hawkeye | 4ba67a000526a4abcf098ab1671fae28996f0db56a67bdeb36d2ef653e34c35b

Resubmissions

26-09-2024 23:50

240926-3vls2avamn 10

27-08-2024 13:26

240827-qpnzzsvblm 10

Analysis

max time kernel
132s
max time network
130s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27-08-2024 13:26

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

c515a556d7cc1fb7a476fb0fb1aadaaa_JaffaCakes118.exe
Size

705KB
MD5

c515a556d7cc1fb7a476fb0fb1aadaaa
SHA1

c5690d2abee36e06c2c40dceba693bc7eeeda7be
SHA256

4ba67a000526a4abcf098ab1671fae28996f0db56a67bdeb36d2ef653e34c35b
SHA512

ceb6047816345ad1767698982d448d48accc1e9b22f0fb7ca9c9233444523531b9ef672041dc73ce6a6b6f22fd7263ca882d6fb19288d0dd726cb7c0eb94a1a2
SSDEEP

12288:0J0unggMGIwHJo8spfSPFWHw2Y8ZKk8mZfurZB+n3mfYBkU4f5YNmmh8o:luoG9priSPFWHw2Y8ZK5d22fYBkU4f5q

Score

10^/10

hawkeye netwire botnet collection credential_access discovery keylogger persistence rat spyware stealer trojan upx

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
yoqmiiwhxyjcorck

Extracted

Family

netwire

greatking.freeddns.org:3362

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
true
startup_name
NetWire
use_mutex
false

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

NetWire RAT payload 7 IoCs

rat

Processes:

resource	yara_rule
behavioral2/memory/2636-39-0x0000000000400000-0x0000000000423000-memory.dmp	netwire
behavioral2/memory/4988-95-0x0000000000400000-0x0000000000423000-memory.dmp	netwire
behavioral2/memory/456-134-0x0000000000400000-0x0000000000423000-memory.dmp	netwire
behavioral2/memory/4368-212-0x0000000000400000-0x0000000000423000-memory.dmp	netwire
behavioral2/memory/440-246-0x0000000000400000-0x0000000000423000-memory.dmp	netwire
behavioral2/memory/3092-554-0x0000000000400000-0x0000000000423000-memory.dmp	netwire
behavioral2/memory/5072-581-0x0000000000400000-0x0000000000423000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire
Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

Processes:

resource	yara_rule
behavioral2/memory/884-271-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/884-272-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral2/memory/884-274-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral2/memory/884-271-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/884-272-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral2/memory/884-274-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView

Blocklisted process makes network request 4 IoCs

Processes:

flow	pid	Process
176	4900
241	1452
242	1452
243	1452

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

App.exeApp.exeApp.exeHost.exeApp.exeApp.exeHost.exeApp.exeHost.exeHost.exec515a556d7cc1fb7a476fb0fb1aadaaa_JaffaCakes118.exeHost.exeApp.exeHost.exeApp.exeApp.exeHost.exeApp.exeApp.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeHost.exeApp.exeHost.exeHost.exeHost.exeApp.exeHost.exeApp.execoded.exeHost.exeHost.exeHost.exeHost.exeHost.exeApp.exeApp.exeHost.exeApp.exeHost.exeApp.exeApp.exeHost.exeHost.exeHost.exeHost.exeHost.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	App.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	App.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	App.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	App.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	App.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	App.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	c515a556d7cc1fb7a476fb0fb1aadaaa_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	App.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	App.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	App.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	App.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	App.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	App.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	App.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	App.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	App.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	App.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	App.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	App.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	coded.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	App.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	App.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	App.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	App.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	App.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Host.exe

Executes dropped EXE 64 IoCs

Processes:

coded.exeApp.execoded.exeApp.exeHost.exeWindows Update.execoded.exeApp.execoded.exeApp.exeHost.execoded.exeApp.execoded.exeApp.exeHost.execoded.exeApp.execoded.exeApp.exeHost.execoded.exeApp.execoded.exeApp.exeHost.execoded.exeApp.execoded.exeApp.exeApp.exeApp.exeHost.execoded.exeApp.execoded.exeApp.exeHost.execoded.exeApp.execoded.exeApp.exeApp.exeHost.execoded.exeApp.execoded.exeApp.exeHost.execoded.exeApp.execoded.exeApp.exeHost.execoded.exeApp.execoded.exeApp.exeHost.execoded.exeApp.execoded.exeApp.exeHost.exe

pid	Process
3648	coded.exe
2220	App.exe
232	coded.exe
2636	App.exe
4924	Host.exe
3100	Windows Update.exe
440	coded.exe
2128	App.exe
4776	coded.exe
4988	App.exe
4532	Host.exe
3688	coded.exe
1360	App.exe
3264	coded.exe
456	App.exe
628	Host.exe
1028	coded.exe
1560	App.exe
2244	coded.exe
464	App.exe
1000	Host.exe
3484	coded.exe
3312	App.exe
4276	coded.exe
4368	App.exe
2700	Host.exe
1360	coded.exe
2220	App.exe
4968	coded.exe
4712	App.exe
4060	App.exe
440	App.exe
5040	Host.exe
3472	coded.exe
4056	App.exe
4776	coded.exe
1792	App.exe
2008	Host.exe
4528	coded.exe
2152	App.exe
4824	coded.exe
3596	App.exe
3592	App.exe
4900	Host.exe
2420	coded.exe
2220	App.exe
4296	coded.exe
3484	App.exe
1824	Host.exe
5016	coded.exe
4592	App.exe
4924	coded.exe
3356	App.exe
3516	Host.exe
2156	coded.exe
2916	App.exe
3564	coded.exe
1848	App.exe
8	Host.exe
1640	coded.exe
440	App.exe
3548	coded.exe
3244	App.exe
3872	Host.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2636-36-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/2636-38-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/2636-39-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/4988-95-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/4988-94-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/456-134-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/4368-212-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/4368-211-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/440-246-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/440-245-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3092-553-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/3092-554-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral2/memory/5072-581-0x0000000000400000-0x0000000000423000-memory.dmp	upx

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Windows Update.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	Windows Update.exe

Looks up external IP address via web service 1 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow	ioc
11	checkip.dyndns.org

Suspicious use of SetThreadContext 64 IoCs

Processes:

App.exeApp.exeApp.exeApp.exeApp.exeApp.exeWindows Update.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exe

