netwire | 032f82ee87063844044f26e9c171170ee56b5e480a26402371018512fb92ff6a

Analysis

max time kernel
150s
max time network
138s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-09-2024 23:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d73e7f87a3a95e0f16337c29a6546efa_JaffaCakes118.exe
Size

204KB
MD5

d73e7f87a3a95e0f16337c29a6546efa
SHA1

753398b57ac5a470d4c2573e1b51cb3ed783e834
SHA256

032f82ee87063844044f26e9c171170ee56b5e480a26402371018512fb92ff6a
SHA512

e966fcfc3fb032e6b602f5bfcbc5842a9c88a8427096f9902e2ec12d08f30c851104c10f10824b084a1e18cf6e9e44114d5f3fd1f688a3d8db6e805976ed4b25
SSDEEP

3072:IxuGg5NaeP3qQKvVpXNdXpstoSjvdQXsAs1XMTsx+7llitfMA6Nbrk42o/O:IsXagIVpXNUtoyHVMlmdt6Nfk42o/O

Score

10^/10

netwire botnet discovery persistence rat stealer

Malware Config

Extracted

Family

netwire

185.125.205.77:39560

Attributes

activex_autorun
true
activex_key
{51ER3LW3-6YXE-YD6F-5ROI-AF1JX466T30G}
copy_executable
true
delete_original
false
host_id
sunshineslisa
install_path
%AppData%\Imgburn\Svchost.exe
keylogger_dir
%AppData%\Logs\Imgburn\
lock_executable
false
mutex
BdenlrBn
offline_keylogger
true
password
sucess
registry_autorun
true
startup_name
NetWire
use_mutex
true

Signatures

NetWire RAT payload 8 IoCs

rat

resource	yara_rule
behavioral1/memory/2256-14-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2256-18-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2256-16-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2256-25-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2256-23-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/2256-21-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1840-72-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral1/memory/1840-71-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51ER3LW3-6YXE-YD6F-5ROI-AF1JX466T30G}	Svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{51ER3LW3-6YXE-YD6F-5ROI-AF1JX466T30G}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Imgburn\\Svchost.exe\""	Svchost.exe

Executes dropped EXE 45 IoCs

pid	Process
2256	javaupdates.exe
2992	Svchost.exe
2660	javaupdates.exe
1840	Svchost.exe
1920	javaupdates.exe
1152	javaupdates.exe
988	javaupdates.exe
2244	javaupdates.exe
1132	javaupdates.exe
1636	javaupdates.exe
2148	javaupdates.exe
1476	javaupdates.exe
2360	javaupdates.exe
1856	javaupdates.exe
336	javaupdates.exe
2204	javaupdates.exe
2128	javaupdates.exe
2728	javaupdates.exe
2844	javaupdates.exe
2704	javaupdates.exe
2888	javaupdates.exe
2176	javaupdates.exe
2160	javaupdates.exe
2696	javaupdates.exe
476	javaupdates.exe
2404	javaupdates.exe
1056	javaupdates.exe
2560	javaupdates.exe
1812	javaupdates.exe
1772	javaupdates.exe
336	javaupdates.exe
2172	javaupdates.exe
2240	javaupdates.exe
1996	javaupdates.exe
2348	javaupdates.exe
1304	javaupdates.exe
892	javaupdates.exe
2724	javaupdates.exe
2844	javaupdates.exe
2500	javaupdates.exe
2888	javaupdates.exe
2224	javaupdates.exe
2324	javaupdates.exe
996	javaupdates.exe
2912	javaupdates.exe

Loads dropped DLL 9 IoCs

pid	Process
2256	javaupdates.exe
2256	javaupdates.exe
2992	Svchost.exe
2992	Svchost.exe
2992	Svchost.exe
2992	Svchost.exe
1840	Svchost.exe
1840	Svchost.exe
1840	Svchost.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Roaming\\Imgburn\\Svchost.exe"	Svchost.exe

