netwire | 032f82ee87063844044f26e9c171170ee56b5e480a26402371018512fb92ff6a

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
09-09-2024 23:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

d73e7f87a3a95e0f16337c29a6546efa_JaffaCakes118.exe
Size

204KB
MD5

d73e7f87a3a95e0f16337c29a6546efa
SHA1

753398b57ac5a470d4c2573e1b51cb3ed783e834
SHA256

032f82ee87063844044f26e9c171170ee56b5e480a26402371018512fb92ff6a
SHA512

e966fcfc3fb032e6b602f5bfcbc5842a9c88a8427096f9902e2ec12d08f30c851104c10f10824b084a1e18cf6e9e44114d5f3fd1f688a3d8db6e805976ed4b25
SSDEEP

3072:IxuGg5NaeP3qQKvVpXNdXpstoSjvdQXsAs1XMTsx+7llitfMA6Nbrk42o/O:IsXagIVpXNUtoyHVMlmdt6Nfk42o/O

Score

10^/10

netwire botnet discovery persistence rat stealer

Malware Config

Extracted

Family

netwire

185.125.205.77:39560

Attributes

activex_autorun
true
activex_key
{51ER3LW3-6YXE-YD6F-5ROI-AF1JX466T30G}
copy_executable
true
delete_original
false
host_id
sunshineslisa
install_path
%AppData%\Imgburn\Svchost.exe
keylogger_dir
%AppData%\Logs\Imgburn\
lock_executable
false
mutex
BdenlrBn
offline_keylogger
true
password
sucess
registry_autorun
true
startup_name
NetWire
use_mutex
true

Signatures

NetWire RAT payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/1604-12-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/1604-19-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/1604-17-0x0000000000400000-0x000000000042C000-memory.dmp	netwire
behavioral2/memory/920-30-0x0000000000400000-0x000000000042C000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Boot or Logon Autostart Execution: Active Setup 2 TTPs 2 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51ER3LW3-6YXE-YD6F-5ROI-AF1JX466T30G}	Svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{51ER3LW3-6YXE-YD6F-5ROI-AF1JX466T30G}\StubPath = "\"C:\\Users\\Admin\\AppData\\Roaming\\Imgburn\\Svchost.exe\""	Svchost.exe

Checks computer location settings 2 TTPs 17 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	javaupdates.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	javaupdates.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	javaupdates.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	javaupdates.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	javaupdates.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	javaupdates.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	javaupdates.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	javaupdates.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	javaupdates.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	javaupdates.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	javaupdates.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	javaupdates.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	javaupdates.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	javaupdates.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	javaupdates.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	javaupdates.exe
Key value queried	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\Control Panel\International\Geo\Nation	javaupdates.exe

Executes dropped EXE 38 IoCs

pid	Process
1604	javaupdates.exe
4888	Svchost.exe
920	Svchost.exe
5064	javaupdates.exe
2288	javaupdates.exe
2580	javaupdates.exe
4920	javaupdates.exe
4100	javaupdates.exe
2652	javaupdates.exe
1112	javaupdates.exe
2760	javaupdates.exe
3120	javaupdates.exe
544	javaupdates.exe
4432	javaupdates.exe
3124	javaupdates.exe
5072	javaupdates.exe
2668	javaupdates.exe
4836	javaupdates.exe
4284	javaupdates.exe
2280	javaupdates.exe
2668	javaupdates.exe
4324	javaupdates.exe
3456	javaupdates.exe
2976	javaupdates.exe
2052	javaupdates.exe
2348	javaupdates.exe
3916	javaupdates.exe
4704	javaupdates.exe
4524	javaupdates.exe
3120	javaupdates.exe
1528	javaupdates.exe
2188	javaupdates.exe
1916	javaupdates.exe
3624	javaupdates.exe
3528	javaupdates.exe
4316	javaupdates.exe
2588	javaupdates.exe
3668	javaupdates.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-355097885-2402257403-2971294179-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\NetWire = "C:\\Users\\Admin\\AppData\\Roaming\\Imgburn\\Svchost.exe"	Svchost.exe

