njrat | 2118b9a82b361a965d3e839f8327f822b65576d6cc70e7767cf00f3a01123e19

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
14-09-2024 05:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df945f06a326dce494df8731b01f050a_JaffaCakes118.exe
Size

1.4MB
MD5

df945f06a326dce494df8731b01f050a
SHA1

ce76fb5ea33e9d1c3067fdb5c80c70b3962d9199
SHA256

2118b9a82b361a965d3e839f8327f822b65576d6cc70e7767cf00f3a01123e19
SHA512

f766e40b13e1b3cb7a86d8c82e5b1cddf143369c3702b6c4343c8e4ce445bc0673881667874e25c864ebfff2f8776fb8a8abdae7351300fdeafe3235c0db0c96
SSDEEP

24576:kXE054bS4ubvi1xJdb4kkoG3XX/cuSBNdlFUGS61XTi2B+/i76:kFybSnW7Jafo6cu0SGS4XTii+/k

Score

10^/10

njrat wiregroups discovery evasion persistence privilege_escalation trojan

Malware Config

Extracted

Family

njrat

Version

0.7d

Botnet

WireGroups

212.83.167.116:1604

Mutex

7473a740ee91b3e5852f17361da1e49f

Attributes

reg_key
7473a740ee91b3e5852f17361da1e49f
splitter
|'|'|

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1012	netsh.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7473a740ee91b3e5852f17361da1e49f.exe	POjY.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7473a740ee91b3e5852f17361da1e49f.exe	POjY.exe