description	pid	Process	procid_target
PID 2220 set thread context of 2636	2220	App.exe	98
PID 2128 set thread context of 4988	2128	App.exe	112
PID 1360 set thread context of 456	1360	App.exe	125
PID 1560 set thread context of 464	1560	App.exe	138
PID 3312 set thread context of 4368	3312	App.exe	152
PID 2220 set thread context of 440	2220	App.exe	167
PID 3100 set thread context of 884	3100	Windows Update.exe	180
PID 4056 set thread context of 1792	4056	App.exe	181
PID 2152 set thread context of 3592	2152	App.exe	195
PID 2220 set thread context of 3484	2220	App.exe	208
PID 4592 set thread context of 3356	4592	App.exe	221
PID 2916 set thread context of 1848	2916	App.exe	234
PID 440 set thread context of 3244	440	App.exe	337
PID 1824 set thread context of 4768	1824	App.exe	261
PID 4804 set thread context of 3532	4804	App.exe	276
PID 4528 set thread context of 2156	4528	App.exe	290
PID 5072 set thread context of 936	5072	App.exe	304
PID 3100 set thread context of 4040	3100	Windows Update.exe	310
PID 4448 set thread context of 3092	4448	App.exe	318
PID 3296 set thread context of 5072	3296	App.exe	332
PID 3244 set thread context of 2432	3244	App.exe	345
PID 4944 set thread context of 1700	4944	App.exe	362
PID 4460 set thread context of 4936	4460	App.exe	444
PID 1400 set thread context of 2004	1400	App.exe	391
PID 4508 set thread context of 2320	4508	App.exe	404
PID 388 set thread context of 4732	388	App.exe	501
PID 3000 set thread context of 1584	3000	App.exe	430
PID 2456 set thread context of 4936	2456	App.exe	444
PID 3320 set thread context of 4356	3320	App.exe	457
PID 4512 set thread context of 2548	4512	App.exe	470
PID 4532 set thread context of 3460	4532	App.exe	485
PID 4944 set thread context of 1868	4944	App.exe	552
PID 232 set thread context of 4128	232	App.exe	511
PID 3144 set thread context of 4288	3144	App.exe	524
PID 3420 set thread context of 60	3420	App.exe	594
PID 3008 set thread context of 4492	3008	App.exe	550
PID 3548 set thread context of 4464	3548	App.exe	563
PID 3568 set thread context of 1608	3568	App.exe	661
PID 3992 set thread context of 1400	3992	App.exe	649
PID 3460 set thread context of 1896	3460	App.exe	606
PID 464 set thread context of 3896	464	App.exe	619
PID 1348 set thread context of 3864	1348	App.exe	634
PID 812 set thread context of 3312	812	App.exe	647
PID 880 set thread context of 1348	880	App.exe	688
PID 3568 set thread context of 4368	3568	App.exe	673
PID 2060 set thread context of 4048	2060	App.exe	743
PID 1680 set thread context of 4684	1680	App.exe	756
PID 2380 set thread context of 232	2380	App.exe	713
PID 1828 set thread context of 1636	1828	App.exe	726
PID 1104 set thread context of 716	1104	App.exe	739
PID 4544 set thread context of 3424	4544	App.exe	752
PID 3680 set thread context of 2720	3680	App.exe	765
PID 3916 set thread context of 1504	3916	App.exe	779
PID 3968 set thread context of 3748	3968	App.exe	823
PID 2436 set thread context of 4768	2436	App.exe	836
PID 3564 set thread context of 5116	3564	App.exe	819
PID 3928 set thread context of 3544	3928	App.exe	832
PID 2824 set thread context of 5040	2824	App.exe	846
PID 3968 set thread context of 4828	3968	App.exe	860
PID 4612 set thread context of 1152	4612	App.exe	873
PID 448 set thread context of 3484	448	App.exe	886
PID 2604 set thread context of 4756	2604	App.exe	899
PID 3104 set thread context of 4556	3104	App.exe	980
PID 4312 set thread context of 692	4312	App.exe	925

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

cmd.exeApp.execmd.execoded.execmd.execoded.exeApp.exeApp.execmd.execmd.execoded.execoded.exeschtasks.exeschtasks.exeschtasks.execmd.exeApp.execoded.execmd.execmd.exeschtasks.execmd.exeHost.exeschtasks.execmd.exeApp.execmd.exeHost.exeschtasks.exeschtasks.execoded.exeHost.execmd.exeschtasks.exeApp.execoded.execmd.execmd.execmd.exeApp.exeHost.exeschtasks.exeApp.exeschtasks.exeApp.execmd.exeApp.exeschtasks.execmd.exeApp.execmd.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	App.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	coded.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	coded.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	App.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	App.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	coded.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	coded.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	App.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	coded.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Host.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	App.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Host.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	coded.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Host.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	App.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	coded.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	App.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Host.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	App.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	App.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	App.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	App.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	Process
4328
760	schtasks.exe
3264	schtasks.exe
4616	schtasks.exe
1912	schtasks.exe
4256	schtasks.exe
3808	schtasks.exe
2320	schtasks.exe
1688	schtasks.exe
2264
2432
4712	schtasks.exe
4796	schtasks.exe
4132	schtasks.exe
432	schtasks.exe
3680	schtasks.exe
4900	schtasks.exe
1100	schtasks.exe
3908	schtasks.exe
4520	schtasks.exe
464	schtasks.exe
4692	schtasks.exe
2668
5068
1000	schtasks.exe
4928	schtasks.exe
4732	schtasks.exe
1096
3488	schtasks.exe
1920	schtasks.exe
1176
5092	schtasks.exe
4868	schtasks.exe
4520	schtasks.exe
2208	schtasks.exe
4328
3612	schtasks.exe
1884	schtasks.exe
2368
1000
3692
716	schtasks.exe
3752
2380
2592	schtasks.exe
3968	schtasks.exe
3684	schtasks.exe
1848	schtasks.exe
2840	schtasks.exe
4736	schtasks.exe
2592	schtasks.exe
2380
4944	schtasks.exe
3312	schtasks.exe
740	schtasks.exe
1164	schtasks.exe
3180
3240
464	schtasks.exe
2432	schtasks.exe
5116	schtasks.exe
4036	schtasks.exe
4836
3312

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c515a556d7cc1fb7a476fb0fb1aadaaa_JaffaCakes118.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exe

pid	Process
3536	c515a556d7cc1fb7a476fb0fb1aadaaa_JaffaCakes118.exe
3536	c515a556d7cc1fb7a476fb0fb1aadaaa_JaffaCakes118.exe
2220	App.exe
2220	App.exe
4924	Host.exe
4924	Host.exe
2128	App.exe
2128	App.exe
4532	Host.exe
4532	Host.exe
1360	App.exe
1360	App.exe
628	Host.exe
628	Host.exe
1560	App.exe
1560	App.exe
1000	Host.exe
1000	Host.exe
3312	App.exe
3312	App.exe
2700	Host.exe
2700	Host.exe
2220	App.exe
2220	App.exe
5040	Host.exe
5040	Host.exe
4056	App.exe
4056	App.exe
2008	Host.exe
2008	Host.exe
2152	App.exe
2152	App.exe
4900	Host.exe
4900	Host.exe
2220	App.exe
2220	App.exe
1824	Host.exe
1824	Host.exe
4592	App.exe
4592	App.exe
3516	Host.exe
3516	Host.exe
2916	App.exe
2916	App.exe
8	Host.exe
8	Host.exe
440	App.exe
440	App.exe
3872	Host.exe
3872	Host.exe
1824	App.exe
1824	App.exe
4468	Host.exe
4468	Host.exe
4804	App.exe
4804	App.exe
5116	Host.exe
5116	Host.exe
4528	App.exe
4528	App.exe
3928	Host.exe
3928	Host.exe
5072	App.exe
5072	App.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

c515a556d7cc1fb7a476fb0fb1aadaaa_JaffaCakes118.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeWindows Update.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exe

