b44ce57bcff9bc4c9cbe79fb31be96ed804f73bb1720876fe8bb84c399c40312

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
21/07/2024, 21:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61640faa3e35e0c43ea9d46fa945a8fa_JaffaCakes118.exe
Size

1.5MB
MD5

61640faa3e35e0c43ea9d46fa945a8fa
SHA1

df716eff523ec5630899a9a6e453c84da92f4ddd
SHA256

b44ce57bcff9bc4c9cbe79fb31be96ed804f73bb1720876fe8bb84c399c40312
SHA512

e11b1ba235ad7f669bcb963d8ae75160798064549b8bc6d54f7622d59dfaf8594ae00f82fa3f0acbf92ec3f782708f13bcd4ddde19ba14b8a565ecdba5c2f2ba
SSDEEP

24576:9i9deVMdRnYcRnYaRnY2RnYKRnYrRnYERnYB:9m1dRnYcRnYaRnY2RnYKRnYrRnYERnY

Score

7^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	_rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	_rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	_rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	61640faa3e35e0c43ea9d46fa945a8fa_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	_rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	_rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	_rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	_rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	_rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	_rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	_rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	_rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	_rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	_rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	_rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	_rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	_rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	_rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	_rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	_rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	_rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	_rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	_rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	_rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	_rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	_rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	_rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	_rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	_rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	_rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	rootsupd.exe.exe
Key value queried	\REGISTRY\USER\S-1-5-21-384068567-2943195810-3631207890-1000\Control Panel\International\Geo\Nation	rootsupd.exe.exe

