netwire | 5ec42fc9a07d686e27446b78cb39d4828e4f18deb83e24a3ca8eee20cb413697

Analysis

max time kernel
153s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
19-05-2024 00:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

57a2d46109c29a9ce0b3716aee6b3d22_JaffaCakes118.exe
Size

180KB
MD5

57a2d46109c29a9ce0b3716aee6b3d22
SHA1

8d3164d6108ab238f91315c0a48bf8a513b3f7f8
SHA256

5ec42fc9a07d686e27446b78cb39d4828e4f18deb83e24a3ca8eee20cb413697
SHA512

d2ce5d3470a1bd05e6f4266497437e300d5272d12055270c779b84fbb700179a9c283e1b62edc42a5c27cdc7be7d4389514f3e0a8c6cb2d40324699d7bab5deb
SSDEEP

3072:KTNpNIUUWHauma5lHGW+yyoiWWPOecQdmeQ2zQWiLguMh1v14WujlRdztVVfgfmZ:KTN/dUW6ux3GW3yJPOBQdm0qMD1v1vuP

Score

10^/10

netwire botnet rat stealer upx

Malware Config

Extracted

Family

netwire

wealthyman.ddns.net:39560

Attributes

activex_autorun
false
copy_executable
false
delete_original
false
host_id
sunshineslisa
keylogger_dir
%AppData%\Logs\Imgburn\
lock_executable
false
offline_keylogger
true
password
sucess
registry_autorun
false
use_mutex
false

Signatures

NetWire RAT payload 3 IoCs

rat

resource	yara_rule
behavioral2/memory/3348-18-0x0000000000400000-0x000000000042F000-memory.dmp	netwire
behavioral2/memory/3348-19-0x0000000000400000-0x000000000042F000-memory.dmp	netwire
behavioral2/memory/3348-30-0x0000000000400000-0x000000000042F000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

UPX packed file 5 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral2/memory/3348-13-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/memory/3348-17-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/memory/3348-18-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/memory/3348-19-0x0000000000400000-0x000000000042F000-memory.dmp	upx
behavioral2/memory/3348-30-0x0000000000400000-0x000000000042F000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1756 set thread context of 3348	1756	Java.exe	104