description	pid	Process
Token: SeDebugPrivilege	3536	c515a556d7cc1fb7a476fb0fb1aadaaa_JaffaCakes118.exe
Token: SeDebugPrivilege	2220	App.exe
Token: SeDebugPrivilege	4924	Host.exe
Token: SeDebugPrivilege	2128	App.exe
Token: SeDebugPrivilege	4532	Host.exe
Token: SeDebugPrivilege	1360	App.exe
Token: SeDebugPrivilege	628	Host.exe
Token: SeDebugPrivilege	1560	App.exe
Token: SeDebugPrivilege	1000	Host.exe
Token: SeDebugPrivilege	3100	Windows Update.exe
Token: SeDebugPrivilege	3312	App.exe
Token: SeDebugPrivilege	2700	Host.exe
Token: SeDebugPrivilege	2220	App.exe
Token: SeDebugPrivilege	5040	Host.exe
Token: SeDebugPrivilege	4056	App.exe
Token: SeDebugPrivilege	2008	Host.exe
Token: SeDebugPrivilege	2152	App.exe
Token: SeDebugPrivilege	4900	Host.exe
Token: SeDebugPrivilege	2220	App.exe
Token: SeDebugPrivilege	1824	Host.exe
Token: SeDebugPrivilege	4592	App.exe
Token: SeDebugPrivilege	3516	Host.exe
Token: SeDebugPrivilege	2916	App.exe
Token: SeDebugPrivilege	8	Host.exe
Token: SeDebugPrivilege	440	App.exe
Token: SeDebugPrivilege	3872	Host.exe
Token: SeDebugPrivilege	1824	App.exe
Token: SeDebugPrivilege	4468	Host.exe
Token: SeDebugPrivilege	4804	App.exe
Token: SeDebugPrivilege	5116	Host.exe
Token: SeDebugPrivilege	4528	App.exe
Token: SeDebugPrivilege	3928	Host.exe
Token: SeDebugPrivilege	5072	App.exe
Token: SeDebugPrivilege	3952	Host.exe
Token: SeDebugPrivilege	4448	App.exe
Token: SeDebugPrivilege	824	Host.exe
Token: SeDebugPrivilege	3296	App.exe
Token: SeDebugPrivilege	2676	Host.exe
Token: SeDebugPrivilege	3244	App.exe
Token: SeDebugPrivilege	1480	Host.exe
Token: SeDebugPrivilege	4944	App.exe
Token: SeDebugPrivilege	5028	Host.exe
Token: SeDebugPrivilege	4460	App.exe
Token: SeDebugPrivilege	5056	Host.exe
Token: SeDebugPrivilege	1400	App.exe
Token: SeDebugPrivilege	412	Host.exe
Token: SeDebugPrivilege	4508	App.exe
Token: SeDebugPrivilege	4936	Host.exe
Token: SeDebugPrivilege	388	App.exe
Token: SeDebugPrivilege	3864	Host.exe
Token: SeDebugPrivilege	3000	App.exe
Token: SeDebugPrivilege	2992	Host.exe
Token: SeDebugPrivilege	2456	App.exe
Token: SeDebugPrivilege	1400	Host.exe
Token: SeDebugPrivilege	3320	App.exe
Token: SeDebugPrivilege	3236	Host.exe
Token: SeDebugPrivilege	4512	App.exe
Token: SeDebugPrivilege	2208	Host.exe
Token: SeDebugPrivilege	4532	App.exe
Token: SeDebugPrivilege	1680	Host.exe
Token: SeDebugPrivilege	4944	App.exe
Token: SeDebugPrivilege	3728	Host.exe
Token: SeDebugPrivilege	232	App.exe
Token: SeDebugPrivilege	4924	Host.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Windows Update.exe

pid	Process
3100	Windows Update.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c515a556d7cc1fb7a476fb0fb1aadaaa_JaffaCakes118.execmd.exeApp.execmd.execmd.exeApp.execoded.exeHost.execmd.exeApp.execmd.execmd.exe

description	pid	Process	procid_target
PID 3536 wrote to memory of 3648	3536	c515a556d7cc1fb7a476fb0fb1aadaaa_JaffaCakes118.exe	87
PID 3536 wrote to memory of 3648	3536	c515a556d7cc1fb7a476fb0fb1aadaaa_JaffaCakes118.exe	87
PID 3536 wrote to memory of 3648	3536	c515a556d7cc1fb7a476fb0fb1aadaaa_JaffaCakes118.exe	87
PID 3536 wrote to memory of 2712	3536	c515a556d7cc1fb7a476fb0fb1aadaaa_JaffaCakes118.exe	88
PID 3536 wrote to memory of 2712	3536	c515a556d7cc1fb7a476fb0fb1aadaaa_JaffaCakes118.exe	88
PID 3536 wrote to memory of 2712	3536	c515a556d7cc1fb7a476fb0fb1aadaaa_JaffaCakes118.exe	88
PID 2712 wrote to memory of 2220	2712	cmd.exe	90
PID 2712 wrote to memory of 2220	2712	cmd.exe	90
PID 2712 wrote to memory of 2220	2712	cmd.exe	90
PID 2220 wrote to memory of 232	2220	App.exe	91
PID 2220 wrote to memory of 232	2220	App.exe	91
PID 2220 wrote to memory of 232	2220	App.exe	91
PID 2220 wrote to memory of 4396	2220	App.exe	92
PID 2220 wrote to memory of 4396	2220	App.exe	92
PID 2220 wrote to memory of 4396	2220	App.exe	92
PID 4396 wrote to memory of 4044	4396	cmd.exe	94
PID 4396 wrote to memory of 4044	4396	cmd.exe	94
PID 4396 wrote to memory of 4044	4396	cmd.exe	94
PID 2220 wrote to memory of 32	2220	App.exe	95
PID 2220 wrote to memory of 32	2220	App.exe	95
PID 2220 wrote to memory of 32	2220	App.exe	95
PID 32 wrote to memory of 3908	32	cmd.exe	97
PID 32 wrote to memory of 3908	32	cmd.exe	97
PID 32 wrote to memory of 3908	32	cmd.exe	97
PID 2220 wrote to memory of 2636	2220	App.exe	98
PID 2220 wrote to memory of 2636	2220	App.exe	98
PID 2220 wrote to memory of 2636	2220	App.exe	98
PID 2220 wrote to memory of 2636	2220	App.exe	98
PID 2220 wrote to memory of 2636	2220	App.exe	98
PID 2220 wrote to memory of 2636	2220	App.exe	98
PID 2220 wrote to memory of 2636	2220	App.exe	98
PID 2220 wrote to memory of 2636	2220	App.exe	98
PID 2636 wrote to memory of 4924	2636	App.exe	99
PID 2636 wrote to memory of 4924	2636	App.exe	99
PID 2636 wrote to memory of 4924	2636	App.exe	99
PID 3648 wrote to memory of 3100	3648	coded.exe	100
PID 3648 wrote to memory of 3100	3648	coded.exe	100
PID 3648 wrote to memory of 3100	3648	coded.exe	100
PID 4924 wrote to memory of 440	4924	Host.exe	135
PID 4924 wrote to memory of 440	4924	Host.exe	135
PID 4924 wrote to memory of 440	4924	Host.exe	135
PID 4924 wrote to memory of 3600	4924	Host.exe	102
PID 4924 wrote to memory of 3600	4924	Host.exe	102
PID 4924 wrote to memory of 3600	4924	Host.exe	102
PID 3600 wrote to memory of 2128	3600	cmd.exe	104
PID 3600 wrote to memory of 2128	3600	cmd.exe	104
PID 3600 wrote to memory of 2128	3600	cmd.exe	104
PID 2128 wrote to memory of 4776	2128	App.exe	105
PID 2128 wrote to memory of 4776	2128	App.exe	105
PID 2128 wrote to memory of 4776	2128	App.exe	105
PID 2128 wrote to memory of 3992	2128	App.exe	106
PID 2128 wrote to memory of 3992	2128	App.exe	106
PID 2128 wrote to memory of 3992	2128	App.exe	106
PID 3992 wrote to memory of 1880	3992	cmd.exe	108
PID 3992 wrote to memory of 1880	3992	cmd.exe	108
PID 3992 wrote to memory of 1880	3992	cmd.exe	108
PID 2128 wrote to memory of 2604	2128	App.exe	109
PID 2128 wrote to memory of 2604	2128	App.exe	109
PID 2128 wrote to memory of 2604	2128	App.exe	109
PID 2604 wrote to memory of 760	2604	cmd.exe	111
PID 2604 wrote to memory of 760	2604	cmd.exe	111
PID 2604 wrote to memory of 760	2604	cmd.exe	111
PID 2128 wrote to memory of 4988	2128	App.exe	112
PID 2128 wrote to memory of 4988	2128	App.exe	112