Executes dropped EXE 64 IoCs

pid	Process
4992	rootsupd.exe.exe
2488	_rootsupd.exe.exe
2916	rootsupd.exe.exe
2196	_rootsupd.exe.exe
4548	rootsupd.exe.exe
3712	_rootsupd.exe.exe
3604	rootsupd.exe.exe
5032	_rootsupd.exe.exe
1788	rootsupd.exe.exe
3528	_rootsupd.exe.exe
1924	rootsupd.exe.exe
2052	_rootsupd.exe.exe
1708	rootsupd.exe.exe
3028	_rootsupd.exe.exe
5036	rootsupd.exe.exe
5024	_rootsupd.exe.exe
4984	rootsupd.exe.exe
1928	_rootsupd.exe.exe
228	rootsupd.exe.exe
1992	_rootsupd.exe.exe
3004	rootsupd.exe.exe
5228	_rootsupd.exe.exe
5352	rootsupd.exe.exe
5472	_rootsupd.exe.exe
5564	rootsupd.exe.exe
5636	_rootsupd.exe.exe
5720	rootsupd.exe.exe
5804	_rootsupd.exe.exe
5880	rootsupd.exe.exe
5960	_rootsupd.exe.exe
6032	rootsupd.exe.exe
6104	_rootsupd.exe.exe
5644	rootsupd.exe.exe
6188	_rootsupd.exe.exe
6268	rootsupd.exe.exe
6340	_rootsupd.exe.exe
6412	rootsupd.exe.exe
6492	_rootsupd.exe.exe
6564	rootsupd.exe.exe
6644	_rootsupd.exe.exe
6744	rootsupd.exe.exe
6820	_rootsupd.exe.exe
6892	rootsupd.exe.exe
6964	_rootsupd.exe.exe
7036	rootsupd.exe.exe
7116	_rootsupd.exe.exe
6420	rootsupd.exe.exe
7188	_rootsupd.exe.exe
7264	rootsupd.exe.exe
7336	_rootsupd.exe.exe
7412	rootsupd.exe.exe
7484	_rootsupd.exe.exe
7564	rootsupd.exe.exe
7640	_rootsupd.exe.exe
7716	rootsupd.exe.exe
7788	_rootsupd.exe.exe
7860	rootsupd.exe.exe
7992	_rootsupd.exe.exe
8068	rootsupd.exe.exe
8140	_rootsupd.exe.exe
7492	rootsupd.exe.exe
2752	_rootsupd.exe.exe
8076	rootsupd.exe.exe
8244	_rootsupd.exe.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	4884	61640faa3e35e0c43ea9d46fa945a8fa_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4884 wrote to memory of 4992	4884	61640faa3e35e0c43ea9d46fa945a8fa_JaffaCakes118.exe	86
PID 4884 wrote to memory of 4992	4884	61640faa3e35e0c43ea9d46fa945a8fa_JaffaCakes118.exe	86
PID 4992 wrote to memory of 2488	4992	rootsupd.exe.exe	87
PID 4992 wrote to memory of 2488	4992	rootsupd.exe.exe	87
PID 2488 wrote to memory of 2916	2488	_rootsupd.exe.exe	89
PID 2488 wrote to memory of 2916	2488	_rootsupd.exe.exe	89
PID 2916 wrote to memory of 2196	2916	rootsupd.exe.exe	91
PID 2916 wrote to memory of 2196	2916	rootsupd.exe.exe	91
PID 2196 wrote to memory of 4548	2196	_rootsupd.exe.exe	92
PID 2196 wrote to memory of 4548	2196	_rootsupd.exe.exe	92
PID 4548 wrote to memory of 3712	4548	rootsupd.exe.exe	93
PID 4548 wrote to memory of 3712	4548	rootsupd.exe.exe	93
PID 3712 wrote to memory of 3604	3712	_rootsupd.exe.exe	95
PID 3712 wrote to memory of 3604	3712	_rootsupd.exe.exe	95
PID 3604 wrote to memory of 5032	3604	rootsupd.exe.exe	96
PID 3604 wrote to memory of 5032	3604	rootsupd.exe.exe	96
PID 5032 wrote to memory of 1788	5032	_rootsupd.exe.exe	97
PID 5032 wrote to memory of 1788	5032	_rootsupd.exe.exe	97
PID 1788 wrote to memory of 3528	1788	rootsupd.exe.exe	98
PID 1788 wrote to memory of 3528	1788	rootsupd.exe.exe	98
PID 3528 wrote to memory of 1924	3528	_rootsupd.exe.exe	99
PID 3528 wrote to memory of 1924	3528	_rootsupd.exe.exe	99
PID 1924 wrote to memory of 2052	1924	rootsupd.exe.exe	100
PID 1924 wrote to memory of 2052	1924	rootsupd.exe.exe	100
PID 2052 wrote to memory of 1708	2052	_rootsupd.exe.exe	101
PID 2052 wrote to memory of 1708	2052	_rootsupd.exe.exe	101
PID 1708 wrote to memory of 3028	1708	rootsupd.exe.exe	102
PID 1708 wrote to memory of 3028	1708	rootsupd.exe.exe	102
PID 3028 wrote to memory of 5036	3028	_rootsupd.exe.exe	105
PID 3028 wrote to memory of 5036	3028	_rootsupd.exe.exe	105
PID 5036 wrote to memory of 5024	5036	rootsupd.exe.exe	106
PID 5036 wrote to memory of 5024	5036	rootsupd.exe.exe	106
PID 5024 wrote to memory of 4984	5024	_rootsupd.exe.exe	107
PID 5024 wrote to memory of 4984	5024	_rootsupd.exe.exe	107
PID 4984 wrote to memory of 1928	4984	rootsupd.exe.exe	108
PID 4984 wrote to memory of 1928	4984	rootsupd.exe.exe	108
PID 1928 wrote to memory of 228	1928	_rootsupd.exe.exe	109
PID 1928 wrote to memory of 228	1928	_rootsupd.exe.exe	109
PID 228 wrote to memory of 1992	228	rootsupd.exe.exe	110
PID 228 wrote to memory of 1992	228	rootsupd.exe.exe	110
PID 1992 wrote to memory of 3004	1992	_rootsupd.exe.exe	111
PID 1992 wrote to memory of 3004	1992	_rootsupd.exe.exe	111
PID 3004 wrote to memory of 5228	3004	rootsupd.exe.exe	113
PID 3004 wrote to memory of 5228	3004	rootsupd.exe.exe	113
PID 5228 wrote to memory of 5352	5228	_rootsupd.exe.exe	115
PID 5228 wrote to memory of 5352	5228	_rootsupd.exe.exe	115
PID 5352 wrote to memory of 5472	5352	rootsupd.exe.exe	116
PID 5352 wrote to memory of 5472	5352	rootsupd.exe.exe	116
PID 5472 wrote to memory of 5564	5472	_rootsupd.exe.exe	117
PID 5472 wrote to memory of 5564	5472	_rootsupd.exe.exe	117
PID 5564 wrote to memory of 5636	5564	rootsupd.exe.exe	118
PID 5564 wrote to memory of 5636	5564	rootsupd.exe.exe	118
PID 5636 wrote to memory of 5720	5636	_rootsupd.exe.exe	119
PID 5636 wrote to memory of 5720	5636	_rootsupd.exe.exe	119
PID 5720 wrote to memory of 5804	5720	rootsupd.exe.exe	120
PID 5720 wrote to memory of 5804	5720	rootsupd.exe.exe	120
PID 5804 wrote to memory of 5880	5804	_rootsupd.exe.exe	121
PID 5804 wrote to memory of 5880	5804	_rootsupd.exe.exe	121
PID 5880 wrote to memory of 5960	5880	rootsupd.exe.exe	122
PID 5880 wrote to memory of 5960	5880	rootsupd.exe.exe	122
PID 5960 wrote to memory of 6032	5960	_rootsupd.exe.exe	123
PID 5960 wrote to memory of 6032	5960	_rootsupd.exe.exe	123
PID 6032 wrote to memory of 6104	6032	rootsupd.exe.exe	124
PID 6032 wrote to memory of 6104	6032	rootsupd.exe.exe	124