Suspicious use of SetThreadContext 19 IoCs

description	pid	Process	procid_target
PID 3956 set thread context of 1604	3956	javaupdates.exe	96
PID 4888 set thread context of 920	4888	Svchost.exe	110
PID 5064 set thread context of 2288	5064	javaupdates.exe	124
PID 2580 set thread context of 4920	2580	javaupdates.exe	185
PID 4100 set thread context of 2652	4100	javaupdates.exe	243
PID 1112 set thread context of 2760	1112	javaupdates.exe	299
PID 3120 set thread context of 544	3120	javaupdates.exe	356
PID 4432 set thread context of 3124	4432	javaupdates.exe	413
PID 5072 set thread context of 2668	5072	javaupdates.exe	469
PID 4836 set thread context of 4284	4836	javaupdates.exe	525
PID 2280 set thread context of 2668	2280	javaupdates.exe	581
PID 4324 set thread context of 3456	4324	javaupdates.exe	637
PID 2976 set thread context of 2052	2976	javaupdates.exe	693
PID 2348 set thread context of 3916	2348	javaupdates.exe	749
PID 4704 set thread context of 4524	4704	javaupdates.exe	807
PID 3120 set thread context of 2188	3120	javaupdates.exe	868
PID 1916 set thread context of 3624	1916	javaupdates.exe	924
PID 3528 set thread context of 4316	3528	javaupdates.exe	980
PID 2588 set thread context of 3668	2588	javaupdates.exe	1036

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	javaupdates.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
5100	schtasks.exe
400	schtasks.exe
2248	schtasks.exe
4408	schtasks.exe
2648	schtasks.exe
2532	schtasks.exe
2968	schtasks.exe
3988	schtasks.exe
404	schtasks.exe
1052	schtasks.exe
2484	schtasks.exe
4512	schtasks.exe
3956	schtasks.exe
4696	schtasks.exe
1516	schtasks.exe
1344	schtasks.exe
1780	schtasks.exe
3548	schtasks.exe
2772	schtasks.exe
1852	schtasks.exe
4772	schtasks.exe
2628	schtasks.exe
4064	schtasks.exe
2756	schtasks.exe
4704	schtasks.exe
1832	schtasks.exe
1928	schtasks.exe
760	schtasks.exe
2816	schtasks.exe
5112	schtasks.exe
2956	schtasks.exe
1832	schtasks.exe
2844	schtasks.exe
2296	schtasks.exe
4800	schtasks.exe
3012	schtasks.exe
1484	schtasks.exe
1052	schtasks.exe
4984	schtasks.exe
1372	schtasks.exe
1836	schtasks.exe
1432	schtasks.exe
3164	schtasks.exe
2032	schtasks.exe
1036	schtasks.exe
5100	schtasks.exe
2672	schtasks.exe
1428	schtasks.exe
64	schtasks.exe
3448	schtasks.exe
3464	schtasks.exe
3120	schtasks.exe
5072	schtasks.exe
368	schtasks.exe
2628	schtasks.exe
4336	schtasks.exe
1944	schtasks.exe
4556	schtasks.exe
1608	schtasks.exe
3916	schtasks.exe
4348	schtasks.exe
4104	schtasks.exe
4272	schtasks.exe
4728	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
3956	javaupdates.exe
3956	javaupdates.exe
3956	javaupdates.exe
4888	Svchost.exe
4888	Svchost.exe
4888	Svchost.exe
4888	Svchost.exe
4888	Svchost.exe
4888	Svchost.exe
4888	Svchost.exe
5064	javaupdates.exe
4888	Svchost.exe
5064	javaupdates.exe
4888	Svchost.exe
5064	javaupdates.exe
4888	Svchost.exe
5064	javaupdates.exe
4888	Svchost.exe
5064	javaupdates.exe
4888	Svchost.exe
5064	javaupdates.exe
4888	Svchost.exe
5064	javaupdates.exe
4888	Svchost.exe
5064	javaupdates.exe
4888	Svchost.exe
5064	javaupdates.exe
4888	Svchost.exe
5064	javaupdates.exe
4888	Svchost.exe
5064	javaupdates.exe
4888	Svchost.exe
5064	javaupdates.exe
4888	Svchost.exe
5064	javaupdates.exe
4888	Svchost.exe
5064	javaupdates.exe
4888	Svchost.exe
5064	javaupdates.exe
4888	Svchost.exe
5064	javaupdates.exe
4888	Svchost.exe
5064	javaupdates.exe
4888	Svchost.exe
5064	javaupdates.exe
4888	Svchost.exe
5064	javaupdates.exe
4888	Svchost.exe
5064	javaupdates.exe
4888	Svchost.exe
5064	javaupdates.exe
4888	Svchost.exe
5064	javaupdates.exe
4888	Svchost.exe
5064	javaupdates.exe
4888	Svchost.exe
5064	javaupdates.exe
4888	Svchost.exe
5064	javaupdates.exe
4888	Svchost.exe
5064	javaupdates.exe
4888	Svchost.exe
5064	javaupdates.exe
4888	Svchost.exe

