cb22bfef4d4e46a361317cba6ae03c5fd9e1e90c6083ad640cc9c7cb14bc7979f3e47a43ae4a469fb7da155395dbe448560dfefe13108c0a2821

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp5513.tmp.bat

Filesize
169B

MD5
0865a67a7c9fa6c3af08690e409415de

SHA1
e3bfdbddbf2b8bae5603b9f9bb5e40571a2b992f

SHA256
1b2732448579cbf0e20521ce572b139405d4c1ef9ca2c9a407c8c799a6b10b63

SHA512
9e35d6b5f711ad600592563e22850d06096a04fa9fa3d8c732d4d37e2d453adc51d49a8c026346c7ac5ca7a722a0cd23ecde9b3277d012c8cafcc2bc585075c2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6845.tmp.bat

Filesize
169B

MD5
1af488c72124664079fd30ad89e310b9

SHA1
91d5f10ba8b4637e317259c6eea7757309df3c0b

SHA256
166ad23c5f41ff3f09ff6803f4e7a030f94822c6cb329ee70389a0e8a7e2acf8

SHA512
379df744293750866187e5f08b0f0431176ec8c16823aa157739b521d23cd73304b4e9170032d505cb5d9cdd24aca1d30da733c7220a3c25eef1b7be7acbe364

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp6AA5.tmp.bat

Filesize
169B

MD5
cbee6c7003b22f954461606b3e1a402c

SHA1
c7b7258f33bf3cfe589da8dce41726d892b44613

SHA256
c7433f5339657037f9cb036143c56f3c5a3d55604a7966d4e010944df71502d2

SHA512
f450fd581d15b1dee3868fcb521b78a1b57f484a1be41b89e6b04e66c8986fa33497674c14764e7aabac8f3ab7ece7f31c055aef0f3d0c086b951aa415a8a04a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp705F.tmp.bat

Filesize
169B

MD5
1c0f9321faecf4a51bf4569ff9242538

SHA1
03f1d7fad3d41fec8d0b627324ff5d4f95d59d4a

SHA256
fe0cb9606c3b5a6390511bd3dd3aa8f6ef8f37bc1f3240e0a80d5cd17f3f2afb

SHA512
fcb5d3a3cbc9a1cceefc3a582775713a3b147e91441210bf759c04e10e788082d9336d3205cc6b9e68ad556d31c267c94b53ae69943c8616b7f7195cb1bb934a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7C70.tmp.bat

Filesize
169B

MD5
8ce5269e5768eb4898b8ec65a21cf847

SHA1
ad21a8380569ad8367913774f364ec070d3590dc

SHA256
1c7369afec38ceaed35a0a0579b63538235ff2b382b6b26da68d7ed9f0a0268f

SHA512
d754311a871a6161522e1bd0a6fffa130d092f7d5051c6972e78e0af36c0597492bd6471de12b74ca3e681db7ac3aa4c6bf100fdec2cafe03e1af8f9c7e90e61

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp7F7C.tmp.bat

Filesize
169B

MD5
e7a0e02a59a1a3be23c16fdb13a721ae

SHA1
5f4f677afa0ab83396796ebc738aa740b4a8b454

SHA256
0b828fcc4e7db3d8e304b7f4f88243e5b55be7bba2d500cc489e48f85889d8ed

SHA512
94d36642f2a647e1fb72ed228f047f53014f9496387b282ce5b6e860ded9f471f13742a615bc83b43ecb0099f41c20dd68c35fae60d67da29066f8ae8c4a23b8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp8DAF.tmp.bat

Filesize
169B

MD5
ac72492ce39b0b612268781a67ce3f8e

SHA1
31a64854a73df44328bce303191901d0abcf3972

SHA256
149e4b29c4a917b0a31f406b821e1a01ffb15e43ec2cb046626f95844f5d5f04

SHA512
3227610a345527ee6c3423ebea607e528dc56b0c697512e25551b7dbc42a11519c335f368450addafef2f5b8c4cfa7075484d437737d60b855e3a731bdb73055

