netwire | 5ec42fc9a07d686e27446b78cb39d4828e4f18deb83e24a3ca8eee20cb413697

Analysis

max time kernel
151s
max time network
124s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
19-05-2024 00:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

57a2d46109c29a9ce0b3716aee6b3d22_JaffaCakes118.exe
Size

180KB
MD5

57a2d46109c29a9ce0b3716aee6b3d22
SHA1

8d3164d6108ab238f91315c0a48bf8a513b3f7f8
SHA256

5ec42fc9a07d686e27446b78cb39d4828e4f18deb83e24a3ca8eee20cb413697
SHA512

d2ce5d3470a1bd05e6f4266497437e300d5272d12055270c779b84fbb700179a9c283e1b62edc42a5c27cdc7be7d4389514f3e0a8c6cb2d40324699d7bab5deb
SSDEEP

3072:KTNpNIUUWHauma5lHGW+yyoiWWPOecQdmeQ2zQWiLguMh1v14WujlRdztVVfgfmZ:KTN/dUW6ux3GW3yJPOBQdm0qMD1v1vuP

Score

10^/10

netwire botnet rat stealer upx

Malware Config

Extracted

Family

netwire

wealthyman.ddns.net:39560

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
sunshineslisa
keylogger_dir
%AppData%\Logs\Imgburn\
lock_executable
false
offline_keylogger
true
password
sucess
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 2 IoCs

rat

resource	yara_rule
behavioral1/memory/2604-20-0x0000000000400000-0x000000000042F000-memory.dmp	netwire
behavioral1/memory/2604-33-0x0000000000400000-0x000000000042F000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

UPX packed file 7 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2604-12-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2604-14-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2604-17-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2604-18-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2604-19-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2604-20-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral1/memory/2604-33-0x0000000000400000-0x000000000042F000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2936 set thread context of 2604	2936	Java.exe	37