Suspicious behavior: RenamesItself 1 IoCs

pid	Process
1984	d73e7f87a3a95e0f16337c29a6546efa_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 20 IoCs

description	pid	Process
Token: SeDebugPrivilege	1984	d73e7f87a3a95e0f16337c29a6546efa_JaffaCakes118.exe
Token: SeDebugPrivilege	3956	javaupdates.exe
Token: SeDebugPrivilege	4888	Svchost.exe
Token: SeDebugPrivilege	5064	javaupdates.exe
Token: SeDebugPrivilege	2580	javaupdates.exe
Token: SeDebugPrivilege	4100	javaupdates.exe
Token: SeDebugPrivilege	1112	javaupdates.exe
Token: SeDebugPrivilege	3120	javaupdates.exe
Token: SeDebugPrivilege	4432	javaupdates.exe
Token: SeDebugPrivilege	5072	javaupdates.exe
Token: SeDebugPrivilege	4836	javaupdates.exe
Token: SeDebugPrivilege	2280	javaupdates.exe
Token: SeDebugPrivilege	4324	javaupdates.exe
Token: SeDebugPrivilege	2976	javaupdates.exe
Token: SeDebugPrivilege	2348	javaupdates.exe
Token: SeDebugPrivilege	4704	javaupdates.exe
Token: SeDebugPrivilege	3120	javaupdates.exe
Token: SeDebugPrivilege	1916	javaupdates.exe
Token: SeDebugPrivilege	3528	javaupdates.exe
Token: SeDebugPrivilege	2588	javaupdates.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1984 wrote to memory of 2532	1984	d73e7f87a3a95e0f16337c29a6546efa_JaffaCakes118.exe	87
PID 1984 wrote to memory of 2532	1984	d73e7f87a3a95e0f16337c29a6546efa_JaffaCakes118.exe	87
PID 1984 wrote to memory of 2532	1984	d73e7f87a3a95e0f16337c29a6546efa_JaffaCakes118.exe	87
PID 2532 wrote to memory of 3956	2532	cmd.exe	89
PID 2532 wrote to memory of 3956	2532	cmd.exe	89
PID 2532 wrote to memory of 3956	2532	cmd.exe	89
PID 3956 wrote to memory of 4840	3956	javaupdates.exe	90
PID 3956 wrote to memory of 4840	3956	javaupdates.exe	90
PID 3956 wrote to memory of 4840	3956	javaupdates.exe	90
PID 4840 wrote to memory of 1140	4840	cmd.exe	92
PID 4840 wrote to memory of 1140	4840	cmd.exe	92
PID 4840 wrote to memory of 1140	4840	cmd.exe	92
PID 3956 wrote to memory of 5040	3956	javaupdates.exe	93
PID 3956 wrote to memory of 5040	3956	javaupdates.exe	93
PID 3956 wrote to memory of 5040	3956	javaupdates.exe	93
PID 5040 wrote to memory of 4512	5040	cmd.exe	95
PID 5040 wrote to memory of 4512	5040	cmd.exe	95
PID 5040 wrote to memory of 4512	5040	cmd.exe	95
PID 3956 wrote to memory of 1604	3956	javaupdates.exe	96
PID 3956 wrote to memory of 1604	3956	javaupdates.exe	96
PID 3956 wrote to memory of 1604	3956	javaupdates.exe	96
PID 3956 wrote to memory of 1604	3956	javaupdates.exe	96
PID 3956 wrote to memory of 1604	3956	javaupdates.exe	96
PID 3956 wrote to memory of 1604	3956	javaupdates.exe	96
PID 3956 wrote to memory of 1604	3956	javaupdates.exe	96
PID 3956 wrote to memory of 1604	3956	javaupdates.exe	96
PID 3956 wrote to memory of 1604	3956	javaupdates.exe	96
PID 3956 wrote to memory of 1604	3956	javaupdates.exe	96
PID 3956 wrote to memory of 1604	3956	javaupdates.exe	96
PID 3956 wrote to memory of 4232	3956	javaupdates.exe	97
PID 3956 wrote to memory of 4232	3956	javaupdates.exe	97
PID 3956 wrote to memory of 4232	3956	javaupdates.exe	97
PID 4232 wrote to memory of 2312	4232	cmd.exe	99
PID 4232 wrote to memory of 2312	4232	cmd.exe	99
PID 4232 wrote to memory of 2312	4232	cmd.exe	99
PID 1604 wrote to memory of 4888	1604	javaupdates.exe	100
PID 1604 wrote to memory of 4888	1604	javaupdates.exe	100
PID 1604 wrote to memory of 4888	1604	javaupdates.exe	100
PID 3956 wrote to memory of 2840	3956	javaupdates.exe	101
PID 3956 wrote to memory of 2840	3956	javaupdates.exe	101
PID 3956 wrote to memory of 2840	3956	javaupdates.exe	101
PID 4888 wrote to memory of 4864	4888	Svchost.exe	103
PID 4888 wrote to memory of 4864	4888	Svchost.exe	103
PID 4888 wrote to memory of 4864	4888	Svchost.exe	103
PID 2840 wrote to memory of 4708	2840	cmd.exe	105
PID 2840 wrote to memory of 4708	2840	cmd.exe	105
PID 2840 wrote to memory of 4708	2840	cmd.exe	105
PID 4864 wrote to memory of 3368	4864	cmd.exe	106
PID 4864 wrote to memory of 3368	4864	cmd.exe	106
PID 4864 wrote to memory of 3368	4864	cmd.exe	106
PID 4888 wrote to memory of 3024	4888	Svchost.exe	107
PID 4888 wrote to memory of 3024	4888	Svchost.exe	107
PID 4888 wrote to memory of 3024	4888	Svchost.exe	107
PID 3024 wrote to memory of 752	3024	cmd.exe	109
PID 3024 wrote to memory of 752	3024	cmd.exe	109
PID 3024 wrote to memory of 752	3024	cmd.exe	109
PID 4888 wrote to memory of 920	4888	Svchost.exe	110
PID 4888 wrote to memory of 920	4888	Svchost.exe	110
PID 4888 wrote to memory of 920	4888	Svchost.exe	110
PID 4888 wrote to memory of 920	4888	Svchost.exe	110
PID 4888 wrote to memory of 920	4888	Svchost.exe	110
PID 4888 wrote to memory of 920	4888	Svchost.exe	110
PID 4888 wrote to memory of 920	4888	Svchost.exe	110
PID 4888 wrote to memory of 920	4888	Svchost.exe	110