C:\Users\Admin\AppData\Local\Temp\61640faa3e35e0c43ea9d46fa945a8fa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\61640faa3e35e0c43ea9d46fa945a8fa_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4884
- C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
  "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4992
- - C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
    "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    PID:2488
  - - C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
      "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2916
    - - C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2196
      - C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4548
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3712
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3604
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5032
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1788
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3528
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1924
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:2052
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1708
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3028
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5036
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5024
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:4984
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1928
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        20⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:228
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        21⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:1992
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        22⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:3004
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5228
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        24⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5352
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5472
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        26⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5564
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5636
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        28⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5720
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        29⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5804
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        30⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5880
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:5960
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        32⤵
        Executes dropped EXE
        Suspicious use of WriteProcessMemory
        
        PID:6032
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:6104
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        34⤵
        Executes dropped EXE
        
        PID:5644
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        35⤵
        Executes dropped EXE
        
        PID:6188
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        36⤵
        Executes dropped EXE
        
        PID:6268
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        37⤵
        Executes dropped EXE
        
        PID:6340
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        38⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:6412
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        39⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:6492
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        40⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:6564
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        41⤵
        Executes dropped EXE
        
        PID:6644
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        42⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:6744
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        43⤵
        Executes dropped EXE
        
        PID:6820
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        44⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:6892
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        45⤵
        Executes dropped EXE
        
        PID:6964
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        46⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:7036
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        47⤵
        Executes dropped EXE
        
        PID:7116
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        48⤵
        Executes dropped EXE
        
        PID:6420
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        49⤵
        Executes dropped EXE
        
        PID:7188
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        50⤵
        Executes dropped EXE
        
        PID:7264
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        51⤵
        Executes dropped EXE
        
        PID:7336
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        52⤵
        Executes dropped EXE
        
        PID:7412
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        53⤵
        Executes dropped EXE
        
        PID:7484
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        54⤵
        Executes dropped EXE
        
        PID:7564
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        55⤵
        Executes dropped EXE
        
        PID:7640
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        56⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:7716
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        57⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:7788
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        58⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:7860
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        59⤵
        Checks computer location settings
        Executes dropped EXE
        
        PID:7992
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        60⤵
        Executes dropped EXE
        
        PID:8068
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        61⤵
        Executes dropped EXE
        