Suspicious use of SetThreadContext 20 IoCs

description	pid	Process	procid_target
PID 2380 set thread context of 2256	2380	javaupdates.exe	40
PID 2992 set thread context of 1840	2992	Svchost.exe	57
PID 2660 set thread context of 1152	2660	javaupdates.exe	59
PID 988 set thread context of 2244	988	javaupdates.exe	109
PID 1132 set thread context of 1636	1132	javaupdates.exe	165
PID 2148 set thread context of 1476	2148	javaupdates.exe	221
PID 2360 set thread context of 1856	2360	javaupdates.exe	277
PID 336 set thread context of 2204	336	javaupdates.exe	333
PID 2128 set thread context of 2728	2128	javaupdates.exe	389
PID 2844 set thread context of 2704	2844	javaupdates.exe	445
PID 2888 set thread context of 2176	2888	javaupdates.exe	501
PID 2160 set thread context of 2696	2160	javaupdates.exe	558
PID 476 set thread context of 2404	476	javaupdates.exe	614
PID 1056 set thread context of 2560	1056	javaupdates.exe	670
PID 1812 set thread context of 1772	1812	javaupdates.exe	726
PID 336 set thread context of 2240	336	javaupdates.exe	783
PID 1996 set thread context of 892	1996	javaupdates.exe	841
PID 2724 set thread context of 2844	2724	javaupdates.exe	897
PID 2500 set thread context of 2224	2500	javaupdates.exe	954
PID 2324 set thread context of 2912	2324	javaupdates.exe	1011

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaupdates.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaupdates.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaupdates.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
1772	schtasks.exe
2928	schtasks.exe
768	schtasks.exe
2376	schtasks.exe
1960	schtasks.exe
2976	schtasks.exe
1856	schtasks.exe
2476	schtasks.exe
1552	schtasks.exe
3052	schtasks.exe
2772	schtasks.exe
2736	schtasks.exe
2236	schtasks.exe
2620	schtasks.exe
1344	schtasks.exe
2728	schtasks.exe
2108	schtasks.exe
2272	schtasks.exe
320	schtasks.exe
2860	schtasks.exe
1984	schtasks.exe
1416	schtasks.exe
2496	schtasks.exe
2364	schtasks.exe
308	schtasks.exe
2912	schtasks.exe
792	schtasks.exe
1028	schtasks.exe
1216	schtasks.exe
692	schtasks.exe
2592	schtasks.exe
2988	schtasks.exe
3060	schtasks.exe
3032	schtasks.exe
1012	schtasks.exe
2760	schtasks.exe
1212	schtasks.exe
2160	schtasks.exe
1392	schtasks.exe
2492	schtasks.exe
832	schtasks.exe
1804	schtasks.exe
1704	schtasks.exe
1940	schtasks.exe
2868	schtasks.exe
1364	schtasks.exe
1980	schtasks.exe
2864	schtasks.exe
944	schtasks.exe
1364	schtasks.exe
1724	schtasks.exe
588	schtasks.exe
2400	schtasks.exe
2676	schtasks.exe
1052	schtasks.exe
2556	schtasks.exe
1984	schtasks.exe
540	schtasks.exe
2164	schtasks.exe
1152	schtasks.exe
2288	schtasks.exe
2364	schtasks.exe
1564	schtasks.exe
2472	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2380	javaupdates.exe
2380	javaupdates.exe
2380	javaupdates.exe
2992	Svchost.exe
2660	javaupdates.exe
2992	Svchost.exe
2660	javaupdates.exe
2992	Svchost.exe
2660	javaupdates.exe
2992	Svchost.exe
2660	javaupdates.exe
2992	Svchost.exe
2660	javaupdates.exe
2992	Svchost.exe
2660	javaupdates.exe
2992	Svchost.exe
2660	javaupdates.exe
2992	Svchost.exe
2660	javaupdates.exe
2992	Svchost.exe
2660	javaupdates.exe
2992	Svchost.exe
2660	javaupdates.exe
2992	Svchost.exe
2660	javaupdates.exe
2992	Svchost.exe
2660	javaupdates.exe
2992	Svchost.exe
2660	javaupdates.exe
2992	Svchost.exe
2660	javaupdates.exe
2992	Svchost.exe
2660	javaupdates.exe
2992	Svchost.exe
2660	javaupdates.exe
2992	Svchost.exe
2660	javaupdates.exe
2992	Svchost.exe
2660	javaupdates.exe
2992	Svchost.exe
2660	javaupdates.exe
2992	Svchost.exe
2660	javaupdates.exe
2992	Svchost.exe
2660	javaupdates.exe
2992	Svchost.exe
2660	javaupdates.exe
2992	Svchost.exe
2660	javaupdates.exe
2992	Svchost.exe
2660	javaupdates.exe
2992	Svchost.exe
2660	javaupdates.exe
2992	Svchost.exe
2660	javaupdates.exe
2992	Svchost.exe
2660	javaupdates.exe
2992	Svchost.exe
2660	javaupdates.exe
2992	Svchost.exe
2660	javaupdates.exe
2992	Svchost.exe
2660	javaupdates.exe
2992	Svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1728	d73e7f87a3a95e0f16337c29a6546efa_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 21 IoCs