C:\Users\Admin\AppData\Local\Temp\d73e7f87a3a95e0f16337c29a6546efa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\d73e7f87a3a95e0f16337c29a6546efa_JaffaCakes118.exe"
1⤵
- Suspicious behavior: RenamesItself
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1984
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Users\Admin\AppData\Roaming\javaupdates.exe
    "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
    3⤵
    - Checks computer location settings
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3956
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4840
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        5⤵
        
        PID:1140
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5040
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1269108421.xml"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4512
  - - C:\Users\Admin\AppData\Roaming\javaupdates.exe
      "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:1604
    - - C:\Users\Admin\AppData\Roaming\Imgburn\Svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Imgburn\Svchost.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4888
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4864
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:3368
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:3024
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1067654801.xml"
        7⤵
        
        PID:752
      - C:\Users\Admin\AppData\Roaming\Imgburn\Svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Imgburn\Svchost.exe"
        6⤵
        Boot or Logon Autostart Execution: Active Setup
        Executes dropped EXE
        Adds Run key to start application
        
        PID:920
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:748
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:1152
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:640
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1531423367.xml"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5100
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2492
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:2268
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2488
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\245759637.xml"
        7⤵
        
        PID:1916
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:2212
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\995182879.xml"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1052
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:1736
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4764
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\786806439.xml"
        7⤵
        
        PID:4600
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:1808
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\510645853.xml"
        7⤵
        
        PID:224
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2268
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:2444
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:848
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\302269413.xml"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2672
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:4300
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:3944
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1470848692.xml"
        7⤵
        
        PID:2688
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:3956
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\72788287.xml"
        7⤵
        
        PID:3468
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3024
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:4144
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:212
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1944111348.xml"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4064
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1452
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:1052
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:4336
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1923006662.xml"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2844
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1568
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:1368
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4004
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1646846076.xml"
        7⤵
        
        PID:1504
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:5064
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4956
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\248785671.xml"
        7⤵
        
        PID:4280
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:4688
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:2248
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\40409231.xml"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:400
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:4708
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1560360401.xml"
        7⤵
        
        PID:4080
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:4548
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\162299996.xml"
        7⤵
        
        PID:1124
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1212
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:1684
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:3196
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\492567201.xml"
        7⤵
        
        PID:4064
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2652
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:2320
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\2012518371.xml"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1780
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:4212
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1033614003.xml"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3956
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1200
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:3840
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:752
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\218809772.xml"
        7⤵
        
        PID:2348
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:3032
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:2176
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1387389051.xml"
        7⤵
        
        PID:1376
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:4204
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:3028
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2668
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\759856574.xml"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4272
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:3756
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:3568
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\132324097.xml"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:760
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1672
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:1836
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\275319548.xml"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1516
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:768
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:400
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\673370899.xml"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3548
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:4480
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\397210313.xml"
        7⤵
        
        PID:3028
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2768
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:4212
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1565789592.xml"
        7⤵
        
        PID:3952
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:816
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:2728
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\938257115.xml"
        7⤵
        
        PID:3024
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2816
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:5104
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1687680357.xml"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2248
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:4520
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:3336
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:848
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1830675808.xml"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1372
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:960
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:1504
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\851771440.xml"
        7⤵
        
        PID:4212
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1812
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:3340
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1500
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\224238963.xml"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4476
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:4700
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1684
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1744190133.xml"
        7⤵
        
        PID:2444
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:3040
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:1552
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1116657656.xml"
        7⤵
        
        PID:1068
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:4628
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1866080898.xml"
        7⤵
        