C:\Users\Admin\AppData\Local\Temp\c515a556d7cc1fb7a476fb0fb1aadaaa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c515a556d7cc1fb7a476fb0fb1aadaaa_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3536
- C:\ProgramData\coded.exe
  "C:\ProgramData\coded.exe"
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:3648
- - C:\Users\Admin\AppData\Roaming\Windows Update.exe
    "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3100
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\\holdermail.txt"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:884
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\\holderwb.txt"
      4⤵
      PID:4040
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2712
- - C:\Users\Admin\AppData\Roaming\App.exe
    "C:\Users\Admin\AppData\Roaming\App.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2220
  - - C:\ProgramData\coded.exe
      "C:\ProgramData\coded.exe"
      4⤵
      Executes dropped EXE
      PID:232
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4396
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        5⤵
        
        PID:4044
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:32
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1392947579.xml"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3908
  - - C:\Users\Admin\AppData\Roaming\App.exe
      "C:\Users\Admin\AppData\Roaming\App.exe "
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:2636
    - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        5⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4924
      - C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        6⤵
        Executes dropped EXE
        
        PID:440
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3600
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:2128
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        8⤵
        Executes dropped EXE
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        8⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:3992
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        9⤵
        
        PID:1880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:2604
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\734984439.xml"
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:760
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        8⤵
        Executes dropped EXE
        
        PID:4988
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4532
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        10⤵
        Executes dropped EXE
        
        PID:3688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        10⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1360
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        12⤵
        Executes dropped EXE
        
        PID:3264
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        12⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        13⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        12⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\339168132.xml"
        13⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        12⤵
        Executes dropped EXE
        
        PID:456
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:628
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        14⤵
        Executes dropped EXE
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        14⤵
        
        PID:960
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1560
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        16⤵
        Executes dropped EXE
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        16⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        17⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        16⤵
        
        PID:440
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\833367361.xml"
        17⤵
        
        PID:2208
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        16⤵
        Executes dropped EXE
        
        PID:464
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1000
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        18⤵
        Executes dropped EXE
        
        PID:3484
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        18⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3312
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        20⤵
        Executes dropped EXE
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        20⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        21⤵
        
        PID:100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:4684
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1208078982.xml"
        21⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        20⤵
        Executes dropped EXE
        
        PID:4368
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2700
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        22⤵
        Executes dropped EXE
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        22⤵
        
        PID:3356
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        23⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        24⤵
        Executes dropped EXE
        
        PID:4968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        24⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        25⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        24⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1507915524.xml"
        25⤵
        
        PID:3404
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        24⤵
        Executes dropped EXE
        
        PID:4712
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        24⤵
        Executes dropped EXE
        
        PID:4060
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        24⤵
        Executes dropped EXE
        
        PID:440
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5040
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        26⤵
        Executes dropped EXE
        
        PID:3472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        26⤵
        
        PID:2660
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        27⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4056
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        28⤵
        Executes dropped EXE
        
        PID:4776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        28⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        29⤵
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:2216
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\79424456.xml"
        29⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1688
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        28⤵
        Executes dropped EXE
        
        PID:1792
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        29⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2008
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        30⤵
        Executes dropped EXE
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        30⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2152
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        32⤵
        Executes dropped EXE
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        32⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        33⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        32⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1292448151.xml"
        33⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2592
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        32⤵
        Executes dropped EXE
        
        PID:3596
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        32⤵
        Executes dropped EXE
        
        PID:3592
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4900
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        34⤵
        Executes dropped EXE
        
        PID:2420
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        34⤵
        
        PID:2900
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        35⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2220
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        36⤵
        Executes dropped EXE
        
        PID:4296
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        36⤵
        
        PID:628
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        37⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        36⤵
        
        PID:1700
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1479888018.xml"
        37⤵
        
        PID:3952
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        36⤵
        Executes dropped EXE
        
        PID:3484
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        37⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1824
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        38⤵
        Executes dropped EXE
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        38⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4592
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        40⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        40⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        41⤵
        
        PID:1000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        40⤵
        
        PID:1456
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1735112031.xml"
        41⤵
        
        PID:2756
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        40⤵
        Executes dropped EXE
        
        PID:3356
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3516
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        42⤵
        Executes dropped EXE
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        42⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2916
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        44⤵
        Executes dropped EXE
        
        PID:3564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        44⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        45⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        44⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\306620963.xml"
        45⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3968
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        44⤵
        Executes dropped EXE
        
        PID:1848
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        45⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:8
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        46⤵
        Executes dropped EXE
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        46⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:440
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        48⤵
        Executes dropped EXE
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        48⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        49⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        48⤵
        
        PID:4048
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\568935909.xml"
        49⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        48⤵
        Executes dropped EXE
        
        PID:3244
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        49⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3872
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        50⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        50⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        51⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1824
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        52⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        52⤵
        
        PID:824
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        53⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        52⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\412094818.xml"
        53⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4712
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        52⤵
        
        PID:3916
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        52⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        53⤵
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4468
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        54⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        54⤵
        
        PID:5056
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        55⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4804
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        56⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        56⤵
        
        PID:540
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        57⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        56⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1864093729.xml"
        57⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        56⤵
        
        PID:3532
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        57⤵
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5116
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        58⤵
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        58⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        59⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4528
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        60⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        60⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        61⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        60⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1587765030.xml"
        61⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4520
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        60⤵
        
        PID:2156
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        61⤵
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3928
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        62⤵
        
        PID:3296
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        62⤵
        
        PID:3936
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        63⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5072
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        64⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        64⤵
        
        PID:4052
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        65⤵
        System Location Discovery: System Language Discovery
        
        PID:3824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        64⤵
        
        PID:5004
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\705008540.xml"
        65⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        64⤵
        
        PID:3820
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        64⤵
        
        PID:936
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        65⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3952
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        66⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        66⤵
        
        PID:4132
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        67⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4448
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        68⤵
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        68⤵
        
        PID:4388
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:4268
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        69⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        68⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\728348270.xml"
        69⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3264
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        68⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        69⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:824
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        70⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        70⤵
        
        PID:3872
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        71⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:3296
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        72⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        72⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        73⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        72⤵
        System Location Discovery: System Language Discovery
        
        PID:3996
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\257656884.xml"
        73⤵
        
        PID:3820
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        72⤵
        
        PID:5072
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        73⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2676
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        74⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        74⤵
        
        PID:1124
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        75⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:3244
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        76⤵
        
        PID:60
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        76⤵
        
        PID:3104
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        77⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        76⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\864252788.xml"
        77⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        76⤵
        
        PID:2432
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        77⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1480
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        78⤵
        
        PID:3724
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        78⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        79⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4944
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        80⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        80⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        81⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        80⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1283576938.xml"
        81⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5092
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        80⤵
        
        PID:2160
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        80⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        80⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        81⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5028
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        82⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        82⤵
        
        PID:4256
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        83⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4460
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        84⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        84⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        85⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        84⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1883081909.xml"
        85⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1000
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        84⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        84⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        84⤵
        
        PID:3944
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:4936
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        85⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:5056
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        86⤵
        
        PID:388
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        86⤵
        
        PID:2660
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        87⤵
        
        PID:3436
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        87⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1400
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        88⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        88⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        89⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        88⤵
        
        PID:1452
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        89⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1951034168.xml"
        89⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4944
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        88⤵
        
        PID:2004
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        89⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:412
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        90⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        90⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        91⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4508
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        92⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        92⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        93⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        92⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1787102144.xml"
        93⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4616
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        92⤵
        
        PID:2320
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        93⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4936
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        94⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        94⤵
        
        PID:3616
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        95⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:388
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        96⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        96⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        97⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        96⤵
        
        PID:1764
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\552973763.xml"
        97⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:464
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        96⤵
        
        PID:4732
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        97⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3864
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        98⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        98⤵
        
