njrat | 2118b9a82b361a965d3e839f8327f822b65576d6cc70e7767cf00f3a01123e19

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
14-09-2024 05:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

df945f06a326dce494df8731b01f050a_JaffaCakes118.exe
Size

1.4MB
MD5

df945f06a326dce494df8731b01f050a
SHA1

ce76fb5ea33e9d1c3067fdb5c80c70b3962d9199
SHA256

2118b9a82b361a965d3e839f8327f822b65576d6cc70e7767cf00f3a01123e19
SHA512

f766e40b13e1b3cb7a86d8c82e5b1cddf143369c3702b6c4343c8e4ce445bc0673881667874e25c864ebfff2f8776fb8a8abdae7351300fdeafe3235c0db0c96
SSDEEP

24576:kXE054bS4ubvi1xJdb4kkoG3XX/cuSBNdlFUGS61XTi2B+/i76:kFybSnW7Jafo6cu0SGS4XTii+/k

Score

10^/10

njrat discovery evasion persistence privilege_escalation trojan

Malware Config

Signatures

njRAT/Bladabindi
Widely used RAT written in .NET.
trojan njrat

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

pid	Process
1604	netsh.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\Control Panel\International\Geo\Nation	filename.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7473a740ee91b3e5852f17361da1e49f.exe	POjY.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\7473a740ee91b3e5852f17361da1e49f.exe	POjY.exe

Executes dropped EXE 2 IoCs

pid	Process
2924	filename.exe
4204	POjY.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\7473a740ee91b3e5852f17361da1e49f = "\"C:\\Users\\Admin\\AppData\\Roaming\\POjY.exe\" .."	POjY.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1302416131-1437503476-2806442725-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\7473a740ee91b3e5852f17361da1e49f = "\"C:\\Users\\Admin\\AppData\\Roaming\\POjY.exe\" .."	POjY.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3792	schtasks.exe
2900	schtasks.exe
3208	schtasks.exe
4920	schtasks.exe
4384	schtasks.exe
4328	schtasks.exe
2792	schtasks.exe
2932	schtasks.exe
3180	schtasks.exe
872	schtasks.exe
3632	schtasks.exe
2056	schtasks.exe
2192	schtasks.exe
1580	schtasks.exe
3180	schtasks.exe
4100	schtasks.exe
1016	schtasks.exe
868	schtasks.exe
4372	schtasks.exe
624	schtasks.exe
1968	schtasks.exe
4708	schtasks.exe
4268	schtasks.exe
244	schtasks.exe
2816	schtasks.exe
1124	schtasks.exe
1808	schtasks.exe
2688	schtasks.exe
440	schtasks.exe
1724	schtasks.exe
1280	schtasks.exe
1612	schtasks.exe
892	schtasks.exe
3032	schtasks.exe
776	schtasks.exe
1152	schtasks.exe
624	schtasks.exe
1280	schtasks.exe
948	schtasks.exe
2688	schtasks.exe
4940	schtasks.exe
4860	schtasks.exe
2460	schtasks.exe
1616	schtasks.exe
2000	schtasks.exe
4692	schtasks.exe
2840	schtasks.exe
4012	schtasks.exe
3696	schtasks.exe
688	schtasks.exe
2456	schtasks.exe
2932	schtasks.exe
3676	schtasks.exe
1572	schtasks.exe
2232	schtasks.exe
1040	schtasks.exe
644	schtasks.exe
2812	schtasks.exe
2508	schtasks.exe
1852	schtasks.exe
4040	schtasks.exe
2768	schtasks.exe
4776	schtasks.exe
4512	schtasks.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
184	df945f06a326dce494df8731b01f050a_JaffaCakes118.exe
184	df945f06a326dce494df8731b01f050a_JaffaCakes118.exe
2924	filename.exe
2924	filename.exe
4204	POjY.exe
4204	POjY.exe