description	pid	Process
Token: SeDebugPrivilege	1728	d73e7f87a3a95e0f16337c29a6546efa_JaffaCakes118.exe
Token: SeDebugPrivilege	2380	javaupdates.exe
Token: SeDebugPrivilege	2992	Svchost.exe
Token: SeDebugPrivilege	2660	javaupdates.exe
Token: SeDebugPrivilege	988	javaupdates.exe
Token: SeDebugPrivilege	1132	javaupdates.exe
Token: SeDebugPrivilege	2148	javaupdates.exe
Token: SeDebugPrivilege	2360	javaupdates.exe
Token: SeDebugPrivilege	336	javaupdates.exe
Token: SeDebugPrivilege	2128	javaupdates.exe
Token: SeDebugPrivilege	2844	javaupdates.exe
Token: SeDebugPrivilege	2888	javaupdates.exe
Token: SeDebugPrivilege	2160	javaupdates.exe
Token: SeDebugPrivilege	476	javaupdates.exe
Token: SeDebugPrivilege	1056	javaupdates.exe
Token: SeDebugPrivilege	1812	javaupdates.exe
Token: SeDebugPrivilege	336	javaupdates.exe
Token: SeDebugPrivilege	1996	javaupdates.exe
Token: SeDebugPrivilege	2724	javaupdates.exe
Token: SeDebugPrivilege	2500	javaupdates.exe
Token: SeDebugPrivilege	2324	javaupdates.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1728 wrote to memory of 2300	1728	d73e7f87a3a95e0f16337c29a6546efa_JaffaCakes118.exe	31
PID 1728 wrote to memory of 2300	1728	d73e7f87a3a95e0f16337c29a6546efa_JaffaCakes118.exe	31
PID 1728 wrote to memory of 2300	1728	d73e7f87a3a95e0f16337c29a6546efa_JaffaCakes118.exe	31
PID 1728 wrote to memory of 2300	1728	d73e7f87a3a95e0f16337c29a6546efa_JaffaCakes118.exe	31
PID 2300 wrote to memory of 2380	2300	cmd.exe	33
PID 2300 wrote to memory of 2380	2300	cmd.exe	33
PID 2300 wrote to memory of 2380	2300	cmd.exe	33
PID 2300 wrote to memory of 2380	2300	cmd.exe	33
PID 2300 wrote to memory of 2380	2300	cmd.exe	33
PID 2300 wrote to memory of 2380	2300	cmd.exe	33
PID 2300 wrote to memory of 2380	2300	cmd.exe	33
PID 2380 wrote to memory of 1972	2380	javaupdates.exe	34
PID 2380 wrote to memory of 1972	2380	javaupdates.exe	34
PID 2380 wrote to memory of 1972	2380	javaupdates.exe	34
PID 2380 wrote to memory of 1972	2380	javaupdates.exe	34
PID 2380 wrote to memory of 1972	2380	javaupdates.exe	34
PID 2380 wrote to memory of 1972	2380	javaupdates.exe	34
PID 2380 wrote to memory of 1972	2380	javaupdates.exe	34
PID 1972 wrote to memory of 2216	1972	cmd.exe	36
PID 1972 wrote to memory of 2216	1972	cmd.exe	36
PID 1972 wrote to memory of 2216	1972	cmd.exe	36
PID 1972 wrote to memory of 2216	1972	cmd.exe	36
PID 1972 wrote to memory of 2216	1972	cmd.exe	36
PID 1972 wrote to memory of 2216	1972	cmd.exe	36
PID 1972 wrote to memory of 2216	1972	cmd.exe	36
PID 2380 wrote to memory of 2980	2380	javaupdates.exe	37
PID 2380 wrote to memory of 2980	2380	javaupdates.exe	37
PID 2380 wrote to memory of 2980	2380	javaupdates.exe	37
PID 2380 wrote to memory of 2980	2380	javaupdates.exe	37
PID 2380 wrote to memory of 2980	2380	javaupdates.exe	37
PID 2380 wrote to memory of 2980	2380	javaupdates.exe	37
PID 2380 wrote to memory of 2980	2380	javaupdates.exe	37
PID 2980 wrote to memory of 768	2980	cmd.exe	39
PID 2980 wrote to memory of 768	2980	cmd.exe	39
PID 2980 wrote to memory of 768	2980	cmd.exe	39
PID 2980 wrote to memory of 768	2980	cmd.exe	39
PID 2980 wrote to memory of 768	2980	cmd.exe	39
PID 2980 wrote to memory of 768	2980	cmd.exe	39
PID 2980 wrote to memory of 768	2980	cmd.exe	39
PID 2380 wrote to memory of 2256	2380	javaupdates.exe	40
PID 2380 wrote to memory of 2256	2380	javaupdates.exe	40
PID 2380 wrote to memory of 2256	2380	javaupdates.exe	40
PID 2380 wrote to memory of 2256	2380	javaupdates.exe	40
PID 2380 wrote to memory of 2256	2380	javaupdates.exe	40
PID 2380 wrote to memory of 2256	2380	javaupdates.exe	40
PID 2380 wrote to memory of 2256	2380	javaupdates.exe	40
PID 2380 wrote to memory of 2256	2380	javaupdates.exe	40
PID 2380 wrote to memory of 2256	2380	javaupdates.exe	40
PID 2380 wrote to memory of 2256	2380	javaupdates.exe	40
PID 2380 wrote to memory of 2256	2380	javaupdates.exe	40
PID 2380 wrote to memory of 2256	2380	javaupdates.exe	40
PID 2380 wrote to memory of 2256	2380	javaupdates.exe	40
PID 2380 wrote to memory of 2256	2380	javaupdates.exe	40
PID 2256 wrote to memory of 2992	2256	javaupdates.exe	41
PID 2256 wrote to memory of 2992	2256	javaupdates.exe	41
PID 2256 wrote to memory of 2992	2256	javaupdates.exe	41
PID 2256 wrote to memory of 2992	2256	javaupdates.exe	41
PID 2256 wrote to memory of 2992	2256	javaupdates.exe	41
PID 2256 wrote to memory of 2992	2256	javaupdates.exe	41
PID 2256 wrote to memory of 2992	2256	javaupdates.exe	41
PID 2380 wrote to memory of 2788	2380	javaupdates.exe	42
PID 2380 wrote to memory of 2788	2380	javaupdates.exe	42
PID 2380 wrote to memory of 2788	2380	javaupdates.exe	42
PID 2380 wrote to memory of 2788	2380	javaupdates.exe	42