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9195.tmp.bat

Filesize
169B

MD5
783f48a6f8878180c5c46e32ccf4f1f3

SHA1
f6e9d976d1e45ca9f0011ed5d9b78415129bf43a

SHA256
ed2e13aa2072fb74fc34370f5857c77fa38e6b6ef345ceb46e4bf0f2f5861996

SHA512
0c46e2c27cedf8fafb00a9ec2a8790d2d86eb856b54e7ad88ded30b8de530bb3263194136526af4c4a0f4054a953a0a57f89959eaad15543b9062be6bb739a98

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9444.tmp.bat

Filesize
169B

MD5
537d12c68cf082331cad36fff402c600

SHA1
5fad832bf06bc25c83133d03c67e842452ce80d1

SHA256
58cfd973db4177594f6647bea364b5d7f3da7ef71201a023c937b2f447d8be17

SHA512
0c1fd7c9b2c828b59967e0923018d97688828038a26689cf02efb649a099b5f13a2dc11f2083f2a3077f740d1f101d69474c7b91b5e90166362edd81a78b8ec4

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9869.tmp.bat

Filesize
169B

MD5
98cc8ace742afde78f5badd50a705bbb

SHA1
cc793f4c966bcefd9fd2bc57f0fbe30210cef986

SHA256
123d536666eadefe3971fb39b423ac62a34249aaabf1a65fa4714c670b46ea96

SHA512
00e6dfc1c29e2fa31928ca86b2ac6e5447c6a79996a8acf721d172a235d9d39cb143f5307164a8f3924324d16d5d4d90dd19c30487700b56808887364df7a283

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp9B1.tmp.bat

Filesize
168B

MD5
cc4d3b6c5187e222712c119cfa7f7dd9

SHA1
cb7b81cc854e146d2e3376c8cce48e7ed54666bd

SHA256
abc49cf95f71b82551a6c7e2d36d45a6a8fa43a432ca6eccf9f902bdb8366bd2

SHA512
34c10071e0c063707069c732b5cfc69078dc647ce6e0e83224b64ea2e11fd49466b0da8649d8520a6e42e6f95e5b65040ec2e5636998a3ec362f638b09a2ab1a

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpA65D.tmp.bat

Filesize
169B

MD5
47612f6bd8b66dfe0eecdb9052b53649

SHA1
a9c858498837430d920ae7e45724f78371e556d9

SHA256
7dee023d075652e6f5b32717ab28ae36feb8f003a2dbf4f2ab33f63ed9c321c5

SHA512
0c108ab091537cda6a071d96acbc1ab454e57eec542568713dccca85bbfe070c585cfe8af7dedaa73a35d00d92fe0bb9ef491b96763d5e9023459d2afa673ab9

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpAA72.tmp.bat

Filesize
169B

MD5
e72bae12a387b6f421118a2b666f2864

SHA1
4ace65ebd8d0f09175b7940db19b02602c48d06f

SHA256
c2080e40696524099920b532b82837f5961f109441cf11e2640a5c60240d9f3a

SHA512
7a799e3fb418e908ab7d022a45835397e5e9637ea82c2a25f6d82a47bcef895ec73a3c38f08deede721505165ac07cecdceeb46a365ac59a069039b891f5c070

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpADEB.tmp.bat

Filesize
169B

MD5
f690bcbe12cddc120ab616f2f8cb2f65

SHA1
d361949c7bbeffbcc159f345db8f84e1cced9828

SHA256
48598c8f530553fb5b8453252453d3ea7f24a2e8bfc5df6873ceb2a66cff34da

SHA512
bd4029dcf1de345a8fc3439db912611e5f397e9c944c4f999c9a185b30235876c697d2642a04260d0182e0d4a92f8f1558273675d0cf9d83ad0ab6bd1a32de0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpB5B8.tmp.bat

Filesize
169B

MD5
00d9b97807c04f9a36e627cefd7f826d

SHA1
4a91e02543ffe7f32544c7869dc795afd1694e65

SHA256
fb9db2cd7d908d963e633fa52a43ecbdf7b2b6844d7b743f80328179bf2b91d6

SHA512
bfa607a939f325e14c6e83432ec8a9988539c7e4c292643048bad77f55bd4df2c103f0346640c9ccd8c31d5268b46bf01c00e52a857d027372b30e6b9d7dcc34