Executes dropped EXE 2 IoCs

pid	Process
1208	filename.exe
2120	POjY.exe

Loads dropped DLL 4 IoCs

pid	Process
2064	cmd.exe
2064	cmd.exe
1208	filename.exe
1208	filename.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000\Software\Microsoft\Windows\CurrentVersion\Run\7473a740ee91b3e5852f17361da1e49f = "\"C:\\Users\\Admin\\AppData\\Roaming\\POjY.exe\" .."	POjY.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\7473a740ee91b3e5852f17361da1e49f = "\"C:\\Users\\Admin\\AppData\\Roaming\\POjY.exe\" .."	POjY.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	POjY.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 61 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2536	schtasks.exe
1092	schtasks.exe
1212	schtasks.exe
2000	schtasks.exe
2820	schtasks.exe
2684	schtasks.exe
1508	schtasks.exe
2352	schtasks.exe
1984	schtasks.exe
2356	schtasks.exe
2044	schtasks.exe
2496	schtasks.exe
2964	schtasks.exe
2392	schtasks.exe
2728	schtasks.exe
1532	schtasks.exe
2580	schtasks.exe
2028	schtasks.exe
3028	schtasks.exe
1400	schtasks.exe
1720	schtasks.exe
2520	schtasks.exe
2728	schtasks.exe
2008	schtasks.exe
1976	schtasks.exe
1028	schtasks.exe
2476	schtasks.exe
2972	schtasks.exe
2780	schtasks.exe
2264	schtasks.exe
2720	schtasks.exe
2156	schtasks.exe
1404	schtasks.exe
1996	schtasks.exe
2504	schtasks.exe
2604	schtasks.exe
1832	schtasks.exe
2856	schtasks.exe
1172	schtasks.exe
2332	schtasks.exe
2504	schtasks.exe
2704	schtasks.exe
1104	schtasks.exe
1392	schtasks.exe
2724	schtasks.exe
3044	schtasks.exe
2352	schtasks.exe
1808	schtasks.exe
2656	schtasks.exe
1144	schtasks.exe
1572	schtasks.exe
3056	schtasks.exe
1360	schtasks.exe
880	schtasks.exe
944	schtasks.exe
1648	schtasks.exe
692	schtasks.exe
852	schtasks.exe
2848	schtasks.exe
2884	schtasks.exe
2040	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1756	df945f06a326dce494df8731b01f050a_JaffaCakes118.exe
1756	df945f06a326dce494df8731b01f050a_JaffaCakes118.exe
1208	filename.exe
1208	filename.exe
2120	POjY.exe
2120	POjY.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	1756	df945f06a326dce494df8731b01f050a_JaffaCakes118.exe
Token: SeDebugPrivilege	1208	filename.exe
Token: SeDebugPrivilege	2120	POjY.exe
Token: 33	2120	POjY.exe
Token: SeIncBasePriorityPrivilege	2120	POjY.exe
Token: 33	2120	POjY.exe
Token: SeIncBasePriorityPrivilege	2120	POjY.exe
Token: 33	2120	POjY.exe
Token: SeIncBasePriorityPrivilege	2120	POjY.exe
Token: 33	2120	POjY.exe
Token: SeIncBasePriorityPrivilege	2120	POjY.exe
Token: 33	2120	POjY.exe
Token: SeIncBasePriorityPrivilege	2120	POjY.exe
Token: 33	2120	POjY.exe
Token: SeIncBasePriorityPrivilege	2120	POjY.exe
Token: 33	2120	POjY.exe
Token: SeIncBasePriorityPrivilege	2120	POjY.exe
Token: 33	2120	POjY.exe
Token: SeIncBasePriorityPrivilege	2120	POjY.exe
Token: 33	2120	POjY.exe
Token: SeIncBasePriorityPrivilege	2120	POjY.exe
Token: 33	2120	POjY.exe
Token: SeIncBasePriorityPrivilege	2120	POjY.exe
Token: 33	2120	POjY.exe
Token: SeIncBasePriorityPrivilege	2120	POjY.exe
Token: 33	2120	POjY.exe
Token: SeIncBasePriorityPrivilege	2120	POjY.exe
Token: 33	2120	POjY.exe
Token: SeIncBasePriorityPrivilege	2120	POjY.exe
Token: 33	2120	POjY.exe
Token: SeIncBasePriorityPrivilege	2120	POjY.exe
Token: 33	2120	POjY.exe
Token: SeIncBasePriorityPrivilege	2120	POjY.exe
Token: 33	2120	POjY.exe
Token: SeIncBasePriorityPrivilege	2120	POjY.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1756 wrote to memory of 2064	1756	df945f06a326dce494df8731b01f050a_JaffaCakes118.exe	29