        PID:4928
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1504
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:3584
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2692
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1238548421.xml"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:64
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:2728
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3264
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1987971663.xml"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3916
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:4784
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\941283149.xml"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2816
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4980
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:3580
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\2109862428.xml"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3448
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:4628
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:3800
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1063173914.xml"
        7⤵
        
        PID:3512
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:2308
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:4236
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\435641437.xml"
        7⤵
        
        PID:3272
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:2980
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:840
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1185064679.xml"
        7⤵
        
        PID:5064
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:4292
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\557532202.xml"
        7⤵
        
        PID:4116
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:1288
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:4300
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1306955444.xml"
        7⤵
        
        PID:3448
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:428
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1030794858.xml"
        7⤵
        
        PID:3512
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:960
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:3804
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1428846209.xml"
        7⤵
        
        PID:3272
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1036
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1660
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1152685623.xml"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1836
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2320
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:812
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1832
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\944309183.xml"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2032
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:4480
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:3412
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1693732425.xml"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3120
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:3368
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:2720
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\295672020.xml"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2484
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1640
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:3016
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:3432
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1815623190.xml"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3012
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:3000
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:840
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\768934676.xml"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4104
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:2772
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1836
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1518357918.xml"
        7⤵
        
        PID:4264
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1760
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:1276
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2036
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\120297513.xml"
        7⤵
        
        PID:5012
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:4536
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:2580
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1540
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1640248683.xml"
        7⤵
        
        PID:3028
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:4548
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:2680
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1970515888.xml"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:960
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:4332
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:2984
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3496
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\572455483.xml"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4408
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:3192
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:2716
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4380
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\2092406653.xml"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5072
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:4520
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4772
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1464874176.xml"
        7⤵
        
        PID:2396
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:3236
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:3084
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\837341699.xml"
        7⤵
        
        PID:3004
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:3196
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\209809222.xml"
        7⤵
        
        PID:2736
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1476
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:2964
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1660
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1310604355.xml"
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2968
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:2668
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1289499669.xml"
        7⤵
        
        PID:2652
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:5056
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:4472
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1971138765.xml"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4208
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1824
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:2752
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\992234397.xml"
        7⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1928
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:3916
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:1664
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:760
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\364701920.xml"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:368
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1640
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4476
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:3840
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1114125162.xml"
        7⤵
        
        PID:2628
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1140
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:2772
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\486592685.xml"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1832
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:768
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:4836
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2256
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1236015927.xml"
        7⤵
        
        PID:232
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:1864
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\959855341.xml"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1608
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4232
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        5⤵
        
        PID:2312
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2840
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1142529880.xml"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4708
  - - C:\Users\Admin\AppData\Roaming\javaupdates.exe
      "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      Suspicious use of SetThreadContext
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:5064
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:740
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        6⤵
        
        PID:3584
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2644
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\686020360.xml"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2680
    - - C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        5⤵
        Executes dropped EXE
        
        PID:2288
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1360
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        6⤵
        
        PID:3504
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1268
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\985688789.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2628
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:4104
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        6⤵
        
        PID:2024
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:4456
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1315955994.xml"
        6⤵
        
        PID:3392
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:4288
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        6⤵
        
        PID:2828
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:4272
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\2065379236.xml"
        6⤵
        
        PID:3428
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2312
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        6⤵
        
        PID:3800
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:4420
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\60891040.xml"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3956
    - - C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2580
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:452
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:4792
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:4144
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1161686173.xml"
        7⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5100
      - C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        6⤵
        Executes dropped EXE
        
        PID:4920
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:3912
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\384067312.xml"
        7⤵
        
        PID:4368
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:1452
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1652
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\527062763.xml"
        7⤵
        
        PID:4732
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:1044
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:2484
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1695642042.xml"
        7⤵
        
        PID:5032
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1016
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        7⤵
        
        PID:2728
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        
        PID:700
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1838637493.xml"
        7⤵
        
        PID:3504
      - C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        6⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        7⤵
        
        PID:3324
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        8⤵
        
        PID:2080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        7⤵
        
        PID:1204
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\747336450.xml"
        8⤵
        
        PID:4424
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        7⤵
        Executes dropped EXE
        
        PID:2652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        7⤵
        
        PID:2760
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        8⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        7⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\133817726.xml"
        8⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:4300
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        8⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        7⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\2072924933.xml"
        8⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        7⤵
        
        PID:2420
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        8⤵
        
        PID:2440
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        7⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\674864528.xml"
        8⤵
        
        PID:1988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        7⤵
        
        PID:1268
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:2400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        7⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\817859979.xml"
        8⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2296
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        8⤵
        
        PID:3120
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        9⤵
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        8⤵
        
        PID:1440
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\377599256.xml"
        9⤵
        