Creates scheduled task(s) 1 TTPs 57 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
1788	schtasks.exe
2060	schtasks.exe
292	schtasks.exe
2328	schtasks.exe
2188	schtasks.exe
2404	schtasks.exe
2612	schtasks.exe
656	schtasks.exe
864	schtasks.exe
2952	schtasks.exe
2436	schtasks.exe
2932	schtasks.exe
1964	schtasks.exe
2756	schtasks.exe
1004	schtasks.exe
1592	schtasks.exe
2244	schtasks.exe
2764	schtasks.exe
1104	schtasks.exe
1776	schtasks.exe
1860	schtasks.exe
1580	schtasks.exe
2152	schtasks.exe
2784	schtasks.exe
2428	schtasks.exe
2500	schtasks.exe
2648	schtasks.exe
1480	schtasks.exe
1664	schtasks.exe
2512	schtasks.exe
2560	schtasks.exe
2216	schtasks.exe
2648	schtasks.exe
2568	schtasks.exe
2624	schtasks.exe
2544	schtasks.exe
2232	schtasks.exe
1676	schtasks.exe
2264	schtasks.exe
1820	schtasks.exe
2860	schtasks.exe
2032	schtasks.exe
948	schtasks.exe
1376	schtasks.exe
1156	schtasks.exe
2232	schtasks.exe
2136	schtasks.exe
2108	schtasks.exe
1288	schtasks.exe
1376	schtasks.exe
2884	schtasks.exe
1400	schtasks.exe
372	schtasks.exe
528	schtasks.exe
1652	schtasks.exe
936	schtasks.exe
800	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2936	Java.exe
2936	Java.exe
2936	Java.exe
2936	Java.exe
2936	Java.exe
2936	Java.exe
2936	Java.exe
2936	Java.exe
2936	Java.exe
2936	Java.exe
2936	Java.exe
2936	Java.exe
2936	Java.exe
2936	Java.exe
2936	Java.exe
2936	Java.exe
2936	Java.exe
2936	Java.exe
2936	Java.exe
2936	Java.exe
2936	Java.exe
2936	Java.exe
2936	Java.exe
2936	Java.exe
2936	Java.exe
2936	Java.exe
2936	Java.exe
2936	Java.exe
2936	Java.exe
2936	Java.exe
2936	Java.exe
2936	Java.exe
2936	Java.exe
2936	Java.exe
2936	Java.exe
2936	Java.exe
2936	Java.exe
2936	Java.exe
2936	Java.exe
2936	Java.exe
2936	Java.exe
2936	Java.exe
2936	Java.exe
2936	Java.exe
2936	Java.exe
2936	Java.exe
2936	Java.exe
2936	Java.exe
2936	Java.exe
2936	Java.exe
2936	Java.exe
2936	Java.exe
2936	Java.exe
2936	Java.exe
2936	Java.exe
2936	Java.exe
2936	Java.exe
2936	Java.exe
2936	Java.exe
2936	Java.exe
2936	Java.exe
2936	Java.exe
2936	Java.exe
2936	Java.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
2504	57a2d46109c29a9ce0b3716aee6b3d22_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2504	57a2d46109c29a9ce0b3716aee6b3d22_JaffaCakes118.exe
Token: SeDebugPrivilege	2936	Java.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2504 wrote to memory of 2032	2504	57a2d46109c29a9ce0b3716aee6b3d22_JaffaCakes118.exe	28
PID 2504 wrote to memory of 2032	2504	57a2d46109c29a9ce0b3716aee6b3d22_JaffaCakes118.exe	28
PID 2504 wrote to memory of 2032	2504	57a2d46109c29a9ce0b3716aee6b3d22_JaffaCakes118.exe	28
PID 2504 wrote to memory of 2032	2504	57a2d46109c29a9ce0b3716aee6b3d22_JaffaCakes118.exe	28
PID 2032 wrote to memory of 2936	2032	cmd.exe	30
PID 2032 wrote to memory of 2936	2032	cmd.exe	30
PID 2032 wrote to memory of 2936	2032	cmd.exe	30
PID 2032 wrote to memory of 2936	2032	cmd.exe	30
PID 2032 wrote to memory of 2936	2032	cmd.exe	30
PID 2032 wrote to memory of 2936	2032	cmd.exe	30
PID 2032 wrote to memory of 2936	2032	cmd.exe	30
PID 2936 wrote to memory of 2672	2936	Java.exe	31
PID 2936 wrote to memory of 2672	2936	Java.exe	31
PID 2936 wrote to memory of 2672	2936	Java.exe	31
PID 2936 wrote to memory of 2672	2936	Java.exe	31
PID 2672 wrote to memory of 2548	2672	cmd.exe	33
PID 2672 wrote to memory of 2548	2672	cmd.exe	33
PID 2672 wrote to memory of 2548	2672	cmd.exe	33
PID 2672 wrote to memory of 2548	2672	cmd.exe	33
PID 2936 wrote to memory of 2704	2936	Java.exe	34
PID 2936 wrote to memory of 2704	2936	Java.exe	34
PID 2936 wrote to memory of 2704	2936	Java.exe	34
PID 2936 wrote to memory of 2704	2936	Java.exe	34
PID 2704 wrote to memory of 2932	2704	cmd.exe	36
PID 2704 wrote to memory of 2932	2704	cmd.exe	36
PID 2704 wrote to memory of 2932	2704	cmd.exe	36
PID 2704 wrote to memory of 2932	2704	cmd.exe	36
PID 2936 wrote to memory of 2604	2936	Java.exe	37
PID 2936 wrote to memory of 2604	2936	Java.exe	37
PID 2936 wrote to memory of 2604	2936	Java.exe	37
PID 2936 wrote to memory of 2604	2936	Java.exe	37
PID 2936 wrote to memory of 2604	2936	Java.exe	37
PID 2936 wrote to memory of 2604	2936	Java.exe	37
PID 2936 wrote to memory of 2604	2936	Java.exe	37
PID 2936 wrote to memory of 2604	2936	Java.exe	37
PID 2936 wrote to memory of 2472	2936	Java.exe	38
PID 2936 wrote to memory of 2472	2936	Java.exe	38
PID 2936 wrote to memory of 2472	2936	Java.exe	38
PID 2936 wrote to memory of 2472	2936	Java.exe	38
PID 2472 wrote to memory of 2420	2472	cmd.exe	40
PID 2472 wrote to memory of 2420	2472	cmd.exe	40
PID 2472 wrote to memory of 2420	2472	cmd.exe	40
PID 2472 wrote to memory of 2420	2472	cmd.exe	40
PID 2936 wrote to memory of 2468	2936	Java.exe	41
PID 2936 wrote to memory of 2468	2936	Java.exe	41
PID 2936 wrote to memory of 2468	2936	Java.exe	41
PID 2936 wrote to memory of 2468	2936	Java.exe	41
PID 2468 wrote to memory of 2544	2468	cmd.exe	43
PID 2468 wrote to memory of 2544	2468	cmd.exe	43
PID 2468 wrote to memory of 2544	2468	cmd.exe	43
PID 2468 wrote to memory of 2544	2468	cmd.exe	43
PID 2936 wrote to memory of 3040	2936	Java.exe	44
PID 2936 wrote to memory of 3040	2936	Java.exe	44
PID 2936 wrote to memory of 3040	2936	Java.exe	44
PID 2936 wrote to memory of 3040	2936	Java.exe	44
PID 3040 wrote to memory of 752	3040	cmd.exe	46
PID 3040 wrote to memory of 752	3040	cmd.exe	46
PID 3040 wrote to memory of 752	3040	cmd.exe	46
PID 3040 wrote to memory of 752	3040	cmd.exe	46
PID 2936 wrote to memory of 860	2936	Java.exe	47
PID 2936 wrote to memory of 860	2936	Java.exe	47
PID 2936 wrote to memory of 860	2936	Java.exe	47
PID 2936 wrote to memory of 860	2936	Java.exe	47
PID 860 wrote to memory of 800	860	cmd.exe	49