PID 1756 wrote to memory of 2064	1756	df945f06a326dce494df8731b01f050a_JaffaCakes118.exe	29
PID 1756 wrote to memory of 2064	1756	df945f06a326dce494df8731b01f050a_JaffaCakes118.exe	29
PID 1756 wrote to memory of 2064	1756	df945f06a326dce494df8731b01f050a_JaffaCakes118.exe	29
PID 2064 wrote to memory of 1208	2064	cmd.exe	31
PID 2064 wrote to memory of 1208	2064	cmd.exe	31
PID 2064 wrote to memory of 1208	2064	cmd.exe	31
PID 2064 wrote to memory of 1208	2064	cmd.exe	31
PID 1208 wrote to memory of 2740	1208	filename.exe	32
PID 1208 wrote to memory of 2740	1208	filename.exe	32
PID 1208 wrote to memory of 2740	1208	filename.exe	32
PID 1208 wrote to memory of 2740	1208	filename.exe	32
PID 2740 wrote to memory of 2692	2740	cmd.exe	34
PID 2740 wrote to memory of 2692	2740	cmd.exe	34
PID 2740 wrote to memory of 2692	2740	cmd.exe	34
PID 2740 wrote to memory of 2692	2740	cmd.exe	34
PID 1208 wrote to memory of 2664	1208	filename.exe	35
PID 1208 wrote to memory of 2664	1208	filename.exe	35
PID 1208 wrote to memory of 2664	1208	filename.exe	35
PID 1208 wrote to memory of 2664	1208	filename.exe	35
PID 2664 wrote to memory of 2392	2664	cmd.exe	37
PID 2664 wrote to memory of 2392	2664	cmd.exe	37
PID 2664 wrote to memory of 2392	2664	cmd.exe	37
PID 2664 wrote to memory of 2392	2664	cmd.exe	37
PID 1208 wrote to memory of 2868	1208	filename.exe	38
PID 1208 wrote to memory of 2868	1208	filename.exe	38
PID 1208 wrote to memory of 2868	1208	filename.exe	38
PID 1208 wrote to memory of 2868	1208	filename.exe	38
PID 2868 wrote to memory of 2564	2868	cmd.exe	40
PID 2868 wrote to memory of 2564	2868	cmd.exe	40
PID 2868 wrote to memory of 2564	2868	cmd.exe	40
PID 2868 wrote to memory of 2564	2868	cmd.exe	40
PID 1208 wrote to memory of 2040	1208	filename.exe	41
PID 1208 wrote to memory of 2040	1208	filename.exe	41
PID 1208 wrote to memory of 2040	1208	filename.exe	41
PID 1208 wrote to memory of 2040	1208	filename.exe	41
PID 2040 wrote to memory of 2704	2040	cmd.exe	43
PID 2040 wrote to memory of 2704	2040	cmd.exe	43
PID 2040 wrote to memory of 2704	2040	cmd.exe	43
PID 2040 wrote to memory of 2704	2040	cmd.exe	43
PID 1208 wrote to memory of 2556	1208	filename.exe	44
PID 1208 wrote to memory of 2556	1208	filename.exe	44
PID 1208 wrote to memory of 2556	1208	filename.exe	44
PID 1208 wrote to memory of 2556	1208	filename.exe	44
PID 2556 wrote to memory of 2592	2556	cmd.exe	46
PID 2556 wrote to memory of 2592	2556	cmd.exe	46
PID 2556 wrote to memory of 2592	2556	cmd.exe	46
PID 2556 wrote to memory of 2592	2556	cmd.exe	46
PID 1208 wrote to memory of 2660	1208	filename.exe	47
PID 1208 wrote to memory of 2660	1208	filename.exe	47
PID 1208 wrote to memory of 2660	1208	filename.exe	47
PID 1208 wrote to memory of 2660	1208	filename.exe	47
PID 2660 wrote to memory of 2028	2660	cmd.exe	49
PID 2660 wrote to memory of 2028	2660	cmd.exe	49
PID 2660 wrote to memory of 2028	2660	cmd.exe	49
PID 2660 wrote to memory of 2028	2660	cmd.exe	49
PID 1208 wrote to memory of 900	1208	filename.exe	50
PID 1208 wrote to memory of 900	1208	filename.exe	50
PID 1208 wrote to memory of 900	1208	filename.exe	50
PID 1208 wrote to memory of 900	1208	filename.exe	50
PID 900 wrote to memory of 1252	900	cmd.exe	52
PID 900 wrote to memory of 1252	900	cmd.exe	52
PID 900 wrote to memory of 1252	900	cmd.exe	52
PID 900 wrote to memory of 1252	900	cmd.exe	52