C:\Users\Admin\AppData\Local\Temp\d73e7f87a3a95e0f16337c29a6546efa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d73e7f87a3a95e0f16337c29a6546efa_JaffaCakes118.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1728
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2300
- - C:\Users\Admin\AppData\Roaming\javaupdates.exe
    "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
    3⤵
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2380
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1972
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        5⤵
        
        PID:2216
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2980
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1469272742.xml"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:768
  - - C:\Users\Admin\AppData\Roaming\javaupdates.exe
      "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of WriteProcessMemory
      PID:2256
    - - C:\Users\Admin\AppData\Roaming\Imgburn\Svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Imgburn\Svchost.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2992
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2636
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:2736
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\916447231.xml"
        7⤵
        
        PID:1704
      - C:\Users\Admin\AppData\Roaming\Imgburn\Svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Imgburn\Svchost.exe"
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        
        PID:1840
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1344
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:2868
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2448
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1672793293.xml"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2496
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1796
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:2824
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:824
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\246201043.xml"
        7⤵
        
        PID:944
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:920
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:2360
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1147273261.xml"
        7⤵
        
        PID:1536
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:580
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\678480693.xml"
        7⤵
        
        PID:1664
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2764
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:2928
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\921421658.xml"
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2160
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:2396
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\452629090.xml"
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:320
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1708
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:548
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\2131320169.xml"
        7⤵
        
        PID:1692
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:2456
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1662527601.xml"
        7⤵
        
        PID:2464
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:2544
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1612891070.xml"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2288
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:2728
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\22198683.xml"
        7⤵
        
        PID:2128
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:2000
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:696
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\323934043.xml"
        7⤵
        
        PID:1968
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:2932
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2928
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\2002625122.xml"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2988
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:1628
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1516
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\763304626.xml"
        7⤵
        
        PID:1692
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:1424
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1671467777.xml"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2472
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:988
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:2448
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1202675209.xml"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:692
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:900
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:408
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:608
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\314726604.xml"
        7⤵
        
        PID:940
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:1604
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\871517864.xml"
        7⤵
        
        PID:3048
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:1664
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\754097187.xml"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2772
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:564
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:552
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\2081416375.xml"
        7⤵
        
        PID:2652
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:1992
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\842095879.xml"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1704
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2792
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:2452
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1143831239.xml"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1724
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:1612
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:944
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1700622499.xml"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1828
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2072
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:1788
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:872
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1231829931.xml"
        7⤵
        