        PID:1100
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        99⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:3000
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        100⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        100⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        101⤵
        System Location Discovery: System Language Discovery
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        100⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1698213312.xml"
        101⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4928
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        100⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        101⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        102⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        102⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        103⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2456
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        104⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        104⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        105⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        104⤵
        
        PID:4572
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1766165571.xml"
        105⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4692
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        104⤵
        
        PID:4936
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        105⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1400
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        106⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        106⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        107⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:3320
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        108⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        108⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        109⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        108⤵
        
        PID:692
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1834117830.xml"
        109⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3312
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        108⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        109⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3236
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        110⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        110⤵
        
        PID:3520
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:4460
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        111⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4512
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        112⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        112⤵
        
        PID:5100
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        113⤵
        System Location Discovery: System Language Discovery
        
        PID:3776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        112⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\480501841.xml"
        113⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        112⤵
        
        PID:2548
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        113⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:2208
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        114⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        114⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        115⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4532
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        116⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        116⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        117⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        116⤵
        
        PID:880
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1005131733.xml"
        117⤵
        
        PID:3968
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        116⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        116⤵
        
        PID:3460
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        117⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        118⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        118⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        119⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4944
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        120⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        120⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        121⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        120⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\347168593.xml"
        121⤵
        
        PID:3212
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        120⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        121⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:3728
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        122⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        122⤵
        
        PID:4732
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        123⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:232
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        124⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        124⤵
        
        PID:3260
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        125⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        124⤵
        
        PID:2432
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\534608460.xml"
        125⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1848
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        124⤵
        
        PID:4128
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        125⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4924
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        126⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        126⤵
        
        PID:3356
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        127⤵
        Suspicious use of SetThreadContext
        
        PID:3144
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        128⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        128⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        128⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\789832473.xml"
        129⤵
        
        PID:4804
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        128⤵
        System Location Discovery: System Language Discovery
        
        PID:4288
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        129⤵
        Checks computer location settings
        
        PID:3928
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        130⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        130⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        131⤵
        Suspicious use of SetThreadContext
        
        PID:3420
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        132⤵
        
        PID:412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        132⤵
        
        PID:1400
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        133⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        133⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        132⤵
        
        PID:4368
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\2047468697.xml"
        133⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1912
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        132⤵
        
        PID:60
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        133⤵
        
        PID:2020
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        134⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        134⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        135⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        
        PID:3008
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        136⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        136⤵
        
        PID:4004
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        137⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        136⤵
        
        PID:448
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1808661594.xml"
        137⤵
        
        PID:5004
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        136⤵
        
        PID:4492
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        137⤵
        
        PID:4572
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        138⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        138⤵
        
        PID:3484
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        139⤵
        
        PID:2468
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        139⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3548
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        140⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        140⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        141⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        140⤵
        
        PID:3080
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\73411164.xml"
        141⤵
        
        PID:3896
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        140⤵
        
        PID:4464
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        141⤵
        
        PID:3104
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        142⤵
        
        PID:3872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        142⤵
        
        PID:3704
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        143⤵
        Suspicious use of SetThreadContext
        
        PID:3568
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        144⤵
        
        PID:100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        144⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        145⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        144⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\979675497.xml"
        145⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:740
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        144⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        144⤵
        
        PID:1608
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        145⤵
        
        PID:3436
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        146⤵
        
        PID:4868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        146⤵
        
        PID:4384
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        147⤵
        Suspicious use of SetThreadContext
        
        PID:3992
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        148⤵
        
        PID:3892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        148⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        149⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        148⤵
        
        PID:3524
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        149⤵
        
        PID:412
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\628471719.xml"
        149⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        148⤵
        
        PID:3896
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        148⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        148⤵
        
        PID:1400
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        149⤵
        Checks computer location settings
        
        PID:3864
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        150⤵
        
        PID:60
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        150⤵
        
        PID:2692
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        151⤵
        Suspicious use of SetThreadContext
        
        PID:3460
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        152⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        152⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        153⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        152⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1040704936.xml"
        153⤵
        
        PID:1412
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        152⤵
        
        PID:1896
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        153⤵
        
        PID:4600
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        154⤵
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        154⤵
        
        PID:1124
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        155⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        
        PID:464
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        156⤵
        
        PID:3424
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        156⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        157⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        156⤵
        
        PID:412
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        157⤵
        
        PID:3524
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\2073547810.xml"
        157⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        156⤵
        
        PID:3896
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        157⤵
        Checks computer location settings
        
        PID:1196
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        158⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        158⤵
        
        PID:456
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        159⤵
        Suspicious use of SetThreadContext
        
        PID:1348
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        160⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        160⤵
        
        PID:2320
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        161⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        160⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1146178791.xml"
        161⤵
        
        PID:3420
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        160⤵
        
        PID:3728
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        160⤵
        
        PID:3520
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        160⤵
        
        PID:3864
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        161⤵
        Checks computer location settings
        
        PID:1636
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        162⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        162⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        163⤵
        Suspicious use of SetThreadContext
        
        PID:812
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        164⤵
        System Location Discovery: System Language Discovery
        
        PID:536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        164⤵
        
        PID:692
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        165⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        164⤵
        
        PID:412
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\2014921528.xml"
        165⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        164⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        165⤵
        System Location Discovery: System Language Discovery
        
        PID:3544
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        166⤵
        
        PID:1400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        166⤵
        System Location Discovery: System Language Discovery
        
        PID:4824
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        167⤵
        Suspicious use of SetThreadContext
        
        PID:880
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        168⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        168⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        169⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        168⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1858080437.xml"
        169⤵
        
        PID:2900
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        168⤵
        
        PID:1348
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        169⤵
        
        PID:1608
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        170⤵
        
        PID:3784
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        170⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        171⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        
        PID:3568
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        172⤵
        
        PID:3564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        172⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        173⤵
        
        PID:3260
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        172⤵
        
        PID:2008
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        173⤵
        
        PID:3664
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\197705086.xml"
        173⤵
        
        PID:464
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        172⤵
        
        PID:4368
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        173⤵
        
        PID:4736
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        174⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        174⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        175⤵
        Suspicious use of SetThreadContext
        
        PID:2060
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        176⤵
        
        PID:716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        176⤵
        
        PID:2160
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        177⤵
        
        PID:2548
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        177⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        176⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\916697665.xml"
        177⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        176⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        177⤵
        
        PID:2156
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        178⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        178⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        179⤵
        Suspicious use of SetThreadContext
        
        PID:1680
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        180⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        180⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        181⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        180⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1104137532.xml"
        181⤵
        
        PID:1052
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        180⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        180⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        181⤵
        
        PID:4944
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        182⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        182⤵
        
        PID:2364
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        183⤵
        Suspicious use of SetThreadContext
        
        PID:2380
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        184⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        184⤵
        
        PID:432
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        185⤵
        
        PID:4056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        184⤵
        
        PID:2428
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        185⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1710733436.xml"
        185⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:716
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        184⤵
        
        PID:232
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        185⤵
        
        PID:2908
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        186⤵
        
        PID:3512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        186⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        187⤵
        Suspicious use of SetThreadContext
        
        PID:1828
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        188⤵
        
        PID:1152
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        188⤵
        
        PID:3244
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        189⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        189⤵
        
        PID:412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        188⤵
        System Location Discovery: System Language Discovery
        
        PID:2228
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\476605055.xml"
        189⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:464
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        188⤵
        
        PID:1636
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        189⤵
        
        PID:3320
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        190⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        190⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        191⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        
        PID:1104
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        192⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        192⤵
        
        PID:4460
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        193⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        192⤵
        System Location Discovery: System Language Discovery
        
        PID:3704
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1195597634.xml"
        193⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2840
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        192⤵
        
        PID:716
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        193⤵
        
        PID:3728
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        194⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        194⤵
        
        PID:3724
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        195⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        195⤵
        Suspicious use of SetThreadContext
        