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBBC1.tmp.bat

Filesize
169B

MD5
0730d82e97f1a18fb59fe96cd5b70ca3

SHA1
daf4d7ab106a15eb4eb0133948abcac0d6f0ec92

SHA256
1ba08cf93d0763850e17e637380d2c48f64451aff0f34c939cad126f229b3a2a

SHA512
477aa61278c92d3c4649adef2dd259b0e27ecfb41c292babd3d2fe9a7ab1ca5c92e79f9d1df7b06c1d5e32c6effa3624f0b0f83e3bb40c274907d9b9a116cec3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBEAE.tmp.bat

Filesize
169B

MD5
31ff29dfd757566105b89b91f833bfaf

SHA1
86b9721984f092270ce418cee4f1af45b9b0f530

SHA256
f51a84f354b373ae5609cf98ed14d07e8d49402f9996bce3663387c768d63096

SHA512
098ea192c8e5f02203ccc8ad252dc8fc31404f2e7d60fdcf59856934300056f206e37f56b0cbe101373524d75c4d895d6e0982000b310abf1e17281e7123451e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpCADD.tmp.bat

Filesize
169B

MD5
5c4985266fe2e7bb0360fed971bc22e5

SHA1
c4de6502a066320ec8135fea3d179d1dbe80122f

SHA256
5569fa72602c1bae72213a722b7cccda929250c31b50d94b426b05ab9c3d7a8b

SHA512
216b91b24cdfa57f558aa22a935a0d1d3745d2002f2f4403fee53e240abac21765b81fc98d99f5c0b0c765925689ee14d77694bfd15a4f53190ae4e1000f5787

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD115.tmp.bat

Filesize
169B

MD5
b15065b8221c22b3af86f251a535441d

SHA1
1a7f0c9598c1e16659cbab1534bd6a1d20a2d04b

SHA256
c51c099dcf93b34587fbe3ae6c14dd04a0b6f6b40732e37b927714d5eaac7198

SHA512
d29a2555f1161dd2971ee724e5cdb14a0d816158d94a4903071b773c94f80a1c381da2d52bfc369105a751c24b73d921fbee99ae7b76c01776431b655f155ba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD46F.tmp.bat

Filesize
169B

MD5
f45a86092b9f63d4569b848c778b65b9

SHA1
6d732522ce5eec26e99e4eec6bdb289da5085d2d

SHA256
cb7f5636344e6fc612a959eb2c95b262cbc49e99f5215940f1988945825a3ab6

SHA512
b954ea849f591ae25455591c840b9e001f1a4e788724b6df08c4e6c1e7ed4f60b881ab354fc29c50203a3d4f725626ebce967406f52e058a061a77430986421b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpD7D8.tmp.bat

Filesize
169B

MD5
e87f81908749678deb6dd6bcb62cdfaa

SHA1
20cdeba1b8e775b5701088120003231d23c86d61

SHA256
3f63d068fb52ebf8b8d2f0cef61b606b70624ecd50d1599f155d7b2a6c1bb1dc

SHA512
9593bd58ff5f81b4b479f01a284172bdc38bf60a80db4b97eb44f81c8c735addedb8ea3fb9f2fffb783bd5f6e7737b728dd1e30f45eda1e4fb2759deb35ebf1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpE09F.tmp.bat

Filesize
169B

MD5
d2be86565d4879c2220389d107dde9ee

SHA1
97911d4dfa687af1c2ac421d449d703827676d5b

SHA256
696268b4ca0c6e980e1ea2a426f68930f5a9c5c627dc5f146701c35a1938d4c0

SHA512
d818c2847cc8752ca61cc3ea8baa88951aeecd4182a800e7ef35ff0c53c6eecc746298b4c08d382ea3717643ba0ee0473ce255d996a17d24a021bfbb416b5d13