        PID:2208
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:1660
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1533565291.xml"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1152
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:2744
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\294244795.xml"
        7⤵
        
        PID:2092
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:804
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:2592
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1972935874.xml"
        7⤵
        
        PID:2692
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1784
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:532
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\2110571097.xml"
        7⤵
        
        PID:2424
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2480
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:1236
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1996
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\871250601.xml"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2868
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1052
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:2436
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1936
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\753829924.xml"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1364
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:2260
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1661993075.xml"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1012
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2636
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1976
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:336
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1193200507.xml"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1980
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:2720
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\724407939.xml"
        7⤵
        
        PID:2924
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2804
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2004
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\2051727127.xml"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1536
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1952
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:1516
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2044
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1582934559.xml"
        7⤵
        
        PID:2264
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2348
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:1044
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1114141991.xml"
        7⤵
        
        PID:2232
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:1796
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1008
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\2022305142.xml"
        7⤵
        
        PID:2468
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1312
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:752
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\782984646.xml"
        7⤵
        
        PID:1816
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:3020
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\2042519688.xml"
        7⤵
        
        PID:2948
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2924
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:2056
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\451827301.xml"
        7⤵
        
        PID:2704
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2912
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:552
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\2130518380.xml"
        7⤵
        
        PID:996
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:792
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:1640
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1308
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1661725812.xml"
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1212
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:1304
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\422405316.xml"
        7⤵
        
        PID:1940
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1828
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:2268
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:696
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1330568467.xml"
        7⤵
        
        PID:856
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:972
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2544
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\442619862.xml"
        7⤵
        
        PID:3008
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:3020
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:3040
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1702154904.xml"
        7⤵
        
        PID:1688
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:2844
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1472
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1233362336.xml"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2108
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:904
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:2692
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1656
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\2141525487.xml"
        7⤵
        
        PID:2072
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1532
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:3016
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1672732919.xml"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2364
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:1644
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\433412423.xml"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1344
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2880
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:1956
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1341575574.xml"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1364
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2292
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:408
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1592
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\102255078.xml"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1984
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:2408
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1010418229.xml"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1416
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2324
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:1132
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\892997552.xml"
        7⤵
        
        PID:2108
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:552
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:996
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2696
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1449788812.xml"
        7⤵
        
        PID:2692
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1536
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:1704
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1332368135.xml"
        7⤵
        
        PID:2664
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2564
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:2024
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2044
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\93047639.xml"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1720
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:2296
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\230682862.xml"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2476
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2272
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1592
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\113262185.xml"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:476
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2660
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:1756
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1021425336.xml"
        7⤵
        
        PID:2424
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:540
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:3020
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1929588487.xml"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3052
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:608
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:2696
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1041639882.xml"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2928
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:1704
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1949803033.xml"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1392
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:2564
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1481010465.xml"
        7⤵
        
        PID:2188
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:1580
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:664
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\241689969.xml"
        7⤵
        
        PID:1644
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:1616
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:476
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1149853120.xml"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1216
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:308
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:2660
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2404
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\681060552.xml"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1564
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:1696
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2300
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1940595594.xml"
        7⤵
        
        PID:1792
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:2308
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:772
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\2078230817.xml"
        7⤵
        
        PID:2812
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:912
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:2680
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\838910321.xml"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2556
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:2788
  - - C:\Users\Admin\AppData\Roaming\javaupdates.exe
      "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2660
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2404
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        6⤵
        
        PID:1492
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1668
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1679884226.xml"
        6⤵
        
        PID:852
    - - C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        5⤵
        Executes dropped EXE
        
        PID:1920
    - - C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        5⤵
        Executes dropped EXE
        
        PID:1152
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2712
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        6⤵
        
        PID:2460
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2852
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\295837574.xml"
        6⤵
        
        PID:2412
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1828
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        6⤵
        
        PID:1052
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:940
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\503323874.xml"
        6⤵
        
        PID:860
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:676
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        6⤵
        
        PID:1984
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2144
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\805059234.xml"
        6⤵
        
        PID:1760
    - - C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:988
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2088
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:1600
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:976
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1062182065.xml"
        7⤵
        
        PID:2228
      - C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        6⤵
        Executes dropped EXE
        
        PID:2244
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:588
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:2296
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:564
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\404050812.xml"
        7⤵
        
        PID:2756
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:804
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:2940
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\705786172.xml"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2592
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1320
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:852
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1613949323.xml"
        7⤵
        
        PID:1668
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1948
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:324
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\248050286.xml"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2864
      - C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        6⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1132
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        7⤵
        