        PID:4796
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        8⤵
        Executes dropped EXE
        
        PID:2760
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        8⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        9⤵
        
        PID:1804
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        8⤵
        
        PID:2876
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\422211785.xml"
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        8⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        9⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        8⤵
        
        PID:2840
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\820263136.xml"
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2756
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        8⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        9⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        8⤵
        
        PID:2728
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\192730659.xml"
        9⤵
        
        PID:4972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        8⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        9⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        8⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1712681829.xml"
        9⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1428
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        8⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:3120
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        9⤵
        
        PID:216
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        10⤵
        
        PID:3600
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        9⤵
        
        PID:2844
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1085149352.xml"
        10⤵
        
        PID:3624
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        9⤵
        Executes dropped EXE
        
        PID:544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        9⤵
        
        PID:4232
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        10⤵
        
        PID:4816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        9⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1548917918.xml"
        10⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        9⤵
        
        PID:2920
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        10⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        9⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1340541478.xml"
        10⤵
        
        PID:748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        9⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        10⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:1268
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1319436792.xml"
        10⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        9⤵
        
        PID:3452
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        10⤵
        
        PID:5056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        9⤵
        System Location Discovery: System Language Discovery
        
        PID:4084
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1462432243.xml"
        10⤵
        
        PID:3472
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        9⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        10⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        11⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        10⤵
        
        PID:4708
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1022171520.xml"
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4728
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        10⤵
        Executes dropped EXE
        
        PID:3124
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        10⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        11⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        10⤵
        
        PID:4532
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\715412158.xml"
        11⤵
        
        PID:916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        10⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        11⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        10⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\507035718.xml"
        11⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4696
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        10⤵
        
        PID:4324
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        11⤵
        
        PID:8
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        10⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1256458960.xml"
        11⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        10⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        11⤵
        
        PID:4948
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        10⤵
        
        PID:4772
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\628926483.xml"
        11⤵
        
        PID:3628
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        10⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:5072
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        11⤵
        
        PID:4288
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        12⤵
        
        PID:224
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        11⤵
        
        PID:216
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\352765897.xml"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4356
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        11⤵
        Executes dropped EXE
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        11⤵
        
        PID:1864
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        12⤵
        
        PID:392
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        11⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\465162572.xml"
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        11⤵
        
        PID:3928
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        12⤵
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        11⤵
        
        PID:748
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1214585814.xml"
        12⤵
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        11⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        12⤵
        
        PID:2716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        11⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1006209374.xml"
        12⤵
        
        PID:2384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        11⤵
        
        PID:1376
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        12⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        11⤵
        
        PID:4904
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\378676897.xml"
        12⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        12⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        13⤵
        
        PID:2580
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        12⤵
        
        PID:544
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\708944102.xml"
        13⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4704
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        12⤵
        Executes dropped EXE
        
        PID:4284
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        12⤵
        
        PID:2188
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        13⤵
        
        PID:4804
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        12⤵
        
        PID:2312
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\821340777.xml"
        13⤵
        
        PID:2484
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        12⤵
        
        PID:2952
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        13⤵
        
        PID:1124
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        12⤵
        
        PID:700
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\612964337.xml"
        13⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        12⤵
        
        PID:2808
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        13⤵
        
        PID:2984
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        12⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\404587897.xml"
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        12⤵
        
        PID:4076
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        13⤵
        
        PID:4104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        12⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1924539067.xml"
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1944
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        12⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2280
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        13⤵
        
        PID:4084
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        14⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        13⤵
        
        PID:848
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\645966270.xml"
        14⤵
        
        PID:1728
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        13⤵
        Executes dropped EXE
        
        PID:2668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        13⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        14⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        13⤵
        
        PID:972
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\339206908.xml"
        14⤵
        
        PID:2196
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        13⤵
        
        PID:2644
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        14⤵
        
        PID:4880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        13⤵
        System Location Discovery: System Language Discovery
        
        PID:4532
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\130830468.xml"
        14⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1852
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        13⤵
        
        PID:3976
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        14⤵
        
        PID:2616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        13⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1650781638.xml"
        14⤵
        
        PID:4596
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        13⤵
        
        PID:752
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        14⤵
        
        PID:212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        13⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1023249161.xml"
        14⤵
        
        PID:2716
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4324
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        14⤵
        
        PID:3728
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        15⤵
        
        PID:2576
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        14⤵
        
        PID:2468
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\163832401.xml"
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1344
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        14⤵
        Executes dropped EXE
        
        PID:3456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:1452
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        15⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:4204
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\2004556686.xml"
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        14⤵
        
        PID:4272
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        15⤵
        
        PID:3028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        14⤵
        
        PID:2424
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\606496281.xml"
        15⤵
        
        PID:4420
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        14⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        15⤵
        
