netwire | 1b6d07883242bc16fa0f2ecdbb7fd6abae89f244f66c1a32d9fd8b3f3c3d3661

Analysis

max time kernel
150s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
15-05-2024 22:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

484014cfcb70a39296ca04415f71a750_JaffaCakes118.exe
Size

831KB
MD5

484014cfcb70a39296ca04415f71a750
SHA1

f6437e2a1834dd687316821df0dca7c3e523f36b
SHA256

1b6d07883242bc16fa0f2ecdbb7fd6abae89f244f66c1a32d9fd8b3f3c3d3661
SHA512

0fa2e906065e2731e12c1880c2b321d3082f6157eefc2f138f4907389b8d9b789505a83d9a204152139b9283ea6328e8e83c254ec8379eb024649aee0c7d4302
SSDEEP

12288:OYk+mQo8BdbrQ0Fl92VT7twWQldCMoAODEcl3/8fuboF5Q:OY5mstrfb+7tBqsMwEclPegoF5

Score

10^/10

netwire botnet rat stealer upx

Malware Config

Extracted

Family

netwire

185.140.53.212:3380

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
HostId-Qgo6E0
keylogger_dir
C:\Users\Admin\AppData\Roaming\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 2 IoCs

rat

resource	yara_rule
behavioral2/memory/1456-14-0x0000000000400000-0x0000000000423000-memory.dmp	netwire
behavioral2/memory/1456-11-0x0000000000400000-0x0000000000423000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/1456-6-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1456-14-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1456-10-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/1456-11-0x0000000000400000-0x0000000000423000-memory.dmp	upx

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\.Identifier	svchost.exe
File opened for modification	C:\Windows\SysWOW64\.Identifier	svchost.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 228 set thread context of 1456	228	484014cfcb70a39296ca04415f71a750_JaffaCakes118.exe	97