        PID:4544
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        196⤵
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        196⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        197⤵
        
        PID:4892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        196⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\186262603.xml"
        197⤵
        
        PID:1848
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        196⤵
        
        PID:3424
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        197⤵
        
        PID:2604
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        198⤵
        
        PID:4384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        198⤵
        
        PID:4616
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        199⤵
        
        PID:4684
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        199⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3680
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        200⤵
        
        PID:4172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        200⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        201⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        200⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\366611537.xml"
        201⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3612
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        200⤵
        
        PID:2720
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        201⤵
        
        PID:1620
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        202⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        202⤵
        
        PID:3444
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        203⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        
        PID:3916
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        204⤵
        
        PID:3176
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        204⤵
        
        PID:412
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        205⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        204⤵
        System Location Discovery: System Language Discovery
        
        PID:2392
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        205⤵
        
        PID:464
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\90282838.xml"
        205⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4796
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        204⤵
        
        PID:4196
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        204⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        205⤵
        Checks computer location settings
        
        PID:2012
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        206⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        206⤵
        
        PID:1644
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        207⤵
        Suspicious use of SetThreadContext
        
        PID:3968
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        208⤵
        
        PID:1584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        208⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        209⤵
        
        PID:3212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        208⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1998959382.xml"
        209⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5116
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        208⤵
        
        PID:3704
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        208⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        209⤵
        
        PID:3664
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        210⤵
        
        PID:3656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        210⤵
        System Location Discovery: System Language Discovery
        
        PID:5036
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        211⤵
        Suspicious use of SetThreadContext
        
        PID:2436
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        212⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        212⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        213⤵
        
        PID:1896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        212⤵
        
        PID:812
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1460483850.xml"
        213⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1884
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        212⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        213⤵
        Checks computer location settings
        
        PID:4736
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        214⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        214⤵
        
        PID:4924
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        215⤵
        Suspicious use of SetThreadContext
        
        PID:3564
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        216⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        216⤵
        
        PID:4108
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        217⤵
        
        PID:2992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        216⤵
        
        PID:2548
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        217⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\870304856.xml"
        217⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4036
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        216⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        217⤵
        Checks computer location settings
        
        PID:1584
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        218⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        218⤵
        
        PID:2232
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        219⤵
        
        PID:3748
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        219⤵
        Suspicious use of SetThreadContext
        
        PID:3928
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        220⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        220⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        221⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        220⤵
        
        PID:4204
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        221⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1896056797.xml"
        221⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4868
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        220⤵
        
        PID:3544
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        221⤵
        
        PID:2680
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        222⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        222⤵
        
        PID:4732
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        223⤵
        
        PID:4768
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        223⤵
        Suspicious use of SetThreadContext
        
        PID:2824
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        224⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        224⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        225⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        224⤵
        System Location Discovery: System Language Discovery
        
        PID:2320
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\467565729.xml"
        225⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        224⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        224⤵
        
        PID:5040
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        225⤵
        
        PID:3092
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        226⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        226⤵
        
        PID:4508
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        227⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        227⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        
        PID:3968
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        228⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        228⤵
        
        PID:3608
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        229⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        229⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        228⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1844689561.xml"
        229⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4256
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        228⤵
        
        PID:536
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        228⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        229⤵
        
        PID:2780
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        230⤵
        
        PID:3680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        230⤵
        
        PID:3928
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        231⤵
        
        PID:1884
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        231⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        
        PID:4612
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        232⤵
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        232⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        233⤵
        
        PID:4756
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        232⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\528595168.xml"
        233⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2592
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        232⤵
        
        PID:1152
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        233⤵
        
        PID:3520
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        234⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        234⤵
        
        PID:3472
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        235⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        235⤵
        Suspicious use of SetThreadContext
        
        PID:448
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        236⤵
        
        PID:3612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        236⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        237⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        236⤵
        
        PID:3264
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1015703464.xml"
        237⤵
        
        PID:1416
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        236⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        237⤵
        Checks computer location settings
        
        PID:1896
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        238⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        238⤵
        
        PID:3516
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        239⤵
        Suspicious use of SetThreadContext
        
        PID:2604
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        240⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        240⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        241⤵
        
        PID:2068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        240⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\889293036.xml"
        241⤵
        
        PID:4196
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        240⤵
        
        PID:4756
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        241⤵
        
        PID:1412
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        242⤵
        
        PID:3024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        242⤵
        
        PID:896
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        243⤵
        Suspicious use of SetThreadContext
        
        PID:3104
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        244⤵
        System Location Discovery: System Language Discovery
        
        PID:3460
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        244⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        245⤵
        System Location Discovery: System Language Discovery
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        244⤵
        
        PID:1096
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1608285615.xml"
        245⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4132
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        244⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        245⤵
        
        PID:624
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        246⤵
        
        PID:4760
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        246⤵
        
        PID:4108
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        247⤵
        Suspicious use of SetThreadContext
        
        PID:4312
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        248⤵
        
        PID:1924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        248⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        249⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        248⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1795725482.xml"
        249⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3808
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        248⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        249⤵
        
        PID:3648
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        250⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        250⤵
        
        PID:2752
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        251⤵
        
        PID:1896
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        252⤵
        
        PID:4128
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        252⤵
        
        PID:4584
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        253⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        252⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\2088471091.xml"
        253⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4736
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        252⤵
        
        PID:2824
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        252⤵
        
        PID:3312
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        253⤵
        System Location Discovery: System Language Discovery
        
        PID:456
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        254⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        254⤵
        
        PID:3460
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        255⤵
        Checks computer location settings
        
        PID:3616
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        256⤵
        
        PID:3444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        256⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        257⤵
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        256⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\90905715.xml"
        257⤵
        
        PID:2148
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        256⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        257⤵
        Checks computer location settings
        
        PID:3724
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        258⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        258⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        259⤵
        Checks computer location settings
        
        PID:4288
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        260⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        260⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        261⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        260⤵
        
        PID:1584
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        261⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\428095740.xml"
        261⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2432
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        260⤵
        
        PID:4708
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        261⤵
        
        PID:4924
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        262⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        262⤵
        
        PID:1452
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        263⤵
        Checks computer location settings
        
        PID:1896
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        264⤵
        System Location Discovery: System Language Discovery
        
        PID:1952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        264⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        265⤵
        
        PID:4684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        264⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1116657656.xml"
        265⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        264⤵
        
        PID:3524
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        265⤵
        
        PID:2232
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        266⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        266⤵
        
        PID:3140
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        267⤵
        
        PID:3616
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        268⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        268⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        269⤵
        
        PID:4496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        268⤵
        
        PID:2864
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1805219572.xml"
        269⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:432
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        268⤵
        
        PID:2272
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        268⤵
        
        PID:4408
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        269⤵
        Checks computer location settings
        
        PID:3316
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        270⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        270⤵
        
        PID:3928
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        271⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:4788
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        272⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        272⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        273⤵
        
        PID:428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        272⤵
        
        PID:4248
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        273⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1723253560.xml"
        273⤵
        
        PID:1456
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        272⤵
        
        PID:3236
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        272⤵
        
        PID:2420
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        273⤵
        
        PID:1608
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        274⤵
        
        PID:1336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        274⤵
        
        PID:1436
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        275⤵
        
        PID:5036
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        276⤵
        
        PID:816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        276⤵
        
        PID:368
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        277⤵
        
        PID:4328
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        276⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1102643903.xml"
        277⤵
        
        PID:3516
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        276⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        277⤵
        
        PID:2068
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        278⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        278⤵
        
        PID:3176
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        279⤵
        
        PID:4048
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        279⤵
        Checks computer location settings
        
        PID:100
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        280⤵
        System Location Discovery: System Language Discovery
        
        PID:960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        280⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        281⤵
        System Location Discovery: System Language Discovery
        