Creates scheduled task(s) 1 TTPs 38 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
4400	schtasks.exe
3544	schtasks.exe
1980	schtasks.exe
4920	schtasks.exe
552	schtasks.exe
1616	schtasks.exe
1704	schtasks.exe
4804	schtasks.exe
232	schtasks.exe
4736	schtasks.exe
4008	schtasks.exe
2756	schtasks.exe
3984	schtasks.exe
4020	schtasks.exe
2204	schtasks.exe
2788	schtasks.exe
3184	schtasks.exe
4564	schtasks.exe
2612	schtasks.exe
4848	schtasks.exe
3400	schtasks.exe
4736	schtasks.exe
3724	schtasks.exe
3308	schtasks.exe
2136	schtasks.exe
4728	schtasks.exe
4952	schtasks.exe
3284	schtasks.exe
4920	schtasks.exe
3284	schtasks.exe
3544	schtasks.exe
708	schtasks.exe
4632	schtasks.exe
4992	schtasks.exe
3040	schtasks.exe
3648	schtasks.exe
4808	schtasks.exe
3656	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1756	Java.exe
1756	Java.exe
1756	Java.exe
1756	Java.exe
1756	Java.exe
1756	Java.exe
1756	Java.exe
1756	Java.exe
1756	Java.exe
1756	Java.exe
1756	Java.exe
1756	Java.exe
1756	Java.exe
1756	Java.exe
1756	Java.exe
1756	Java.exe
1756	Java.exe
1756	Java.exe
1756	Java.exe
1756	Java.exe
1756	Java.exe
1756	Java.exe
1756	Java.exe
1756	Java.exe
1756	Java.exe
1756	Java.exe
1756	Java.exe
1756	Java.exe
1756	Java.exe
1756	Java.exe
1756	Java.exe
1756	Java.exe
1756	Java.exe
1756	Java.exe
1756	Java.exe
1756	Java.exe
1756	Java.exe
1756	Java.exe
1756	Java.exe
1756	Java.exe
1756	Java.exe
1756	Java.exe
1756	Java.exe
1756	Java.exe
1756	Java.exe
1756	Java.exe
1756	Java.exe
1756	Java.exe
1756	Java.exe
1756	Java.exe
1756	Java.exe
1756	Java.exe
1756	Java.exe
1756	Java.exe
1756	Java.exe
1756	Java.exe
1756	Java.exe
1756	Java.exe
1756	Java.exe
1756	Java.exe
1756	Java.exe
1756	Java.exe
1756	Java.exe
1756	Java.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
4176	57a2d46109c29a9ce0b3716aee6b3d22_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	4176	57a2d46109c29a9ce0b3716aee6b3d22_JaffaCakes118.exe
Token: SeDebugPrivilege	1756	Java.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4176 wrote to memory of 2448	4176	57a2d46109c29a9ce0b3716aee6b3d22_JaffaCakes118.exe	95
PID 4176 wrote to memory of 2448	4176	57a2d46109c29a9ce0b3716aee6b3d22_JaffaCakes118.exe	95
PID 4176 wrote to memory of 2448	4176	57a2d46109c29a9ce0b3716aee6b3d22_JaffaCakes118.exe	95
PID 2448 wrote to memory of 1756	2448	cmd.exe	97
PID 2448 wrote to memory of 1756	2448	cmd.exe	97
PID 2448 wrote to memory of 1756	2448	cmd.exe	97
PID 1756 wrote to memory of 4524	1756	Java.exe	98
PID 1756 wrote to memory of 4524	1756	Java.exe	98
PID 1756 wrote to memory of 4524	1756	Java.exe	98
PID 4524 wrote to memory of 3588	4524	cmd.exe	100
PID 4524 wrote to memory of 3588	4524	cmd.exe	100
PID 4524 wrote to memory of 3588	4524	cmd.exe	100
PID 1756 wrote to memory of 3236	1756	Java.exe	101
PID 1756 wrote to memory of 3236	1756	Java.exe	101
PID 1756 wrote to memory of 3236	1756	Java.exe	101
PID 3236 wrote to memory of 708	3236	cmd.exe	103
PID 3236 wrote to memory of 708	3236	cmd.exe	103
PID 3236 wrote to memory of 708	3236	cmd.exe	103
PID 1756 wrote to memory of 3348	1756	Java.exe	104
PID 1756 wrote to memory of 3348	1756	Java.exe	104
PID 1756 wrote to memory of 3348	1756	Java.exe	104
PID 1756 wrote to memory of 3348	1756	Java.exe	104
PID 1756 wrote to memory of 3348	1756	Java.exe	104
PID 1756 wrote to memory of 3348	1756	Java.exe	104
PID 1756 wrote to memory of 3348	1756	Java.exe	104
PID 1756 wrote to memory of 3348	1756	Java.exe	104
PID 1756 wrote to memory of 1516	1756	Java.exe	105
PID 1756 wrote to memory of 1516	1756	Java.exe	105
PID 1756 wrote to memory of 1516	1756	Java.exe	105
PID 1516 wrote to memory of 400	1516	cmd.exe	107
PID 1516 wrote to memory of 400	1516	cmd.exe	107
PID 1516 wrote to memory of 400	1516	cmd.exe	107
PID 1756 wrote to memory of 2156	1756	Java.exe	108
PID 1756 wrote to memory of 2156	1756	Java.exe	108
PID 1756 wrote to memory of 2156	1756	Java.exe	108
PID 2156 wrote to memory of 4632	2156	cmd.exe	110
PID 2156 wrote to memory of 4632	2156	cmd.exe	110
PID 2156 wrote to memory of 4632	2156	cmd.exe	110
PID 1756 wrote to memory of 4736	1756	Java.exe	111
PID 1756 wrote to memory of 4736	1756	Java.exe	111
PID 1756 wrote to memory of 4736	1756	Java.exe	111
PID 4736 wrote to memory of 4320	4736	cmd.exe	113
PID 4736 wrote to memory of 4320	4736	cmd.exe	113
PID 4736 wrote to memory of 4320	4736	cmd.exe	113
PID 1756 wrote to memory of 4824	1756	Java.exe	114
PID 1756 wrote to memory of 4824	1756	Java.exe	114
PID 1756 wrote to memory of 4824	1756	Java.exe	114
PID 4824 wrote to memory of 4400	4824	cmd.exe	116
PID 4824 wrote to memory of 4400	4824	cmd.exe	116
PID 4824 wrote to memory of 4400	4824	cmd.exe	116
PID 1756 wrote to memory of 3148	1756	Java.exe	117
PID 1756 wrote to memory of 3148	1756	Java.exe	117
PID 1756 wrote to memory of 3148	1756	Java.exe	117
PID 3148 wrote to memory of 1964	3148	cmd.exe	119
PID 3148 wrote to memory of 1964	3148	cmd.exe	119
PID 3148 wrote to memory of 1964	3148	cmd.exe	119
PID 1756 wrote to memory of 4676	1756	Java.exe	120
PID 1756 wrote to memory of 4676	1756	Java.exe	120
PID 1756 wrote to memory of 4676	1756	Java.exe	120
PID 4676 wrote to memory of 4564	4676	cmd.exe	122
PID 4676 wrote to memory of 4564	4676	cmd.exe	122
PID 4676 wrote to memory of 4564	4676	cmd.exe	122
PID 1756 wrote to memory of 2592	1756	Java.exe	125
PID 1756 wrote to memory of 2592	1756	Java.exe	125