Creates scheduled task(s) 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
3500	schtasks.exe
2212	schtasks.exe
3652	schtasks.exe
1340	schtasks.exe
1104	schtasks.exe
1080	schtasks.exe
884	schtasks.exe
1144	schtasks.exe
4280	schtasks.exe
1276	schtasks.exe
3500	schtasks.exe
3528	schtasks.exe
2264	schtasks.exe
4184	schtasks.exe
2152	schtasks.exe
2244	schtasks.exe
3548	schtasks.exe
5104	schtasks.exe
2824	schtasks.exe
3440	schtasks.exe
1104	schtasks.exe
2040	schtasks.exe
4424	schtasks.exe
372	schtasks.exe
4964	schtasks.exe
2680	schtasks.exe
2592	schtasks.exe
2968	schtasks.exe
4792	schtasks.exe
3164	schtasks.exe
3652	schtasks.exe
1696	schtasks.exe
2848	schtasks.exe
2388	schtasks.exe
3472	schtasks.exe
3500	schtasks.exe
4720	schtasks.exe
3164	schtasks.exe
4848	schtasks.exe
2192	schtasks.exe
4336	schtasks.exe
1780	schtasks.exe
4884	schtasks.exe
4556	schtasks.exe
5020	schtasks.exe
4820	schtasks.exe
4184	schtasks.exe
5088	schtasks.exe
672	schtasks.exe
4836	schtasks.exe
1092	schtasks.exe
1568	schtasks.exe
1224	schtasks.exe
3548	schtasks.exe
1988	schtasks.exe
5004	schtasks.exe
4184	schtasks.exe
1028	schtasks.exe
1180	schtasks.exe
760	schtasks.exe
344	schtasks.exe
2292	schtasks.exe
736	schtasks.exe
772	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
228	484014cfcb70a39296ca04415f71a750_JaffaCakes118.exe
228	484014cfcb70a39296ca04415f71a750_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	228	484014cfcb70a39296ca04415f71a750_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 228 wrote to memory of 2040	228	484014cfcb70a39296ca04415f71a750_JaffaCakes118.exe	90
PID 228 wrote to memory of 2040	228	484014cfcb70a39296ca04415f71a750_JaffaCakes118.exe	90
PID 228 wrote to memory of 2040	228	484014cfcb70a39296ca04415f71a750_JaffaCakes118.exe	90
PID 2040 wrote to memory of 4600	2040	cmd.exe	92
PID 2040 wrote to memory of 4600	2040	cmd.exe	92
PID 2040 wrote to memory of 4600	2040	cmd.exe	92
PID 228 wrote to memory of 4336	228	484014cfcb70a39296ca04415f71a750_JaffaCakes118.exe	94
PID 228 wrote to memory of 4336	228	484014cfcb70a39296ca04415f71a750_JaffaCakes118.exe	94
PID 228 wrote to memory of 4336	228	484014cfcb70a39296ca04415f71a750_JaffaCakes118.exe	94
PID 4336 wrote to memory of 5088	4336	cmd.exe	96
PID 4336 wrote to memory of 5088	4336	cmd.exe	96
PID 4336 wrote to memory of 5088	4336	cmd.exe	96
PID 228 wrote to memory of 1456	228	484014cfcb70a39296ca04415f71a750_JaffaCakes118.exe	97
PID 228 wrote to memory of 1456	228	484014cfcb70a39296ca04415f71a750_JaffaCakes118.exe	97
PID 228 wrote to memory of 1456	228	484014cfcb70a39296ca04415f71a750_JaffaCakes118.exe	97
PID 228 wrote to memory of 1456	228	484014cfcb70a39296ca04415f71a750_JaffaCakes118.exe	97
PID 228 wrote to memory of 1456	228	484014cfcb70a39296ca04415f71a750_JaffaCakes118.exe	97
PID 228 wrote to memory of 1456	228	484014cfcb70a39296ca04415f71a750_JaffaCakes118.exe	97
PID 228 wrote to memory of 1456	228	484014cfcb70a39296ca04415f71a750_JaffaCakes118.exe	97
PID 228 wrote to memory of 1456	228	484014cfcb70a39296ca04415f71a750_JaffaCakes118.exe	97
PID 228 wrote to memory of 1720	228	484014cfcb70a39296ca04415f71a750_JaffaCakes118.exe	98
PID 228 wrote to memory of 1720	228	484014cfcb70a39296ca04415f71a750_JaffaCakes118.exe	98
PID 228 wrote to memory of 1720	228	484014cfcb70a39296ca04415f71a750_JaffaCakes118.exe	98
PID 1720 wrote to memory of 312	1720	cmd.exe	100
PID 1720 wrote to memory of 312	1720	cmd.exe	100
PID 1720 wrote to memory of 312	1720	cmd.exe	100
PID 228 wrote to memory of 2564	228	484014cfcb70a39296ca04415f71a750_JaffaCakes118.exe	101
PID 228 wrote to memory of 2564	228	484014cfcb70a39296ca04415f71a750_JaffaCakes118.exe	101
PID 228 wrote to memory of 2564	228	484014cfcb70a39296ca04415f71a750_JaffaCakes118.exe	101
PID 2564 wrote to memory of 2848	2564	cmd.exe	103
PID 2564 wrote to memory of 2848	2564	cmd.exe	103
PID 2564 wrote to memory of 2848	2564	cmd.exe	103
PID 228 wrote to memory of 3444	228	484014cfcb70a39296ca04415f71a750_JaffaCakes118.exe	111
PID 228 wrote to memory of 3444	228	484014cfcb70a39296ca04415f71a750_JaffaCakes118.exe	111
PID 228 wrote to memory of 3444	228	484014cfcb70a39296ca04415f71a750_JaffaCakes118.exe	111
PID 3444 wrote to memory of 1736	3444	cmd.exe	113
PID 3444 wrote to memory of 1736	3444	cmd.exe	113
PID 3444 wrote to memory of 1736	3444	cmd.exe	113
PID 228 wrote to memory of 4212	228	484014cfcb70a39296ca04415f71a750_JaffaCakes118.exe	114
PID 228 wrote to memory of 4212	228	484014cfcb70a39296ca04415f71a750_JaffaCakes118.exe	114
PID 228 wrote to memory of 4212	228	484014cfcb70a39296ca04415f71a750_JaffaCakes118.exe	114
PID 4212 wrote to memory of 672	4212	cmd.exe	116
PID 4212 wrote to memory of 672	4212	cmd.exe	116
PID 4212 wrote to memory of 672	4212	cmd.exe	116
PID 228 wrote to memory of 5104	228	484014cfcb70a39296ca04415f71a750_JaffaCakes118.exe	120
PID 228 wrote to memory of 5104	228	484014cfcb70a39296ca04415f71a750_JaffaCakes118.exe	120
PID 228 wrote to memory of 5104	228	484014cfcb70a39296ca04415f71a750_JaffaCakes118.exe	120
PID 5104 wrote to memory of 2972	5104	cmd.exe	122
PID 5104 wrote to memory of 2972	5104	cmd.exe	122
PID 5104 wrote to memory of 2972	5104	cmd.exe	122
PID 228 wrote to memory of 3360	228	484014cfcb70a39296ca04415f71a750_JaffaCakes118.exe	123
PID 228 wrote to memory of 3360	228	484014cfcb70a39296ca04415f71a750_JaffaCakes118.exe	123
PID 228 wrote to memory of 3360	228	484014cfcb70a39296ca04415f71a750_JaffaCakes118.exe	123
PID 3360 wrote to memory of 1276	3360	cmd.exe	125
PID 3360 wrote to memory of 1276	3360	cmd.exe	125
PID 3360 wrote to memory of 1276	3360	cmd.exe	125
PID 228 wrote to memory of 1152	228	484014cfcb70a39296ca04415f71a750_JaffaCakes118.exe	127
PID 228 wrote to memory of 1152	228	484014cfcb70a39296ca04415f71a750_JaffaCakes118.exe	127
PID 228 wrote to memory of 1152	228	484014cfcb70a39296ca04415f71a750_JaffaCakes118.exe	127
PID 1152 wrote to memory of 1196	1152	cmd.exe	129
PID 1152 wrote to memory of 1196	1152	cmd.exe	129
PID 1152 wrote to memory of 1196	1152	cmd.exe	129
PID 228 wrote to memory of 3684	228	484014cfcb70a39296ca04415f71a750_JaffaCakes118.exe	130
PID 228 wrote to memory of 3684	228	484014cfcb70a39296ca04415f71a750_JaffaCakes118.exe	130