        PID:672
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        14⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1707291414.xml"
        15⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4800
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:4164
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        15⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:644
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\309231009.xml"
        15⤵
        
        PID:1532
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        14⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        15⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        16⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        15⤵
        
        PID:3912
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\100854569.xml"
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3164
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        15⤵
        Executes dropped EXE
        
        PID:2052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        15⤵
        
        PID:2032
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        16⤵
        
        PID:4652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        15⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1171050926.xml"
        16⤵
        
        PID:1176
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        15⤵
        
        PID:1468
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:4160
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        15⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1314046377.xml"
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:3248
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        16⤵
        
        PID:3508
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        15⤵
        
        PID:744
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\335142009.xml"
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        15⤵
        System Location Discovery: System Language Discovery
        
        PID:1096
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        16⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        15⤵
        
        PID:2756
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1855093179.xml"
        16⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5112
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        15⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        16⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        17⤵
        
        PID:332
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        16⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\37876737.xml"
        17⤵
        
        PID:4064
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        16⤵
        Executes dropped EXE
        
        PID:3916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        16⤵
        
        PID:4600
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        17⤵
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        16⤵
        
        PID:2248
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1878601022.xml"
        17⤵
        
        PID:2772
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        16⤵
        
        PID:3392
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        17⤵
        
        PID:752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        16⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\2021596473.xml"
        17⤵
        
        PID:1276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:1160
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:3336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        16⤵
        
        PID:4712
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\623536068.xml"
        17⤵
        
        PID:3464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        16⤵
        
        PID:1608
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        17⤵
        
        PID:4796
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:972
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1372959310.xml"
        17⤵
        
        PID:4296
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        16⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4704
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        17⤵
        System Location Discovery: System Language Discovery
        
        PID:4912
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        18⤵
        
        PID:4196
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        17⤵
        
        PID:4212
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\745426833.xml"
        18⤵
        
        PID:3568
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        17⤵
        Executes dropped EXE
        
        PID:4524
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        17⤵
        
        PID:3408
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        18⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        17⤵
        
        PID:452
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\87295580.xml"
        18⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        17⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        18⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        17⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1607246750.xml"
        18⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        17⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        18⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        17⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1398870310.xml"
        18⤵
        
        PID:400
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        17⤵
        
        PID:224
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        18⤵
        
        PID:3792
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        17⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1541865761.xml"
        18⤵
        
        PID:4160
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        17⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:3120
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        18⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        19⤵
        
        PID:4764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        18⤵
        
        PID:4080
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\263292964.xml"
        19⤵
        
        PID:972
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        18⤵
        Executes dropped EXE
        
        PID:1528
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        18⤵
        Executes dropped EXE
        
        PID:2188
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        18⤵
        
        PID:2056
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:3916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        18⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\562961393.xml"
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2532
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        18⤵
        
        PID:748
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        19⤵
        
        PID:2140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        18⤵
        
        PID:4680
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1544268918.xml"
        19⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        18⤵
        
        PID:4612
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        19⤵
        
        PID:3668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:4076
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\916736441.xml"
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:2772
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        19⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        18⤵
        
        PID:3168
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\2017531574.xml"
        19⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1832
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        18⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        19⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        20⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        19⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\2115914496.xml"
        20⤵
        
        PID:4340
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        19⤵
        Executes dropped EXE
        
        PID:3624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        19⤵
        
        PID:1272
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        20⤵
        
        PID:4644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        19⤵
        
        PID:392
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\80827524.xml"
        20⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:1540
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        20⤵
        
        PID:2768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        19⤵
        
        PID:2620
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1600778694.xml"
        20⤵
        
        PID:5112
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        19⤵
        
        PID:4476
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        19⤵
        
        PID:4064
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\202718289.xml"
        20⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        19⤵
        System Location Discovery: System Language Discovery
        
        PID:4840
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        20⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        19⤵
        
        PID:4216
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1303513422.xml"
        20⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1432
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:3528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        20⤵
        
        PID:4996
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        21⤵
        
        PID:4380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        20⤵
        
        PID:3516
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1514293019.xml"
        21⤵
        
        PID:1108
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        20⤵
        Executes dropped EXE
        
        PID:4316
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        20⤵
        
        PID:1728
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        21⤵
        
        PID:2748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        20⤵
        
        PID:3228
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1558905548.xml"
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        20⤵
        
        PID:3188
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        21⤵
        
        PID:3248
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:1348
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\931373071.xml"
        21⤵
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        20⤵
        
        PID:4928
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        21⤵
        
        PID:2720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        20⤵
        
        PID:1604
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1680796313.xml"
        21⤵
        
        PID:2216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:2064
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        21⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        20⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\701891945.xml"
        21⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:404
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        20⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2588
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:4400
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        22⤵
        
        PID:2964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        21⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\844887396.xml"
        22⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1484
        