C:\Users\Admin\AppData\Local\Temp\57a2d46109c29a9ce0b3716aee6b3d22_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\57a2d46109c29a9ce0b3716aee6b3d22_JaffaCakes118.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2504
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Users\Admin\AppData\Roaming\Java.exe
    "C:\Users\Admin\AppData\Roaming\Java.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2672
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:2548
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\830565045.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:2932
  - - C:\Windows\Microsoft.net\Framework\v2.0.50727\vbc.exe
      "C:\Users\Admin\AppData\Roaming\Java.exe"
      4⤵
      PID:2604
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2472
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:2420
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2468
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\1214266417.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:2544
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3040
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:752
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:860
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\1375241370.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:800
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:588
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:2352
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:532
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\1318513906.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:1860
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:920
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:1628
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2412
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\2032314370.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:2648
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:756
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:292
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:1820
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\1701157025.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:2216
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:1240
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:2384
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2132
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\35589559.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:1480
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:832
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:2212
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:1788
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\2119254809.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:2612
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2800
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:1196
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:3000
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\312926936.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:528
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:1152
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:2320
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:400
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\794843117.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:2232
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:1384
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:1844
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:1864
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\670331507.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:1376
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:1476
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:1660
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:1668
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\1976377896.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:1664
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2840
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:1148
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2108
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\1500494395.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:2328
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:668
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:2768
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:1136
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\1862922968.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:2764
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:1912
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:2244
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2760
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\1574311221.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:1580
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2972
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:2308
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2856
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\679271683.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:2152
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2576
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:2584
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2160
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\1580343901.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:2512
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2424
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:2444
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:1324
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\146660718.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:2436
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2236
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:2544
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2468
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\209420862.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:2860
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:1552
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:1044
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:1544
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\2068292762.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:1652
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:1804
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:2352
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:3040
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\754097187.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:1288
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:904
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:1628
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2620
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\345997832.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:2648
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:928
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:1812
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:644
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\408757976.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:292
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:1968
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:1268
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:1240
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\464427187.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:2136
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2960
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:3028
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2464
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\580789611.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:1788
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:3024
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:1196
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:476
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\1833233720.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:2952
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:320
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:620
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2028
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\586822291.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:2232
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2268
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:1100
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:1304
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\1061647539.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:1376
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2984
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:1800
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2660
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\1962719757.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:2784
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2364
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:2356
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2976
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\290061358.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:1676
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2088
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:2328
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:1564
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\165549748.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:2884
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2816
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:668
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:868
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\1904934040.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:1964
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:1576
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:2760
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2916
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\164491495.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:2568
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2972
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:2548
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2776
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\1058472780.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:2756
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2160
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:1344
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2224
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\1952454065.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:2428
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:1324
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:2488
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2476
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\937926919.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:1004
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2468
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:552
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:680
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\1838999137.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:1400
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:1552
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:1796
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:1860
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\943959599.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:2188
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:940
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:2624
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:280
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\1845031817.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:2264
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:904
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:1036
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:1944
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\1975576107.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:1820
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2216
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:2644
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2116
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\1499692606.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:1104
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:1240
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:1604
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:820
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\1442965142.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:372
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:3052
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:1788
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2960
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\1191874991.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:656
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2988
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:3024
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2700
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\2092947209.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:936
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:1152
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:2004
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:620
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\846535780.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:1156
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:1864
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:824
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:1100
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\363561346.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:1776
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:1660
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:1916
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:1828
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\1384121172.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:948
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2868
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:1676
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2364
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\257197351.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:2108
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:3048
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:2884
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:1564
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\80982279.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:1592
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2388
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:1584
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:868
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\1333426388.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:2244
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:916
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:1912
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2684
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\925327033.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:2032
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2152
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:2708
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2716
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\800815423.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:2060
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2512
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:2576
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2440
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\1821375249.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:2560
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2444
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:2844
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2892
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\1211822274.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:2500
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2488
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:2236
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2848
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\1761522601.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:2404
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:680
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:1348
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:752
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\1217854954.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:864
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:1796
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:1284
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:1684
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\1161127490.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:2624