C:\Users\Admin\AppData\Local\Temp\484014cfcb70a39296ca04415f71a750_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\484014cfcb70a39296ca04415f71a750_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:228
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:4600
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4336
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\393729515.xml"
    3⤵
    - Creates scheduled task(s)
    PID:5088
- C:\Windows\SysWOW64\svchost.exe
  "C:\Users\Admin\AppData\Local\Temp\484014cfcb70a39296ca04415f71a750_JaffaCakes118.exe "
  2⤵
  - Drops file in System32 directory
  PID:1456
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1720
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:312
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1150075577.xml"
    3⤵
    - Creates scheduled task(s)
    PID:2848
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3444
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:1736
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4212
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\941699137.xml"
    3⤵
    - Creates scheduled task(s)
    PID:672
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5104
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:2972
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3360
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\733322697.xml"
    3⤵
    - Creates scheduled task(s)
    PID:1276
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1152
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:1196
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:3684
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1646846076.xml"
    3⤵
    - Creates scheduled task(s)
    PID:1224
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:4732
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:4936
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:4432
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1438469636.xml"
    3⤵
    - Creates scheduled task(s)
    PID:2968
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:4364
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:2252
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:4796
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\459565268.xml"
    3⤵
    - Creates scheduled task(s)
    PID:3500
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:4808
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:536
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:2564
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\602560719.xml"
    3⤵
    PID:1340
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:3528
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:2556
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:1400
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1771139998.xml"
    3⤵
    - Creates scheduled task(s)
    PID:4792
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:2848
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:4836
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:4892
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\373079593.xml"
    3⤵
    - Creates scheduled task(s)
    PID:3164
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:224
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:2252
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:1572
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1893030763.xml"
    3⤵
    - Creates scheduled task(s)
    PID:3500
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:2592
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:4268
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:1136
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1265498286.xml"
    3⤵
    - Creates scheduled task(s)
    PID:1104
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:1500
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:4324
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:4052
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\637965809.xml"
    3⤵
    - Creates scheduled task(s)
    PID:2388
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:3896
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:3168
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:1004
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\780961260.xml"
    3⤵
    - Creates scheduled task(s)
    PID:3472
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:3176
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:2968
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:1352
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1179012611.xml"
    3⤵
    - Creates scheduled task(s)
    PID:3528
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:3500
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:1696
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:4236
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\551480134.xml"
    3⤵
    - Creates scheduled task(s)
    PID:3548
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:1152
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:1340
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:3712
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\694475585.xml"
    3⤵
    - Creates scheduled task(s)
    PID:2264
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:1780
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:1136
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:2776
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1863054864.xml"
    3⤵
    - Creates scheduled task(s)
    PID:4184
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:4808
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:4948
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:4332
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\2006050315.xml"
    3⤵
    - Creates scheduled task(s)
    PID:4556
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:3452
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:1696
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:2104
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1797673875.xml"
    3⤵
    - Creates scheduled task(s)
    PID:3548
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:4512
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:4324
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:4784
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1589297435.xml"
    3⤵
    - Creates scheduled task(s)
    PID:2040
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:376
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:1744
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:4792
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1380920995.xml"
    3⤵
    - Creates scheduled task(s)
    PID:4836
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:4236
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:4504
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:4788
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1523916446.xml"
    3⤵
    - Creates scheduled task(s)
    PID:884
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:4964
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:4948
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:1400
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\896383969.xml"
    3⤵
    PID:4556
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:232
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:3424
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:4884
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\688007529.xml"
    3⤵
    - Creates scheduled task(s)
    PID:2192
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:316
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:1340
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:1104
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\479631089.xml"
    3⤵
    - Creates scheduled task(s)
    PID:2212
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:3088
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:5084
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:748
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1041782577.xml"
    3⤵
    PID:3268
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:4880
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:1020
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:3168
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\833406137.xml"
    3⤵
    - Creates scheduled task(s)
    PID:3500
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:5104
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:3556
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:1200
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1044185734.xml"
    3⤵
    - Creates scheduled task(s)
    PID:1028
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:4292
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:1576
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:3816
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\835809294.xml"
    3⤵
    - Creates scheduled task(s)
    PID:2292
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:4268
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:1084
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:232
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\627432854.xml"
    3⤵
    - Creates scheduled task(s)
    PID:2680
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:536
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:4796
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:3900
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\419056414.xml"
    3⤵
    - Creates scheduled task(s)
    PID:1144
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:1004
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:3500
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:1500
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1519851547.xml"
    3⤵
    - Creates scheduled task(s)
    PID:3164
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:4688
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:1104
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:748
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1662846998.xml"
    3⤵
    - Creates scheduled task(s)
    PID:736
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:4440
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:2692
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:3272