        PID:8140
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        62⤵
        Executes dropped EXE
        
        PID:7492
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        63⤵
        Executes dropped EXE
        
        PID:2752
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        64⤵
        Executes dropped EXE
        
        PID:8076
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        65⤵
        Executes dropped EXE
        
        PID:8244
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        66⤵
        
        PID:8316
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        67⤵
        Checks computer location settings
        
        PID:8384
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        68⤵
        Checks computer location settings
        
        PID:8452
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        69⤵
        Checks computer location settings
        
        PID:8520
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        70⤵
        
        PID:8588
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        71⤵
        
        PID:8656
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        72⤵
        
        PID:8728
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        73⤵
        Checks computer location settings
        
        PID:8800
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        74⤵
        
        PID:8868
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        75⤵
        
        PID:8936
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        76⤵
        Checks computer location settings
        
        PID:9016
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        77⤵
        Checks computer location settings
        
        PID:9132
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        78⤵
        Checks computer location settings
        
        PID:8268
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        79⤵
        
        PID:9280
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        80⤵
        Checks computer location settings
        
        PID:9352
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        81⤵
        
        PID:9420
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        82⤵
        Checks computer location settings
        
        PID:9492
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        83⤵
        Checks computer location settings
        
        PID:9560
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        84⤵
        
        PID:9628
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        85⤵
        
        PID:9704
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        86⤵
        
        PID:9772
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        87⤵
        Checks computer location settings
        
        PID:9844
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        88⤵
        
        PID:9916
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        89⤵
        
        PID:9988
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        90⤵
        
        PID:10056
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        91⤵
        Checks computer location settings
        
        PID:10124
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        92⤵
        
        PID:10192
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        93⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        94⤵
        
        PID:10248
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        95⤵
        
        PID:10316
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        96⤵
        Checks computer location settings
        
        PID:10392
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        97⤵
        Checks computer location settings
        
        PID:10460
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        98⤵
        Checks computer location settings
        
        PID:10528
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        99⤵
        
        PID:10600
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        100⤵
        
        PID:10668
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        101⤵
        
        PID:10736
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        102⤵
        
        PID:10804
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        103⤵
        
        PID:10884
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        104⤵
        
        PID:10952
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        105⤵
        
        PID:11020
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        106⤵
        Checks computer location settings
        
        PID:11088
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        107⤵
        
        PID:11156
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        108⤵
        Checks computer location settings
        
        PID:11224
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        109⤵
        
        PID:2556
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        110⤵
        Checks computer location settings
        
        PID:11328
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        111⤵
        Checks computer location settings
        
        PID:11396
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        112⤵
        Checks computer location settings
        
        PID:11488
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        113⤵
        Checks computer location settings
        
        PID:11556
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        114⤵
        Checks computer location settings
        
        PID:11624
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        115⤵
        Checks computer location settings
        
        PID:11700
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        116⤵
        
        PID:11768
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        117⤵
        
        PID:11844
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        118⤵
        Checks computer location settings
        
        PID:11912
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        119⤵
        Checks computer location settings
        
        PID:11980
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        120⤵
        Checks computer location settings
        
        PID:12048
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        121⤵
        
        PID:12116
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        122⤵
        
        PID:12188
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        123⤵
        Checks computer location settings
        
        PID:12256
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        124⤵
        
        PID:12312
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        125⤵
        Checks computer location settings
        
        PID:12384
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        126⤵
        
        PID:12452
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        127⤵
        Checks computer location settings
        
        PID:12524
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        128⤵
        
        PID:12592
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        129⤵
        
        PID:12660
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        130⤵
        
        PID:12728
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        131⤵
        
        PID:12796
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        132⤵
        
        PID:12868
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        133⤵
        Checks computer location settings
        
        PID:12940
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        134⤵
        Checks computer location settings
        
        PID:13008
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        135⤵
        
        PID:13076
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        136⤵
        
        PID:13152
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        137⤵
        
        PID:13220
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        138⤵
        
        PID:13292
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        139⤵
        
        PID:12844
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        140⤵
        Checks computer location settings
        