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpEA30.tmp.bat

Filesize
169B

MD5
752327ca17d1dde94ab9ddb36cff45f9

SHA1
a49e9924b67c10c0e4a717e983c5deb5823eed64

SHA256
579a511eb278e74021d12976e9bf06f9dadf61c4fddf15e5449684c6ea9b89ff

SHA512
bae6808b84419a1d13aadf269519250d4f05fe4390fe1fadc88abd3a3c3cc97386e2a8e6788438f9d5b1e77fa7be4c6c5d6b07e94c430e5731a1feab6b3c0eeb

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpED5B.tmp.bat

Filesize
169B

MD5
50eb6fde2ea5570b8b6fc0417bfc5196

SHA1
bb2ffbdb4e8fbe81c56f9735b38eba922b177e5d

SHA256
3bdba345b17c7eb506c3957f0ea79059a04575a5f3cd9bdec393f81719c47eb4

SHA512
61ebca68b62b8c9a675fb7b4a1f7910c2fb04d74eac587614e273d9ae8cbb894bffd641e185cbd9c10c5c84d411cbb551747037760cafbdcf4dbc9ee53534154

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpF576.tmp.bat

Filesize
169B

MD5
03e61d15f7554b6d04d2cdf798d4dc6f

SHA1
a9a06e220caa3dc8feffcedb8ae492226499e8e6

SHA256
0bd89e592235014c534e8a09bcbbd3620d537991d2f33ca794d697b2c8028b23

SHA512
b6d4460fa4ef726d21f03592e91fffd363fc06a93f68e1b74d7de8501fc55b727d145c2cab78463092ccbd6ca721bcaeeb68a15823e9875671c17262b8597ed2

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpFF17.tmp.bat

Filesize
169B

MD5
cf4144a3cf7764813bbdcb1b7cbd7fb4

SHA1
7be165a7d26ce670768b81fbe8c6b75d45ab1620

SHA256
bc0b6f52235cb4dfd6a7bee26e899d1c36adc694fed9d00c75ac47da75e48f6b

SHA512
7d0b7a37ce29f3ff4c9b72c2923f27e0e120327e3e78d4da2362f5968d935c46fc992aa03d9d9d10fa2be0401b78bb26ec4ad7c35fed58ac6d7d0e89777c6135

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
0c8893906895a0cf575c988ce7d3f05b

SHA1
722c0d6dd8cf69b63a869ca63472bd364f79c2d5

SHA256
af6e425ac02280a64701fc93b7657339243913b0284845c5b22cf87a89a1d347

SHA512
f3a8df70bf779e3c0f3b8ec56dbbe5227327c1dddbfe2080a4a0ab6e922575a6de10ca5743428629903fe5934bd86cdf316afe32b61de221adee00c3798b9a35

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\M22MNNBHJISJVCIR62I8.temp

Filesize
7KB

MD5
0fa0378bad7e1f9ee3d506ecf07e38b0

SHA1
35fcb2a20dbfea9fd43f3337e5624ad936a2f593

SHA256
160a63c7b8927124aedea562395b0b1fc76768d2c17a59b5752bb1c2b863c5f9

SHA512
0035b11d2a9ffbd548995e31051527d02fc59e0cc0c75e820a58b207d48ee61d63930764e67b962fb322f8eb193ae6de2e68d5266f3d26394abcba514cb0ca08

Download Submit
C:\Windows\System32\Anti Spyware core service.exe

Filesize
63KB

MD5
f5e9921f069554980e87a5654378cbd0

SHA1
021624ca621c42e17e8f66eba350a3f2ed7a9825

SHA256
04e6bf407e90b0b89caf860456cbfe10aedbc608e7e2f56648e96af98c034750

SHA512
2454aa98187bdb5c0078aa3d0e505e2f1cfbc88d88c1335585a58d6f3b0a8a909edb3a2b394201e39fce1ce0899fd1c95c91a80926bd799e90dae3517f7f1d14