Suspicious use of AdjustPrivilegeToken 35 IoCs

description	pid	Process
Token: SeDebugPrivilege	184	df945f06a326dce494df8731b01f050a_JaffaCakes118.exe
Token: SeDebugPrivilege	2924	filename.exe
Token: SeDebugPrivilege	4204	POjY.exe
Token: 33	4204	POjY.exe
Token: SeIncBasePriorityPrivilege	4204	POjY.exe
Token: 33	4204	POjY.exe
Token: SeIncBasePriorityPrivilege	4204	POjY.exe
Token: 33	4204	POjY.exe
Token: SeIncBasePriorityPrivilege	4204	POjY.exe
Token: 33	4204	POjY.exe
Token: SeIncBasePriorityPrivilege	4204	POjY.exe
Token: 33	4204	POjY.exe
Token: SeIncBasePriorityPrivilege	4204	POjY.exe
Token: 33	4204	POjY.exe
Token: SeIncBasePriorityPrivilege	4204	POjY.exe
Token: 33	4204	POjY.exe
Token: SeIncBasePriorityPrivilege	4204	POjY.exe
Token: 33	4204	POjY.exe
Token: SeIncBasePriorityPrivilege	4204	POjY.exe
Token: 33	4204	POjY.exe
Token: SeIncBasePriorityPrivilege	4204	POjY.exe
Token: 33	4204	POjY.exe
Token: SeIncBasePriorityPrivilege	4204	POjY.exe
Token: 33	4204	POjY.exe
Token: SeIncBasePriorityPrivilege	4204	POjY.exe
Token: 33	4204	POjY.exe
Token: SeIncBasePriorityPrivilege	4204	POjY.exe
Token: 33	4204	POjY.exe
Token: SeIncBasePriorityPrivilege	4204	POjY.exe
Token: 33	4204	POjY.exe
Token: SeIncBasePriorityPrivilege	4204	POjY.exe
Token: 33	4204	POjY.exe
Token: SeIncBasePriorityPrivilege	4204	POjY.exe
Token: 33	4204	POjY.exe
Token: SeIncBasePriorityPrivilege	4204	POjY.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 184 wrote to memory of 4032	184	df945f06a326dce494df8731b01f050a_JaffaCakes118.exe	85
PID 184 wrote to memory of 4032	184	df945f06a326dce494df8731b01f050a_JaffaCakes118.exe	85
PID 184 wrote to memory of 4032	184	df945f06a326dce494df8731b01f050a_JaffaCakes118.exe	85
PID 4032 wrote to memory of 2924	4032	cmd.exe	87
PID 4032 wrote to memory of 2924	4032	cmd.exe	87
PID 4032 wrote to memory of 2924	4032	cmd.exe	87
PID 2924 wrote to memory of 672	2924	filename.exe	89
PID 2924 wrote to memory of 672	2924	filename.exe	89
PID 2924 wrote to memory of 672	2924	filename.exe	89
PID 672 wrote to memory of 4780	672	cmd.exe	91
PID 672 wrote to memory of 4780	672	cmd.exe	91
PID 672 wrote to memory of 4780	672	cmd.exe	91
PID 2924 wrote to memory of 2980	2924	filename.exe	92
PID 2924 wrote to memory of 2980	2924	filename.exe	92
PID 2924 wrote to memory of 2980	2924	filename.exe	92
PID 2980 wrote to memory of 4372	2980	cmd.exe	94
PID 2980 wrote to memory of 4372	2980	cmd.exe	94
PID 2980 wrote to memory of 4372	2980	cmd.exe	94
PID 2924 wrote to memory of 2248	2924	filename.exe	95
PID 2924 wrote to memory of 2248	2924	filename.exe	95
PID 2924 wrote to memory of 2248	2924	filename.exe	95
PID 2248 wrote to memory of 1084	2248	cmd.exe	97
PID 2248 wrote to memory of 1084	2248	cmd.exe	97
PID 2248 wrote to memory of 1084	2248	cmd.exe	97
PID 2924 wrote to memory of 4892	2924	filename.exe	98
PID 2924 wrote to memory of 4892	2924	filename.exe	98
PID 2924 wrote to memory of 4892	2924	filename.exe	98
PID 4892 wrote to memory of 1280	4892	cmd.exe	100
PID 4892 wrote to memory of 1280	4892	cmd.exe	100
PID 4892 wrote to memory of 1280	4892	cmd.exe	100
PID 2924 wrote to memory of 2232	2924	filename.exe	103
PID 2924 wrote to memory of 2232	2924	filename.exe	103
PID 2924 wrote to memory of 2232	2924	filename.exe	103
PID 2232 wrote to memory of 744	2232	cmd.exe	105
PID 2232 wrote to memory of 744	2232	cmd.exe	105
PID 2232 wrote to memory of 744	2232	cmd.exe	105
PID 2924 wrote to memory of 2292	2924	filename.exe	106
PID 2924 wrote to memory of 2292	2924	filename.exe	106
PID 2924 wrote to memory of 2292	2924	filename.exe	106
PID 2292 wrote to memory of 4384	2292	cmd.exe	108
PID 2292 wrote to memory of 4384	2292	cmd.exe	108
PID 2292 wrote to memory of 4384	2292	cmd.exe	108
PID 2924 wrote to memory of 3180	2924	filename.exe	111
PID 2924 wrote to memory of 3180	2924	filename.exe	111
PID 2924 wrote to memory of 3180	2924	filename.exe	111
PID 3180 wrote to memory of 2736	3180	cmd.exe	113
PID 3180 wrote to memory of 2736	3180	cmd.exe	113
PID 3180 wrote to memory of 2736	3180	cmd.exe	113
PID 2924 wrote to memory of 2608	2924	filename.exe	114
PID 2924 wrote to memory of 2608	2924	filename.exe	114
PID 2924 wrote to memory of 2608	2924	filename.exe	114
PID 2608 wrote to memory of 644	2608	cmd.exe	116
PID 2608 wrote to memory of 644	2608	cmd.exe	116
PID 2608 wrote to memory of 644	2608	cmd.exe	116
PID 2924 wrote to memory of 4204	2924	filename.exe	118
PID 2924 wrote to memory of 4204	2924	filename.exe	118
PID 2924 wrote to memory of 4204	2924	filename.exe	118
PID 4204 wrote to memory of 4948	4204	POjY.exe	119
PID 4204 wrote to memory of 4948	4204	POjY.exe	119
PID 4204 wrote to memory of 4948	4204	POjY.exe	119
PID 4948 wrote to memory of 916	4948	cmd.exe	121
PID 4948 wrote to memory of 916	4948	cmd.exe	121
PID 4948 wrote to memory of 916	4948	cmd.exe	121
PID 4204 wrote to memory of 4988	4204	POjY.exe	122