        C:\Users\Admin\AppData\Roaming\javaupdates.exe
        
        "C:\Users\Admin\AppData\Roaming\javaupdates.exe"
        21⤵
        Executes dropped EXE
        
        PID:3668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        21⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        22⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        21⤵
        
        PID:212
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\957284071.xml"
        22⤵
        
        PID:2132
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:3168
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        22⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        21⤵
        
        PID:2100
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\2125863350.xml"
        22⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        21⤵
        
        PID:2212
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Java Update" /F
        22⤵
        
        PID:4360
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        21⤵
        System Location Discovery: System Language Discovery
        
        PID:3792
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Java Update" /XML "C:\Users\Admin\AppData\Local\Temp\1849702764.xml"
        22⤵
        
        PID:412

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\javaupdates.exe.log

Filesize
223B

MD5
cde6529abeea500fb852f29ba0da6115

SHA1
45f2f48492417ae6a0eade8aaa808d3d1d760743

SHA256
d7f4964443470b6729865676d76f5f1f416da633033071c34ea5eb19cdea53b5

SHA512
c95fa7faf6a90f32060dba70f79c4d66c68d6eec587306fb98f36fc3ba5d377ebf9dabf47298b71db208fb10f7ccb4e0ed82236c8f26bcc746552588bbb38234

Download Submit
C:\Users\Admin\AppData\Local\Temp\1269108421.xml

Filesize
1KB

MD5
590598edb08b7ae0cb746ebc98155bc1

SHA1
cdd19aca2a8ca87635fcd5762d5c06ca1d5883e7

SHA256
43900d5b5849ac1e55ceef5b802c55d4e09d28e05e8a272b1b777e1d9016db8b

SHA512
fe45f3da88c72acbba3bba0cf0051d971f15f1799dec45e55a2d6e4611ed42fb5c6a8c072293e3fb7fa77630d3579eee00ae97d76f72a433f6c5433c52e4f482

Download Submit
C:\Users\Admin\AppData\Local\Temp\Java Update.txt

Filesize
62B

MD5
3ae5e88e8e85f7038b2cd05cd5be03cf

SHA1
84e007c3af56af18a8f88f760603062028fece4f

SHA256
4cb9c982d02b166b37f737ab6bf4bc7b1711b904b0c9ce521cf3e4f1bf24e4e3

SHA512
713c2f625a9dd75118cf1bd95fb3b281e641210211cde410fc73e47f458ce97d15aa620236cf0191565a1f0633ff3006eb90785d885377b38e1d2decc1425bb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Java Update.txt

Filesize
58B

MD5
92d0ed3251a0d0b9b94b8f97715eb09c

SHA1
044d545fcf52a6ab3c1f24181ab522001f7212c6

SHA256
f2cf740eab3ad1e2c4c2f62f3b0d91c152f51990b9c4ae040d318d7b8c8cc386

SHA512
4bb0e6a8f8df2c8ba1becf455355a8003d9eee4439524db701ed32b7735a4739f606d7e18e424ee99b260a39aa25de1cc5a6997a06fa2b9237a4d5d3c94a2716

Download Submit
C:\Users\Admin\AppData\Roaming\javaupdates.exe

Filesize
204KB

MD5
d73e7f87a3a95e0f16337c29a6546efa

SHA1
753398b57ac5a470d4c2573e1b51cb3ed783e834

SHA256
032f82ee87063844044f26e9c171170ee56b5e480a26402371018512fb92ff6a

SHA512
e966fcfc3fb032e6b602f5bfcbc5842a9c88a8427096f9902e2ec12d08f30c851104c10f10824b084a1e18cf6e9e44114d5f3fd1f688a3d8db6e805976ed4b25

Download Submit
memory/920-30-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1604-17-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1604-12-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1604-19-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1984-0-0x0000000074C52000-0x0000000074C53000-memory.dmp

Filesize
4KB

Download
memory/1984-5-0x0000000074C50000-0x0000000075201000-memory.dmp

Filesize
5.7MB

Download
memory/1984-3-0x0000000074C50000-0x0000000075201000-memory.dmp

Filesize
5.7MB

Download
memory/1984-2-0x0000000074C50000-0x0000000075201000-memory.dmp

Filesize
5.7MB

Download
memory/1984-1-0x0000000074C50000-0x0000000075201000-memory.dmp

Filesize
5.7MB

Download
memory/3956-6-0x0000000074C50000-0x0000000075201000-memory.dmp

Filesize
5.7MB

Download
memory/3956-8-0x0000000074C50000-0x0000000075201000-memory.dmp

Filesize
5.7MB

Download
memory/3956-7-0x0000000074C50000-0x0000000075201000-memory.dmp

Filesize
5.7MB

Download
memory/3956-36-0x0000000074C50000-0x0000000075201000-memory.dmp

Filesize
5.7MB

Download