        PID:2412
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        8⤵
        
        PID:664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        7⤵
        
        PID:2500
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\212595621.xml"
        8⤵
        
        PID:1612
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        7⤵
        Executes dropped EXE
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        7⤵
        
        PID:940
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        8⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        7⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\324992296.xml"
        8⤵
        
        PID:920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        7⤵
        
        PID:2260
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        7⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1652311484.xml"
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1984
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        7⤵
        
        PID:1596
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        8⤵
        
        PID:1792
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        7⤵
        
        PID:2392
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1183518916.xml"
        8⤵
        
        PID:1696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2108
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        8⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        7⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\2091682067.xml"
        8⤵
        
        PID:2740
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2148
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        8⤵
        
        PID:2640
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        9⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        8⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1323221070.xml"
        9⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        8⤵
        Executes dropped EXE
        
        PID:1476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        8⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1744
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        8⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1435617745.xml"
        9⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1416
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        9⤵
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        8⤵
        
        PID:1428
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1992409005.xml"
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        8⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        9⤵
        
        PID:2820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        8⤵
        
        PID:1644
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1523616437.xml"
        9⤵
        
        PID:2244
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        8⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        9⤵
        
        PID:824
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        8⤵
        
        PID:2272
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1054823869.xml"
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:832
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        8⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2360
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        9⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        10⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        9⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\473634626.xml"
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1804
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        9⤵
        Executes dropped EXE
        
        PID:1856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:3068
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        10⤵
        
        PID:2680
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        9⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1005187338.xml"
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        9⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        10⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        9⤵
        
        PID:3056
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\536394770.xml"
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        9⤵
        
        PID:2944
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        10⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        9⤵
        
        PID:2656
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1444557921.xml"
        10⤵
        
        PID:904
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        9⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        10⤵
        
        PID:2752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        9⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\975765353.xml"
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3060
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        9⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        10⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        11⤵
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        10⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\813732147.xml"
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2736
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        10⤵
        Executes dropped EXE
        
        PID:2204
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        10⤵
        
        PID:772
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        11⤵
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        10⤵
        
        PID:2472
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\155600894.xml"
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        10⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        11⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        10⤵
        
        PID:692
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\105964363.xml"
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        10⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        11⤵
        
        PID:492
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        10⤵
        
        PID:408
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\2136027333.xml"
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        10⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        11⤵
        
        PID:3008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        10⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\896706837.xml"
        11⤵
        
        PID:2144
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        10⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1600
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        11⤵
        
        PID:540
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\2111629350.xml"
        12⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3032
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        11⤵
        Executes dropped EXE
        
        PID:2728
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        11⤵
        
        PID:2976
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        12⤵
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        11⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\76542378.xml"
        12⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        11⤵
        
        PID:1164
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        12⤵
        
        PID:996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        11⤵
        
        PID:564
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\378277738.xml"
        12⤵
        
        PID:904
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        11⤵
        
        PID:2388
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        12⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        11⤵
        
        PID:1744
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\515912961.xml"
        12⤵
        
        PID:1704
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        11⤵
        System Location Discovery: System Language Discovery
        
        PID:1508
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        12⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        11⤵
        
        PID:864
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1424076112.xml"
        12⤵
        
        PID:2200
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        11⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        12⤵
        
        PID:2968
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        13⤵
        
        PID:2504
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        12⤵
        
        PID:448
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\655615115.xml"
        13⤵
        
        PID:1428
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        12⤵
        Executes dropped EXE
        
        PID:2704
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        12⤵
        
        PID:1084
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        12⤵
        
        PID:936
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\2144967509.xml"
        13⤵
        
        PID:1612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        12⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        13⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        12⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1324803050.xml"
        13⤵
        
        PID:872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        12⤵
        
        PID:884
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        13⤵
        
        PID:3068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        12⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\856010482.xml"
        13⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        12⤵
        
        PID:2240
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        13⤵
        
        PID:976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        12⤵
        
        PID:1484
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\738589805.xml"
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2376
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        12⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        13⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        14⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        13⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1534356281.xml"
        14⤵
        
        PID:1132
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        13⤵
        Executes dropped EXE
        
        PID:2176
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        13⤵
        
        PID:2592
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        14⤵
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        13⤵
        
        PID:1532
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\876225028.xml"
        14⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        13⤵
        
        PID:548
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        14⤵
        
        PID:2356
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        13⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1177960388.xml"
        14⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:308
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:1692
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        14⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        13⤵
        
        PID:2684
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\2086123539.xml"
        14⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2676
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        13⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        14⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        13⤵
        
        PID:1344
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\846803043.xml"
        14⤵
        