C:\Users\Admin\AppData\Local\Temp\57a2d46109c29a9ce0b3716aee6b3d22_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\57a2d46109c29a9ce0b3716aee6b3d22_JaffaCakes118.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4176
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Users\Admin\AppData\Roaming\Java.exe
    "C:\Users\Admin\AppData\Roaming\Java.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1756
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4524
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:3588
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3236
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\109893895.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:708
  - - C:\Windows\Microsoft.net\Framework\v2.0.50727\vbc.exe
      "C:\Users\Admin\AppData\Roaming\Java.exe"
      4⤵
      PID:3348
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1516
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:400
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2156
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\1547879053.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:4632
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4736
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:4320
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4824
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\419224527.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:4400
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3148
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:1964
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4676
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\974285082.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:4564
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2592
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:2928
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:652
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\1948501674.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:4804
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:1508
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:3720
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2772
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\826938081.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:232
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2376
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:984
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:4656
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\1381998636.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:4992
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2612
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:1408
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2108
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\21459827.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:3040
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:3084
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:4832
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:3192
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\389248628.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:4736
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:4848
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:4428
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:4412
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\1670224582.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:4008
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:5068
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:3728
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:4804
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\728841810.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:4952
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:3428
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:3828
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:232
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\1635274256.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:3544
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:1128
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:1808
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:984
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\274735447.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:3308
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:664
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:1980
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2612
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\1368439647.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:2756
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:3336
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:1696
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:1092
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\666032091.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:3400
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:4912
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:1616
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:4428
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\1408364400.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:3284
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:4412
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:2668
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:4508
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\818353519.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:4920
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:1732
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:3724
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2200
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\954258037.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:3648
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:1532
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:680
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:692
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\1860690483.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:3984
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:1248
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:3112
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:3176
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\268267391.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:1980
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:1928
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:2488
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:4312
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\2132499519.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:4736
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:1168
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:5032
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:1620
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\1917032146.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:3284
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2384
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:2356
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2592
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\256824908.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:4920
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2924
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:5084
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:4480
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\999157217.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:3724
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:1400
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:1704
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:4524
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\1067277589.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:2136
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2368
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:1408
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2720
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\1390453861.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:2612
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:1980
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:3288
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2432
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\755830451.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:4808
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:4832
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:3060
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:1380
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\1781750505.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:4728
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:1616
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:1168
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2172
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\959855341.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:3656
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2788
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:3944
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:4920
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\2053559541.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:4020
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:1220
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:232
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:3828
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\999780094.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:3544
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:3524
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:3984
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:3464
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\1554840649.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:1704
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:508
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:1124
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:1408
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\1690745167.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:552
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:4396
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:5008
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:4016
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\442603033.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:2204
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:1692
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:5012
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:3548
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\929879442.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:4848
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:1620
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:1600
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:4584
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\482527786.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:1616
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:1812
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:3728
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:720
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\969804195.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:2788
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:4124
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update " /F
        5⤵
        
        PID:2924
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:1824
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update " /XML "C:\Users\Admin\AppData\Local\Temp\1105708713.xml"
        5⤵
        Creates scheduled task(s)
        
        PID:3184

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4120 --field-trial-handle=2280,i,4114443225282860369,4764091921472631035,262144 --variations-seed-version /prefetch:8
1⤵
PID:4324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scripting

T1064

Persistence

Scheduled Task/Job

T1053

Privilege Escalation

Scheduled Task/Job

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\109893895.xml

Filesize
1KB

MD5
f85530fd49aea56f6ce26a289fa4a788

SHA1
3338ea3278fb39774f7dbd8c331728a198ae198a

SHA256
4446f776ac0ecb35dbd5e54519c3ab50c2e3797f8830624fba58de25e97bc3b3

SHA512
e73f19a4454f85decfbae6f165b079220553129550e7d85585bd1d242415674c867f1a50157ad7179b18601fa1761f67030a40bf88df2be59ceeda9d248f32db

Download Submit
C:\Users\Admin\AppData\Local\Temp\Java Update .txt

Filesize
51B

MD5
fcf88665b463838d8db2c6772af1c882

SHA1
326c6eb8af5714cb918e4555314605524e126c78

SHA256
71967fcad94686cec520c1e85ee41c453ea2768eee5c1e1bef74d431977a31ba

SHA512
32d700c11b2e280c031bda0f9b80db8ceb8b916a9c8bc25852418ae9bcc1b394c76251407d515aad272a16dc4b10283484256d8ad64691ca9a73092d8217d547

Download Submit
memory/1756-42-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/1756-38-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/1756-34-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/1756-7-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/1756-8-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/3348-18-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3348-30-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3348-19-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3348-13-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/3348-17-0x0000000000400000-0x000000000042F000-memory.dmp

Filesize
188KB

Download
memory/4176-4-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/4176-11-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/4176-5-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/4176-0-0x0000000074CA2000-0x0000000074CA3000-memory.dmp

Filesize
4KB

Download
memory/4176-3-0x0000000074CA2000-0x0000000074CA3000-memory.dmp

Filesize
4KB

Download
memory/4176-2-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download
memory/4176-1-0x0000000074CA0000-0x0000000075251000-memory.dmp

Filesize
5.7MB

Download