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\264786593.xml"
    3⤵
    - Creates scheduled task(s)
    PID:4720
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:2448
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:4548
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:2500
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1433365872.xml"
    3⤵
    - Creates scheduled task(s)
    PID:1696
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:4884
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:216
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:2156
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1995517360.xml"
    3⤵
    - Creates scheduled task(s)
    PID:1092
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:3520
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:4008
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:5068
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1787140920.xml"
    3⤵
    - Creates scheduled task(s)
    PID:4336
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:2624
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:4228
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:1200
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1930136371.xml"
    3⤵
    - Creates scheduled task(s)
    PID:1780
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:760
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:4672
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:1856
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\951232003.xml"
    3⤵
    - Creates scheduled task(s)
    PID:5104
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:4700
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:1044
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:4192
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\742855563.xml"
    3⤵
    - Creates scheduled task(s)
    PID:4280
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:740
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:3936
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:4992
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1305007051.xml"
    3⤵
    - Creates scheduled task(s)
    PID:2824
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:2880
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:1848
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:4660
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1448002502.xml"
    3⤵
    - Creates scheduled task(s)
    PID:3652
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:3544
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:5076
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:2212
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1239626062.xml"
    3⤵
    - Creates scheduled task(s)
    PID:3440
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:3268
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:4732
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:4336
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\612093585.xml"
    3⤵
    - Creates scheduled task(s)
    PID:772
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:3204
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:3500
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:912
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\403717145.xml"
    3⤵
    - Creates scheduled task(s)
    PID:4884
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:2028
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:372
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:4952
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\195340705.xml"
    3⤵
    - Creates scheduled task(s)
    PID:4424
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:4964
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:2812
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:4792
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\944763947.xml"
    3⤵
    - Creates scheduled task(s)
    PID:1568
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:2872
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:4808
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:408
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1694187189.xml"
    3⤵
    - Creates scheduled task(s)
    PID:5020
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:3816
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:2864
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:4884
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1066654712.xml"
    3⤵
    - Creates scheduled task(s)
    PID:2592
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:2500
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:5108
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:4184
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\439122235.xml"
    3⤵
    - Creates scheduled task(s)
    PID:1104
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:4016
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:4556
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:1676
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1959073405.xml"
    3⤵
    - Creates scheduled task(s)
    PID:2152
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:748
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:3736
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:4168
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\912384891.xml"
    3⤵
    - Creates scheduled task(s)
    PID:4820
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:2492
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:4788
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:3444
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1310436242.xml"
    3⤵
    - Creates scheduled task(s)
    PID:3652
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:3968
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:4924
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:2040
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1453431693.xml"
    3⤵
    - Creates scheduled task(s)
    PID:4848
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:2504
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:5048
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:2864
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\825899216.xml"
    3⤵
    PID:372
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:4504
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:3204
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:4424
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\198366739.xml"
    3⤵
    - Creates scheduled task(s)
    PID:1988
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:1104
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:4540
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:4396
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1718317909.xml"
    3⤵
    - Creates scheduled task(s)
    PID:2244
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:4936
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:1004
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:3356
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\2116369260.xml"
    3⤵
    - Creates scheduled task(s)
    PID:1080
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:3472
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:4728
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:5076
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1488836783.xml"
    3⤵
    - Creates scheduled task(s)
    PID:5004
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:1196
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:3652
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:4468
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1631832234.xml"
    3⤵
    - Creates scheduled task(s)
    PID:4184
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:3228
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:2748
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:4864
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1004299757.xml"
    3⤵
    - Creates scheduled task(s)
    PID:1180
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:536
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:5104
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:3520
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\376767280.xml"
    3⤵
    - Creates scheduled task(s)
    PID:760
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:2872
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:1156
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:2996
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\774818631.xml"
    3⤵
    PID:960
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:1032
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:2964
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:3956
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\917814082.xml"
    3⤵
    - Creates scheduled task(s)
    PID:344
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:4852
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:4992
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:216
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\290281605.xml"
    3⤵
    - Creates scheduled task(s)
    PID:1340
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:3168
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:3652
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:996
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\620548810.xml"
    3⤵
    - Creates scheduled task(s)
    PID:4184
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:4800
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:5076
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:2500
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\412172370.xml"
    3⤵
    PID:2368
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:4212
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:4784
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:2480
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\203795930.xml"
    3⤵
    - Creates scheduled task(s)
    PID:372
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:2776
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Delete /TN "Update\Update" /F
    3⤵
    PID:4228
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  PID:3896
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\346791381.xml"
    3⤵
    - Creates scheduled task(s)
    PID:4964