        PID:13380
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        141⤵
        
        PID:13448
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        142⤵
        Checks computer location settings
        
        PID:13520
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        143⤵
        Checks computer location settings
        
        PID:13588
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        144⤵
        
        PID:13656
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        145⤵
        Checks computer location settings
        
        PID:13728
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        146⤵
        Checks computer location settings
        
        PID:13804
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        147⤵
        Checks computer location settings
        
        PID:13872
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        148⤵
        Checks computer location settings
        
        PID:13940
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        149⤵
        
        PID:14008
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        150⤵
        Checks computer location settings
        
        PID:14076
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        151⤵
        Checks computer location settings
        
        PID:14148
        
        C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe"
        152⤵
        
        PID:14220
        
        C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe
        
        "C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe"
        153⤵
        
        PID:14288
- C:\windows\system32\u9kzos.exe
  C:\windows\system32\u9kzos.exe
  2⤵
  PID:15272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_rootsupd.exe.exe

Filesize
1.2MB

MD5
fe8df56ecd1587ac8c070d71f77a7a20

SHA1
885853c053a2b6a32a79a77934aaf857ce7455d8

SHA256
572d80f314e31a4a768d0f5b72e3599c8988cdc52f3a2fcdce44a3226ea2a80f

SHA512
51af41bad36d679dda1cea8dbc7685f2dc22d3b1ddd116c5b6a8a430acceab96c0bd56952295c6bda3ff789bfaecfa71af61c4fc64b67905de2264a1dab84d36

Download Submit
C:\Users\Admin\AppData\Local\Temp\rootsupd.exe.exe

Filesize
1.3MB

MD5
e7b6d79b13c5ca44e40a28ea6ef153d8

SHA1
71627669118a0c7961be39266808122e03a5daa3

SHA256
dc544c2a77f394242e2f26acffd4747a484d0a806ce82084b13922ff39582d3c

SHA512
cab6a0e8d465dfcc89fc079cb7779fb0a275c12369b8132a2095b10c69fd9daf81f7980ce0eb3342ded9eadf3f0e075e853293614a23d6b5884213b6deed4f90

Download Submit
memory/2488-30-0x0000000000E00000-0x0000000000F30000-memory.dmp

Filesize
1.2MB

Download
memory/4884-92-0x00007FF86A550000-0x00007FF86B011000-memory.dmp

Filesize
10.8MB

Download
memory/4884-0-0x00007FF86A553000-0x00007FF86A555000-memory.dmp

Filesize
8KB

Download
memory/4884-15-0x00007FF86A550000-0x00007FF86B011000-memory.dmp

Filesize
10.8MB

Download
memory/4884-101-0x00007FF86A550000-0x00007FF86B011000-memory.dmp

Filesize
10.8MB

Download
memory/4884-4-0x0000000002470000-0x0000000002478000-memory.dmp

Filesize
32KB

Download
memory/4884-98-0x000000001C950000-0x000000001D0DE000-memory.dmp

Filesize
7.6MB

Download
memory/4884-2-0x0000000002440000-0x000000000246A000-memory.dmp

Filesize
168KB

Download
memory/4884-1-0x0000000000270000-0x00000000003EE000-memory.dmp

Filesize
1.5MB

Download
memory/4884-91-0x00007FF86A553000-0x00007FF86A555000-memory.dmp

Filesize
8KB

Download
memory/4992-18-0x00007FF86A550000-0x00007FF86B011000-memory.dmp

Filesize
10.8MB

Download
memory/4992-93-0x00007FF86A550000-0x00007FF86B011000-memory.dmp

Filesize
10.8MB

Download
memory/4992-97-0x00007FF86A550000-0x00007FF86B011000-memory.dmp

Filesize
10.8MB

Download
memory/4992-19-0x00007FF86A550000-0x00007FF86B011000-memory.dmp

Filesize
10.8MB

Download
memory/4992-16-0x00000000006B0000-0x0000000000808000-memory.dmp

Filesize
1.3MB

Download