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\830565045.xml

Filesize
1KB

MD5
7a004a9b4cb7490775ccae837becb3c3

SHA1
abf1e7776e5bf46437ff277369564e194045aef2

SHA256
ea9e28079f155dab828da5d443f1db13edbdef523a2d8bec8de8935e798c3d50

SHA512
c76199fe3830a6a05cdddfdf274590e1f7fec69e327a5a4bf7c4f51a63bcc56fff20be79b375da76145f2ed0d9b9de106deb5c97e34c4f94dc8b8b1068435e18

Download Submit
C:\Users\Admin\AppData\Local\Temp\Java Update .txt

Filesize
51B

MD5
fcf88665b463838d8db2c6772af1c882

SHA1
326c6eb8af5714cb918e4555314605524e126c78

SHA256
71967fcad94686cec520c1e85ee41c453ea2768eee5c1e1bef74d431977a31ba

SHA512
32d700c11b2e280c031bda0f9b80db8ceb8b916a9c8bc25852418ae9bcc1b394c76251407d515aad272a16dc4b10283484256d8ad64691ca9a73092d8217d547

Download Submit
memory/2504-1-0x0000000073F20000-0x00000000744CB000-memory.dmp

Filesize
5.7MB

Download
memory/2504-2-0x0000000073F20000-0x00000000744CB000-memory.dmp

Filesize
5.7MB

Download
memory/2504-3-0x0000000073F20000-0x00000000744CB000-memory.dmp

Filesize
5.7MB

Download
memory/2504-0-0x0000000073F21000-0x0000000073F22000-memory.dmp

Filesize
4KB

Download
memory/2604-10-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2604-12-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2604-14-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2604-16-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2604-17-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2604-18-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2604-19-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2604-20-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2604-33-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/2936-6-0x0000000073F20000-0x00000000744CB000-memory.dmp

Filesize
5.7MB

Download
memory/2936-5-0x0000000073F20000-0x00000000744CB000-memory.dmp

Filesize
5.7MB

Download
memory/2936-4-0x0000000073F20000-0x00000000744CB000-memory.dmp

Filesize
5.7MB

Download
memory/2936-44-0x0000000073F20000-0x00000000744CB000-memory.dmp

Filesize
5.7MB

Download