        PID:4584
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        280⤵
        
        PID:2780
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        281⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1791205819.xml"
        281⤵
        
        PID:3276
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        280⤵
        
        PID:3936
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        281⤵
        Checks computer location settings
        
        PID:3872
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        282⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        282⤵
        
        PID:4668
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        283⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        283⤵
        Checks computer location settings
        
        PID:1644
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        284⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        284⤵
        
        PID:1828
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        285⤵
        
        PID:4444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        284⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1709239807.xml"
        285⤵
        
        PID:1912
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        284⤵
        
        PID:1344
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        285⤵
        Checks computer location settings
        
        PID:4868
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        286⤵
        
        PID:4508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        286⤵
        
        PID:5036
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        287⤵
        
        PID:816
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        288⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        288⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        289⤵
        
        PID:3720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        288⤵
        
        PID:2060
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\250318076.xml"
        289⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3680
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        288⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        289⤵
        
        PID:2144
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        290⤵
        
        PID:3460
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        290⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        291⤵
        
        PID:960
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        292⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        292⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        293⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        292⤵
        
        PID:3532
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\168352064.xml"
        293⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4900
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        292⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        293⤵
        
        PID:2952
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        294⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        294⤵
        System Location Discovery: System Language Discovery
        
        PID:3684
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        295⤵
        
        PID:4108
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        295⤵
        Checks computer location settings
        
        PID:3872
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        296⤵
        
        PID:3536
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        296⤵
        
        PID:3520
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        297⤵
        
        PID:368
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        297⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        296⤵
        
        PID:536
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\505542089.xml"
        297⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1100
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        296⤵
        
        PID:4196
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        297⤵
        
        PID:3008
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        298⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        298⤵
        
        PID:4800
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        299⤵
        Checks computer location settings
        
        PID:3276
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        300⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        300⤵
        
        PID:4312
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        301⤵
        
        PID:3864
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        301⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        300⤵
        
        PID:3316
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        301⤵
        
        PID:3312
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\999741318.xml"
        301⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        300⤵
        
        PID:400
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        301⤵
        
        PID:4404
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        302⤵
        
        PID:3300
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        302⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        303⤵
        
        PID:4288
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        304⤵
        
        PID:452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        304⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        305⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        304⤵
        
        PID:2712
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        305⤵
        
        PID:3104
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\955296902.xml"
        305⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3684
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        304⤵
        
        PID:1780
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        305⤵
        
        PID:4512
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        306⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        306⤵
        
        PID:3356
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        307⤵
        
        PID:2240
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        308⤵
        
        PID:812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        308⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        309⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        308⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1906173764.xml"
        309⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4520
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        308⤵
        
        PID:3724
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        308⤵
        
        PID:4828
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        309⤵
        Checks computer location settings
        
        PID:3308
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        310⤵
        
        PID:4924
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        310⤵
        
        PID:1164
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        311⤵
        
        PID:2068
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        312⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        312⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        313⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        312⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1390869849.xml"
        313⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4732
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        312⤵
        
        PID:2392
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        313⤵
        
        PID:2156
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        314⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        314⤵
        
        PID:4056
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        315⤵
        
        PID:3836
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        316⤵
        
        PID:880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        316⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        317⤵
        
        PID:5028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        316⤵
        
        PID:1196
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\732906709.xml"
        317⤵
        
        PID:4320
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        316⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        317⤵
        
        PID:4196
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        318⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        318⤵
        
        PID:2020
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        319⤵
        
        PID:4520
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        319⤵
        
        PID:5000
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        320⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        320⤵
        
        PID:412
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        321⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        321⤵
        
        PID:428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        320⤵
        
        PID:3864
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        321⤵
        
        PID:1620
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\494099606.xml"
        321⤵
        
        PID:4248
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        320⤵
        
        PID:4348
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        321⤵
        
        PID:3452
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        322⤵
        
        PID:3236
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        322⤵
        
        PID:1896
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        323⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        323⤵
        
        PID:716
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        324⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        324⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        325⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        324⤵
        
        PID:3516
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        325⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\360598245.xml"
        325⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2208
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        324⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        325⤵
        
        PID:1644
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        326⤵
        
        PID:3952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        326⤵
        
        PID:2820
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        327⤵
        
        PID:1196
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        327⤵
        System Location Discovery: System Language Discovery
        
        PID:1528
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        328⤵
        
        PID:4824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        328⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        329⤵
        
        PID:3808
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        328⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1004715745.xml"
        329⤵
        
        PID:1824
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        328⤵
        
        PID:3612
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        328⤵
        
        PID:2020
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        328⤵
        
        PID:1584
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        328⤵
        
        PID:3812
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        328⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        329⤵
        
        PID:3460
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        330⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        330⤵
        
        PID:3708
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        331⤵
        
        PID:3724
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        331⤵
        
        PID:812
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        332⤵
        
        PID:4276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        332⤵
        
        PID:3244
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        333⤵
        
        PID:4788
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        332⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1416948962.xml"
        333⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2320
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        332⤵
        
        PID:3180
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        333⤵
        
        PID:3512
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        334⤵
        
        PID:3172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        334⤵
        
        PID:2676
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        335⤵
        
        PID:4944
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        335⤵
        
        PID:2164
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        336⤵
        
        PID:3896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        336⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        337⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        336⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\833860901.xml"
        337⤵
        
        PID:3328
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        336⤵
        System Location Discovery: System Language Discovery
        
        PID:5100
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        337⤵
        Checks computer location settings
        
        PID:3944
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        338⤵
        
        PID:2916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        338⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        339⤵
        
        PID:1920
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        340⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        340⤵
        
        PID:552
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        341⤵
        
        PID:3436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        340⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\131285232.xml"
        341⤵
        
        PID:1040
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        340⤵
        
        PID:3648
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        340⤵
        
        PID:2456
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        341⤵
        Checks computer location settings
        
        PID:4756
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        342⤵
        
        PID:4464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        342⤵
        System Location Discovery: System Language Discovery
        
        PID:3008
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        343⤵
        
        PID:3024
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        344⤵
        
        PID:3180
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        344⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        345⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        344⤵
        
        PID:4108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        345⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1740293347.xml"
        345⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        344⤵
        System Location Discovery: System Language Discovery
        
        PID:3264
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        345⤵
        
        PID:1176
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        346⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        346⤵
        
        PID:4832
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        347⤵
        
        PID:3328
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        347⤵
        System Location Discovery: System Language Discovery
        
        PID:3504
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        348⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        348⤵
        
        PID:3820
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        349⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        348⤵
        System Location Discovery: System Language Discovery
        
        PID:2780
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\499074033.xml"
        349⤵
        
        PID:2592
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        348⤵
        
        PID:4332
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        349⤵
        
        PID:2148
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        350⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        350⤵
        
        PID:3700
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        351⤵
        
        PID:3144
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        352⤵
        
        PID:4828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        352⤵
        
        PID:2144
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        353⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        352⤵
        
        PID:4692
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        353⤵
        
        PID:3708
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\679422967.xml"
        353⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1164
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        352⤵
        
        PID:2228
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        353⤵
        
        PID:3308
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        354⤵
        
        PID:3752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        354⤵
        
        PID:2860
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        355⤵
        
        PID:4052
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        356⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        356⤵
        
        PID:2208
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        357⤵
        
        PID:464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        356⤵
        
        PID:456
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1592778233.xml"
        357⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3488
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        356⤵
        
        PID:368
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        356⤵
        
        PID:2952
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        356⤵
        
        PID:3792
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        356⤵
        
        PID:1104
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        357⤵
        Checks computer location settings
        
        PID:2908
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        358⤵
        
        PID:4800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        358⤵
        
        PID:3176
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        359⤵
        
        PID:2660
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        360⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        360⤵
        System Location Discovery: System Language Discovery
        