Download Submit
C:\Windows\System32\Microsoft update.exe

Filesize
76KB

MD5
6d92420f3a9227f3fc2d8040c15712c2

SHA1
650fa88e357d0f4602134f1c9b884eaf60f82b98

SHA256
08e4a086bf5a4f773638a2bbc5da8963c5b6bf650a94a1ebd7a36513508b41bb

SHA512
0bff5ac7920848a3eb5b0cf6d66a0ba1393aa48be96b1d76dda99cd45724880835ae6dc4e44fc257a0101fc0ded308925aaf9c697d34d74e10bf98f334714341

Download Submit
memory/484-189-0x0000000000CC0000-0x0000000000CD6000-memory.dmp

Filesize
88KB

Download
memory/548-53-0x00000000002E0000-0x00000000002F6000-memory.dmp

Filesize
88KB

Download
memory/576-549-0x0000000000020000-0x0000000000036000-memory.dmp

Filesize
88KB

Download
memory/576-351-0x00000000009F0000-0x0000000000A06000-memory.dmp

Filesize
88KB

Download
memory/580-263-0x0000000000DD0000-0x0000000000DE6000-memory.dmp

Filesize
88KB

Download
memory/592-415-0x0000000000D60000-0x0000000000D76000-memory.dmp

Filesize
88KB

Download
memory/788-117-0x0000000000120000-0x0000000000136000-memory.dmp

Filesize
88KB

Download
memory/800-448-0x00000000009D0000-0x00000000009E6000-memory.dmp

Filesize
88KB

Download
memory/900-205-0x0000000001340000-0x0000000001356000-memory.dmp

Filesize
88KB

Download
memory/924-375-0x00000000012C0000-0x00000000012D6000-memory.dmp

Filesize
88KB

Download
memory/940-316-0x0000000000F20000-0x0000000000F36000-memory.dmp

Filesize
88KB

Download
memory/1000-462-0x00000000010C0000-0x00000000010D6000-memory.dmp

Filesize
88KB

Download
memory/1052-814-0x00000000008B0000-0x00000000008C6000-memory.dmp

Filesize
88KB

Download
memory/1104-726-0x0000000000FB0000-0x0000000000FC6000-memory.dmp

Filesize
88KB

Download
memory/1132-731-0x00000000000E0000-0x00000000000F6000-memory.dmp

Filesize
88KB

Download
memory/1152-356-0x0000000000160000-0x0000000000176000-memory.dmp

Filesize
88KB

Download
memory/1292-676-0x00000000011C0000-0x00000000011D6000-memory.dmp

Filesize
88KB

Download
memory/1296-708-0x00000000013E0000-0x00000000013F6000-memory.dmp

Filesize
88KB

Download
memory/1324-598-0x0000000000A80000-0x0000000000A96000-memory.dmp

Filesize
88KB

Download
memory/1348-277-0x0000000000FC0000-0x0000000000FD6000-memory.dmp

Filesize
88KB

Download
memory/1364-342-0x0000000000C20000-0x0000000000C36000-memory.dmp

Filesize
88KB

Download
memory/1508-429-0x0000000000040000-0x0000000000056000-memory.dmp

Filesize
88KB

Download
memory/1536-603-0x0000000000390000-0x00000000003A6000-memory.dmp

Filesize
88KB

Download
memory/1612-443-0x0000000000AF0000-0x0000000000B06000-memory.dmp

Filesize
88KB

Download
memory/1632-526-0x00000000011B0000-0x00000000011C6000-memory.dmp

Filesize
88KB

Download
memory/1632-16-0x0000000000F90000-0x0000000000FA6000-memory.dmp

Filesize
88KB

Download
memory/1704-544-0x0000000000A90000-0x0000000000AA6000-memory.dmp

Filesize
88KB

Download
memory/1740-622-0x0000000000EE0000-0x0000000000EF6000-memory.dmp

Filesize
88KB

Download
memory/1816-671-0x0000000001170000-0x0000000001186000-memory.dmp

Filesize
88KB

Download
memory/1860-690-0x0000000000AB0000-0x0000000000AC6000-memory.dmp

Filesize
88KB

Download
memory/1860-149-0x0000000000260000-0x0000000000276000-memory.dmp

Filesize
88KB

Download
memory/1868-244-0x0000000000220000-0x0000000000236000-memory.dmp

Filesize
88KB

Download