        PID:1800
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        13⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2160
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        14⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        15⤵
        
        PID:2612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        14⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1642569519.xml"
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2164
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        14⤵
        Executes dropped EXE
        
        PID:2696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        14⤵
        
        PID:1820
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        15⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        14⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1754966194.xml"
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2236
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        14⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        15⤵
        
        PID:2228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        14⤵
        
        PID:112
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\515645698.xml"
        15⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        14⤵
        
        PID:2376
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        15⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        14⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\398225021.xml"
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        14⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        14⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1306388172.xml"
        15⤵
        
        PID:2744
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        14⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:476
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        15⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        16⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        15⤵
        
        PID:1028
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1563511003.xml"
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1856
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        15⤵
        Executes dropped EXE
        
        PID:2404
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        15⤵
        
        PID:308
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        16⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        15⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\298951959.xml"
        16⤵
        
        PID:2428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        15⤵
        
        PID:324
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        16⤵
        
        PID:2040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:2464
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1626271147.xml"
        16⤵
        
        PID:2128
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        15⤵
        
        PID:1868
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        16⤵
        
        PID:628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:944
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\386950651.xml"
        16⤵
        
        PID:1956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        15⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        16⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:2576
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1295113802.xml"
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2620
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:676
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        17⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        16⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1903608524.xml"
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1960
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        16⤵
        Executes dropped EXE
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        16⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        16⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1245477271.xml"
        17⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        16⤵
        
        PID:2812
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        17⤵
        
        PID:1732
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        16⤵
        
        PID:740
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1547212631.xml"
        17⤵
        
        PID:2456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        16⤵
        
        PID:2744
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:2828
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        16⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\307892135.xml"
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        16⤵
        
        PID:2664
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        17⤵
        
        PID:316
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        16⤵
        
        PID:1992
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1567427177.xml"
        17⤵
        
        PID:1504
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        16⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        17⤵
        
        PID:1436
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        18⤵
        
        PID:1508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:2264
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\215710006.xml"
        18⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:792
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        17⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        17⤵
        
        PID:1424
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        18⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        17⤵
        
        PID:880
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1098634609.xml"
        18⤵
        
        PID:2896
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        17⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        18⤵
        
        PID:900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        17⤵
        
        PID:2732
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\2006797760.xml"
        18⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        17⤵
        
        PID:2116
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        17⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\767477264.xml"
        18⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2272
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        17⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        18⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        17⤵
        
        PID:1780
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1675640415.xml"
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:1608
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        17⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        18⤵
        
        PID:1380
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        19⤵
        
        PID:112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        18⤵
        
        PID:1684
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\555807527.xml"
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:540
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        18⤵
        Executes dropped EXE
        
        PID:2172
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        18⤵
        Executes dropped EXE
        
        PID:2240
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        18⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:2112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        18⤵
        
        PID:2328
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\249048165.xml"
        19⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        18⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        19⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        18⤵
        
        PID:2828
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1576367353.xml"
        19⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:2160
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        19⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        18⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1878102713.xml"
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        18⤵
        
        PID:1808
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        19⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:2560
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\287410326.xml"
        19⤵
        
        PID:1056
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        18⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        19⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        20⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        19⤵
        
        PID:1580
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\895905048.xml"
        20⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2492
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        19⤵
        Executes dropped EXE
        
        PID:2348
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        19⤵
        Executes dropped EXE
        
        PID:1304
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        19⤵
        Executes dropped EXE
        
        PID:892
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        19⤵
        
        PID:604
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        20⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        19⤵
        
        PID:1680
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\589145686.xml"
        20⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        19⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        20⤵
        
        PID:588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        19⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\120353118.xml"
        20⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1552
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        19⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        20⤵
        
        PID:3064
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        19⤵
        
        PID:2220
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\677144378.xml"
        20⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        19⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        20⤵
        
        PID:1944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        19⤵
        
        PID:2904
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\208351810.xml"
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:2300
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        19⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2724
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:2720
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        21⤵
        
        PID:772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        20⤵
        
        PID:2832
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\2126018105.xml"
        21⤵
        
        PID:2056
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        20⤵
        Executes dropped EXE
        
        PID:2844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        20⤵
        
        PID:2632
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        21⤵
        
        PID:1636
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        20⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\697358924.xml"
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        20⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        21⤵
        
        PID:532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        20⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\647722393.xml"
        21⤵
        
        PID:2284
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        20⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        21⤵
        
        PID:2560
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        20⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\530301716.xml"
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:2736
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        20⤵
        