        PID:3140
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        361⤵
        
        PID:4012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        360⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\2124499058.xml"
        361⤵
        
        PID:4372
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        360⤵
        
        PID:2920
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        360⤵
        
        PID:4600
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        361⤵
        
        PID:4532
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        362⤵
        
        PID:3472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        362⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        363⤵
        Checks computer location settings
        
        PID:3676
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        364⤵
        System Location Discovery: System Language Discovery
        
        PID:3144
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        364⤵
        
        PID:2532
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        365⤵
        System Location Discovery: System Language Discovery
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        364⤵
        System Location Discovery: System Language Discovery
        
        PID:1412
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\890370677.xml"
        365⤵
        
        PID:3596
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        364⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        365⤵
        
        PID:2068
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        366⤵
        System Location Discovery: System Language Discovery
        
        PID:4104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        366⤵
        
        PID:4356
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        367⤵
        
        PID:4708
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        368⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        368⤵
        
        PID:60
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        369⤵
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        368⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\523254.xml"
        369⤵
        
        PID:2428
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        368⤵
        
        PID:3808
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        369⤵
        Checks computer location settings
        
        PID:4688
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        370⤵
        
        PID:3736
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        370⤵
        System Location Discovery: System Language Discovery
        
        PID:4768
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        371⤵
        
        PID:2436
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        372⤵
        
        PID:1388
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        372⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        373⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        372⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\68475513.xml"
        373⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1920
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        372⤵
        
        PID:760
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        373⤵
        
        PID:1400
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        374⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        374⤵
        System Location Discovery: System Language Discovery
        
        PID:1884
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        375⤵
        Checks computer location settings
        
        PID:5068
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        376⤵
        
        PID:3676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        376⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        377⤵
        
        PID:4360

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe 9c6c9fec8b0d9054439cd097646c9d69 Tw1AS01FMkSSem91407m/A.0.1.0.0.0
1⤵
PID:2420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k netsvcs -p -s UsoSvc
1⤵
PID:540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Email Collection

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\coded.exe

Filesize
413KB

MD5
6f4527c944a09f03e5305f5703289da2

SHA1
08c05780d832707e88b3b37290d80f3d00e74157

SHA256
2070b034b0fad170c6d7b07f0ea417bd975cc97a74269cdebff9fb17b0843326

SHA512
d61aa7d56ee8989c86c201461cf6729efb87ca84cc1d31ea2928f50229ab621df0d7e0d21b14ef9a97185c7a225b9dccb983a3a72c035cee58c11e41740a0f2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\coded.exe.log

Filesize
774B

MD5
049b2c7e274ebb68f3ada1961c982a22

SHA1
796b9f03c8cd94617ea26aaf861af9fb2a5731db

SHA256
5c69c41dceda1bb32d4054d6b483bb3e3af84c8cf0a6191c79068168a1d506b3

SHA512
fb2ee642e1401772d514e86b0b8dd117659335066242e85c158b40e8912572f2bd7b9a0f63f9b9f4d7a2e051579345215f6b1f147881f3d1e78f335c45d78ebf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\App.exe.log

Filesize
418B

MD5
2f51ee33b74ab710e289b65a7b580c9b

SHA1
031f919473e89c4a463360c7a898fda986836470

SHA256
bdb480893a7d1acc95b67f49dd12a0c1f69b75d1908536d0cc1350ebfbb5cc58

SHA512
927bd82da2cc751b6b2c97efc33019b8977f2d78d467b363cf609e27a3ac8986e0b4c3b4d025be9fe87f50db51285b115b97ae7d0ae642daae2910d44ad9ec5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\1392947579.xml

Filesize
1KB

MD5
6a65257cf4513585ac0d3d2fe3f0f012

SHA1
99b38d197c60075e5311944c04c2d45197a63e55

SHA256
782ea635c06ed294a4cef4d7840ba860a08aa459bbdd396926aef94cc08c57eb

SHA512
dbdbcc84ea170a88ba2a320c72f05009421c61f0104307bc3a012f32f9e2b14a5eb62b3cb9d897ae2d0d7b38cdfc065038675d0882d3b2614dfbdc21a9c76ea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

Filesize
24B

MD5
717d227537a0be6a697f3badec5895c8

SHA1
8df80636d0a80d54ac950df4eae550c12bcfd82f

SHA256
0b4d17c6136ea4248f345cd61e0cb19908ee1a519959385151cc10043f7957d1

SHA512
5ae0a10530bb7dc828eb41ef8e50974426fb5fb2af9112804d15b8f31b0941579b934dbac5ebce01aeaacc48dbcac4378cd1d865c47ecbdf34631e6cb86fc73e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Update.txt

Filesize
48B

MD5
d7fe3f3fd6d7fc891a51fb1ef6014e0e

SHA1
70513c15819eb9ee9a78184717e82fb35827a019

SHA256
542fb9c0cad223be6decd0ed02789288029cf793d60bce350df537fadfd53358

SHA512
f44035ea6da2f26552e47be1b5eb667ead26bf15b74012e1b7943d71c55e358846fe176bfdfa56a266411457ba11e0f25fc4381eef49d80dc21dc52fc8aab50d

Download Submit
C:\Users\Admin\AppData\Roaming\App.exe

Filesize
705KB

MD5
c515a556d7cc1fb7a476fb0fb1aadaaa

SHA1
c5690d2abee36e06c2c40dceba693bc7eeeda7be

SHA256
4ba67a000526a4abcf098ab1671fae28996f0db56a67bdeb36d2ef653e34c35b

SHA512
ceb6047816345ad1767698982d448d48accc1e9b22f0fb7ca9c9233444523531b9ef672041dc73ce6a6b6f22fd7263ca882d6fb19288d0dd726cb7c0eb94a1a2

Download Submit
memory/440-246-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/440-245-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/456-134-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/884-274-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/884-271-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/884-272-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2220-25-0x00000000749AE000-0x00000000749AF000-memory.dmp

Filesize
4KB

Download
memory/2220-28-0x0000000005210000-0x0000000005220000-memory.dmp

Filesize
64KB

Download
memory/2636-36-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2636-38-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/2636-39-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3092-554-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3092-553-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/3536-5-0x00000000054A0000-0x000000000551A000-memory.dmp

Filesize
488KB

Download
memory/3536-1-0x0000000000700000-0x00000000007B6000-memory.dmp

Filesize
728KB

Download
memory/3536-4-0x0000000005400000-0x000000000549C000-memory.dmp

Filesize
624KB

Download
memory/3536-3-0x00000000749A0000-0x0000000075150000-memory.dmp

Filesize
7.7MB

Download
memory/3536-6-0x0000000005790000-0x0000000005828000-memory.dmp

Filesize
608KB

Download
memory/3536-27-0x00000000749A0000-0x0000000075150000-memory.dmp

Filesize
7.7MB

Download
memory/3536-0-0x00000000749AE000-0x00000000749AF000-memory.dmp

Filesize
4KB

Download
memory/3536-2-0x00000000058B0000-0x0000000005E54000-memory.dmp

Filesize
5.6MB

Download
memory/3648-24-0x0000000071130000-0x00000000716E1000-memory.dmp

Filesize
5.7MB

Download
memory/3648-56-0x0000000071130000-0x00000000716E1000-memory.dmp

Filesize
5.7MB

Download
memory/3648-26-0x0000000071132000-0x0000000071134000-memory.dmp

Filesize
8KB

Download
memory/3648-19-0x0000000071132000-0x0000000071133000-memory.dmp

Filesize
4KB

Download
memory/4040-534-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4040-533-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4040-550-0x0000000000460000-0x0000000000529000-memory.dmp

Filesize
804KB

Download
memory/4040-551-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4368-211-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4368-212-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4988-94-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4988-95-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5072-581-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download