C:\Users\Admin\AppData\Local\Temp\df945f06a326dce494df8731b01f050a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\df945f06a326dce494df8731b01f050a_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1756
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2064
- - C:\Users\Admin\AppData\Roaming\filename.exe
    "C:\Users\Admin\AppData\Roaming\filename.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1208
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2740
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2692
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2664
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\746728192.xml"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2392
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2868
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2564
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2040
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\306299356.xml"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2704
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2556
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        5⤵
        
        PID:2592
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2660
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1207371574.xml"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2028
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:900
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        5⤵
        
        PID:1252
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      PID:1868
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\731488073.xml"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3028
  - - C:\Users\Admin\AppData\Roaming\POjY.exe
      "C:\Users\Admin\AppData\Roaming\POjY.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2120
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2440
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:1872
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2256
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\592794597.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1212
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2904
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2924
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2832
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1843171775.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2848
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:852
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:964
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1804
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\596760346.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2504
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1120
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:1912
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2764
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1849204455.xml"
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2352
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\POjY.exe" "POjY.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        
        PID:1012
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2864
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:588
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1540
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1021949063.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2000
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:980
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1140
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1164
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1316593490.xml"
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1400
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:952
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:856
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1984
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1027981743.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1976
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1176
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:396
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2068
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1509897924.xml"
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1508
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:376
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:2400
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1324
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\76214741.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1720
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1620
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1612
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2992
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1396442996.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1808
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2032
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2364
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2108
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\150031567.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2684
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2756
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2788
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2548
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1402475676.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2656
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2588
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:2792
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2552
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1884391857.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2604
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2124
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:1992
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2936
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1408508356.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2884
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:3028
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:2564
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:900
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\42609319.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2040
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2720
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:2512
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2460
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\2065581356.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2728
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2160
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:1700
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1772
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1006441681.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1144
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2888
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:2928
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2784
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\530558180.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2724
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1760
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:1108
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2292
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\593318324.xml"
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:944
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2288
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2044
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2036
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1075234505.xml"
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1832
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1296
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:276
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2280
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\479863396.xml"
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1648
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:976
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:928
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1724
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\961779577.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1572
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1764
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:612
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2464
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\66740039.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2264
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:308
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:2244
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1692
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1155084011.xml"
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1532
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2812
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:984
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1616
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1637000192.xml"
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1028
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2272
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:2208
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2732
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\741960654.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2820
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2956
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:3068
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2672
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1994404763.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2536
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2196
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2616
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:992
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1518521262.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2520
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2920
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:2592
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1252
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1649065552.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2356
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2060
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:2212
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:968
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\754026014.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2580
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:544
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2852
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1484
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1235942195.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2856
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2840
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:940
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:640
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\760058694.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:692
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2228
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2976
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2984
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\471446947.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1360
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2192
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:2872
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:112
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1484915840.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1172
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2132
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:1604
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2416
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1847344413.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:880
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2312
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:1988
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2420
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\2141988840.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2476
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1536
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:888
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2472
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1314733448.xml"
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2008
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:536
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2064
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:3024
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\419693910.xml"
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1104
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2080
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:2688
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2516
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1739922165.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2972
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:548
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2700
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2908
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1264038664.xml"
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3044
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:588
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:2820
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:856
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\368999126.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2352
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1400
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:1140
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2208
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\499543416.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2044
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2604
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2536
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2812
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\794187843.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:852
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2256
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:2068
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1296
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\924732133.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1984
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:980
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:2288
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:308
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\29692595.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2720
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2204
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:860
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2932
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\930764813.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3056
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2436
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:2100
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2680
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\454881312.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2156
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:836
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:1264
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1488
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\929706560.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1392
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2844
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2988
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1712
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1292135133.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1404
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1584
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:2128
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2344
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1654563706.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2332
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2012
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:1084
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1744
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\340368131.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2964
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1856
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:1980
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:572
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\463821488.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1996
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2248
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:2500
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:3000
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\945737669.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2496
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:876
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:3008
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2948
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\821226059.xml"
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1092
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2744
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:2796
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1600
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1909570031.xml"
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2780
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2900
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:2584
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2244
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\244002565.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2728
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1532
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:3036
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1720
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\2027999386.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\746728192.xml

Filesize
1KB

MD5
08d520a39faa824bcdbc4f0383f6ef68

SHA1
5583d9e33ee361964c3ef12b8ba1e14046688713

SHA256
56d201e2394f54dddfb5fec9ac73af1b6e665a25ab5f1e8f16337d2ea35e2a75

SHA512
cfbb9132a87508a1a00d5665c1fee6d45f40737851f482518870a1e37c36b43c5ee0a8ba1c4dafa5b82e73c9a1504e431930a99c3c5cf7980aa220e0a56bc47c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Update.txt

Filesize
51B

MD5
caf291901b5a2ac5b9d257159fadd584

SHA1
ee3b0aa1c124e14eb70a0743d2bfdd7fe0864e72

SHA256
d51438b591c6bf60034ad690fc3e465e6f0d4d25a2b69b958ba55e266038d549

SHA512
72214cf88c943bdbf93d5d16bd2cad39ce6b9714b91cbb625c0abdbd53e6848d5fce092342377f31405b163365dbf18af1cb98e1e7da0e04ba9960af165373e6

Download Submit
\Users\Admin\AppData\Roaming\filename.exe

Filesize
1.4MB

MD5
df945f06a326dce494df8731b01f050a

SHA1
ce76fb5ea33e9d1c3067fdb5c80c70b3962d9199

SHA256
2118b9a82b361a965d3e839f8327f822b65576d6cc70e7767cf00f3a01123e19

SHA512
f766e40b13e1b3cb7a86d8c82e5b1cddf143369c3702b6c4343c8e4ce445bc0673881667874e25c864ebfff2f8776fb8a8abdae7351300fdeafe3235c0db0c96

Download Submit
memory/1208-12-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download
memory/1208-11-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download
memory/1208-13-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download
memory/1208-19-0x0000000000950000-0x0000000000956000-memory.dmp

Filesize
24KB

Download
memory/1208-30-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download
memory/1208-41-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download
memory/1756-3-0x0000000000500000-0x0000000000504000-memory.dmp

Filesize
16KB

Download
memory/1756-10-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download
memory/1756-0-0x0000000074851000-0x0000000074852000-memory.dmp

Filesize
4KB

Download
memory/1756-2-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download
memory/1756-1-0x0000000074850000-0x0000000074DFB000-memory.dmp

Filesize
5.7MB

Download