memory/1876-49-0x0000000002910000-0x0000000002918000-memory.dmp

Filesize
32KB

Download
memory/2000-239-0x0000000000CE0000-0x0000000000CF6000-memory.dmp

Filesize
88KB

Download
memory/2016-221-0x0000000000050000-0x0000000000066000-memory.dmp

Filesize
88KB

Download
memory/2044-92-0x0000000000ED0000-0x0000000000EE6000-memory.dmp

Filesize
88KB

Download
memory/2056-258-0x0000000000B40000-0x0000000000B56000-memory.dmp

Filesize
88KB

Download
memory/2064-147-0x0000000000930000-0x0000000000946000-memory.dmp

Filesize
88KB

Download
memory/2112-127-0x0000000001080000-0x0000000001096000-memory.dmp

Filesize
88KB

Download
memory/2112-489-0x0000000000F00000-0x0000000000F16000-memory.dmp

Filesize
88KB

Download
memory/2160-765-0x0000000001360000-0x0000000001376000-memory.dmp

Filesize
88KB

Download
memory/2168-849-0x0000000000840000-0x0000000000856000-memory.dmp

Filesize
88KB

Download
memory/2192-508-0x0000000001320000-0x0000000001336000-memory.dmp

Filesize
88KB

Download
memory/2292-51-0x00000000008E0000-0x00000000008F6000-memory.dmp

Filesize
88KB

Download
memory/2336-302-0x00000000012D0000-0x00000000012E6000-memory.dmp

Filesize
88KB

Download
memory/2356-282-0x0000000000230000-0x0000000000246000-memory.dmp

Filesize
88KB

Download
memory/2372-420-0x0000000001330000-0x0000000001346000-memory.dmp

Filesize
88KB

Download
memory/2572-60-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/2572-3-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/2584-30-0x0000000000FD0000-0x0000000000FEA000-memory.dmp

Filesize
104KB

Download
memory/2588-475-0x0000000000D40000-0x0000000000D56000-memory.dmp

Filesize
88KB

Download
memory/2624-297-0x0000000000810000-0x0000000000826000-memory.dmp

Filesize
88KB

Download
memory/2684-8-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/2684-9-0x0000000002820000-0x0000000002828000-memory.dmp

Filesize
32KB

Download
memory/2692-99-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2692-100-0x0000000140000000-0x00000001405E8000-memory.dmp

Filesize
5.9MB

Download
memory/2692-0-0x000007FEF5C53000-0x000007FEF5C54000-memory.dmp

Filesize
4KB

Download
memory/2692-31-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/2692-1-0x0000000000FA0000-0x00000000019DC000-memory.dmp

Filesize
10.2MB

Download
memory/2692-2-0x000007FEF5C50000-0x000007FEF663C000-memory.dmp

Filesize
9.9MB

Download
memory/2724-370-0x0000000000AE0000-0x0000000000AF6000-memory.dmp

Filesize
88KB

Download
memory/2724-779-0x0000000001160000-0x0000000001176000-memory.dmp

Filesize
88KB

Download
memory/2844-163-0x0000000000E10000-0x0000000000E26000-memory.dmp

Filesize
88KB

Download
memory/2900-397-0x00000000001C0000-0x00000000001D6000-memory.dmp

Filesize
88KB

Download
memory/2904-636-0x0000000000800000-0x0000000000816000-memory.dmp

Filesize
88KB

Download
memory/2944-563-0x00000000013C0000-0x00000000013D6000-memory.dmp

Filesize
88KB

Download
memory/3008-494-0x0000000000D90000-0x0000000000DA6000-memory.dmp

Filesize
88KB

Download
memory/3040-617-0x0000000000830000-0x0000000000846000-memory.dmp

Filesize
88KB

Download
memory/3056-22-0x000000001B560000-0x000000001B842000-memory.dmp

Filesize
2.9MB

Download
memory/3056-23-0x0000000001E20000-0x0000000001E28000-memory.dmp

Filesize
32KB

Download