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4396,i,7012731823941922179,12386606396608877869,262144 --variations-seed-version --mojo-platform-channel-handle=4024 /prefetch:8
1⤵
PID:4720

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\393729515.xml

Filesize
1KB

MD5
a7fb023777f4d42ec05c11b7c6ec82bb

SHA1
d35868ee23222bfef6df032cf208b77f3e148653

SHA256
222b06061de519edc5a101bdacb944a7073f8ec57c8d0f1eb904fb48e631a021

SHA512
cc9706480d778f243837da91b9e7333b44850f866b1105db4d84b1dc31ad3b6b7feef8c2b00991939031161731b142a1d6fc3fbc5ea07a27a11c2e99d2be1de4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Update.txt

Filesize
94B

MD5
a47ad731208af0f276d7a8802bab01f5

SHA1
faf347c81b594085a009399d3883fa8a20eee319

SHA256
d661a2aee5e6e64f31a8dbd94817b450dcfe1f9df4190ea1b5848ad549fc6102

SHA512
c7093b87ee357da43aca38e5e4b110bff70eee75fbd3ba53e4039487dccb784b84e2f551ddaf19d30d1c6e8547dd532101be9e3cc48f00b6109ab5da775f5f30

Download Submit
memory/228-0-0x0000000075542000-0x0000000075543000-memory.dmp

Filesize
4KB

Download
memory/228-1-0x0000000075540000-0x0000000075AF1000-memory.dmp

Filesize
5.7MB

Download
memory/228-2-0x0000000075540000-0x0000000075AF1000-memory.dmp

Filesize
5.7MB

Download
memory/228-37-0x0000000075542000-0x0000000075543000-memory.dmp

Filesize
4KB

Download
memory/228-38-0x0000000075540000-0x0000000075AF1000-memory.dmp

Filesize
5.7MB

Download
memory/228-45-0x0000000075540000-0x0000000075AF1000-memory.dmp

Filesize
5.7MB

Download
memory/1456-6-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1456-14-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1456-10-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1456-11-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download