        PID:2172
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        21⤵
        
        PID:1968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        20⤵
        
        PID:2676
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1438464867.xml"
        21⤵
        
        PID:2232
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        21⤵
        
        PID:2508
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        22⤵
        
        PID:856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        21⤵
        
        PID:2932
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\2046959589.xml"
        22⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        21⤵
        Executes dropped EXE
        
        PID:2888
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        21⤵
        Executes dropped EXE
        
        PID:2224
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        21⤵
        
        PID:2292
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        22⤵
        
        PID:2152
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        21⤵
        
        PID:1552
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1037456445.xml"
        22⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        21⤵
        
        PID:2204
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        22⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        21⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\568663877.xml"
        22⤵
        
        PID:852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        21⤵
        
        PID:1812
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:2540
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        21⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\99871309.xml"
        22⤵
        
        PID:112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        21⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        22⤵
        
        PID:1304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:2708
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1008034460.xml"
        22⤵
        
        PID:1932
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        21⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:2324
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        22⤵
        
        PID:1100
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        23⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        22⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1316860753.xml"
        23⤵
        
        PID:2688
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        22⤵
        Executes dropped EXE
        
        PID:996
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        22⤵
        Executes dropped EXE
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        22⤵
        
        PID:1856
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        23⤵
        
        PID:2380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        22⤵
        
        PID:2940
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1497041574.xml"
        23⤵
        
        PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1469272742.xml

Filesize
1KB

MD5
14bfb8a0f2c6380a505dd415a09eddcd

SHA1
0fe22eeba5775d08c1011f22f0f2e160a1b99ca2

SHA256
4c00c0f5f85f39e56adbee0bc65c0c58ae5139c06a3a91f62787a2e6c90a71ec

SHA512
0b980a85ff9133562afdca750f483418f05fedf37629fc345ac8ea03737eb3ff3fffb50ecb8a63a569e41cb0965f9e77132b1320a6ed038298d4162aa2a1006c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Java Update.txt

Filesize
62B

MD5
3ae5e88e8e85f7038b2cd05cd5be03cf

SHA1
84e007c3af56af18a8f88f760603062028fece4f

SHA256
4cb9c982d02b166b37f737ab6bf4bc7b1711b904b0c9ce521cf3e4f1bf24e4e3

SHA512
713c2f625a9dd75118cf1bd95fb3b281e641210211cde410fc73e47f458ce97d15aa620236cf0191565a1f0633ff3006eb90785d885377b38e1d2decc1425bb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Java Update.txt

Filesize
58B

MD5
92d0ed3251a0d0b9b94b8f97715eb09c

SHA1
044d545fcf52a6ab3c1f24181ab522001f7212c6

SHA256
f2cf740eab3ad1e2c4c2f62f3b0d91c152f51990b9c4ae040d318d7b8c8cc386

SHA512
4bb0e6a8f8df2c8ba1becf455355a8003d9eee4439524db701ed32b7735a4739f606d7e18e424ee99b260a39aa25de1cc5a6997a06fa2b9237a4d5d3c94a2716

Download Submit
\Users\Admin\AppData\Roaming\Imgburn\Svchost.exe

Filesize
204KB

MD5
d73e7f87a3a95e0f16337c29a6546efa

SHA1
753398b57ac5a470d4c2573e1b51cb3ed783e834

SHA256
032f82ee87063844044f26e9c171170ee56b5e480a26402371018512fb92ff6a

SHA512
e966fcfc3fb032e6b602f5bfcbc5842a9c88a8427096f9902e2ec12d08f30c851104c10f10824b084a1e18cf6e9e44114d5f3fd1f688a3d8db6e805976ed4b25

Download Submit
memory/1728-1-0x0000000074F90000-0x000000007553B000-memory.dmp

Filesize
5.7MB

Download
memory/1728-2-0x0000000074F90000-0x000000007553B000-memory.dmp

Filesize
5.7MB

Download
memory/1728-3-0x0000000074F90000-0x000000007553B000-memory.dmp

Filesize
5.7MB

Download
memory/1728-0-0x0000000074F91000-0x0000000074F92000-memory.dmp

Filesize
4KB

Download
memory/1840-63-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1840-71-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1840-72-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2256-14-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2256-16-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2256-25-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2256-23-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2256-21-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2256-20-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2256-18-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2256-12-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2256-10-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2256-8-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/2380-44-0x0000000074F90000-0x000000007553B000-memory.dmp

Filesize
5.7MB

Download
memory/2380-4-0x0000000074F90000-0x000000007553B000-memory.dmp

Filesize
5.7MB

Download