C:\Users\Admin\AppData\Local\Temp\df945f06a326dce494df8731b01f050a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\df945f06a326dce494df8731b01f050a_JaffaCakes118.exe"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:184
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4032
- - C:\Users\Admin\AppData\Roaming\filename.exe
    "C:\Users\Admin\AppData\Roaming\filename.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2924
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:672
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        5⤵
        
        PID:4780
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2980
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1376985433.xml"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4372
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2248
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1084
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4892
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\217732131.xml"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1280
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2232
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:744
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2292
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\547999336.xml"
        5⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4384
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3180
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        5⤵
        
        PID:2736
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2608
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\690994787.xml"
        5⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:644
  - - C:\Users\Admin\AppData\Roaming\POjY.exe
      "C:\Users\Admin\AppData\Roaming\POjY.exe"
      4⤵
      Drops startup file
      Executes dropped EXE
      Adds Run key to start application
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4204
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4948
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:916
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:4988
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1665211379.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2816
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3624
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:216
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1836
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\819808372.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:948
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:5048
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:676
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2508
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\5004141.xml"
        6⤵
        
        PID:4012
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4196
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:3652
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:5076
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\403055492.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2812
    - - C:\Windows\SysWOW64\netsh.exe
        
        netsh firewall add allowedprogram "C:\Users\Admin\AppData\Roaming\POjY.exe" "POjY.exe" ENABLE
        5⤵
        Modifies Windows Firewall
        Event Triggered Execution: Netsh Helper DLL
        System Location Discovery: System Language Discovery
        
        PID:1604
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2196
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4312
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:3192
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1923006662.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1152
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:4444
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:5112
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:864
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1108202431.xml"
        6⤵
        
        PID:2700
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:3196
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:2900
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:4128
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\480669954.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3180
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:3868
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:776
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:3244
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\272293514.xml"
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3676
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2080
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:4396
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:4860
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1860028830.xml"
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2688
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:3320
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:5020
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:4764
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\2003024281.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4100
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1416
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:4072
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5028
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1375491804.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:624
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4104
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:5032
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1812
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1167115364.xml"
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2508
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:628
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:780
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:4576
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\188210996.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2932
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1152
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:1428
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:3816
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1708162166.xml"
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4328
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:560
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:2724
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:3496
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1499785726.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1280
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:4108
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:3544
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:3968
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\265825458.xml"
        6⤵
        
        PID:3676
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:4796
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:2924
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:548
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\57449018.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3032
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1088
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:2228
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2600
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1996556225.xml"
        6⤵
        
        PID:1180
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2080
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:4032
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2652
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1017651857.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1612
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2132
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:3976
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1016
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\809275417.xml"
        6⤵
        
        PID:916
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2812
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:2200
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:3436
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1722798796.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1852
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:624
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:3696
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3648
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1514422356.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1124
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3252
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:4536
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2000
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\535517988.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1968
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2016
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:1356
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2724
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\327141548.xml"
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1616
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:672
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:5092
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:4788
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\470136999.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:776
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:3632
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4796
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:4216
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1032288487.xml"
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:3792
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:4388
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:1832
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4228
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\472540156.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2192
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:4924
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:5020
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:4876
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\615535607.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4708
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:4972
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:2600
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1488
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\407159167.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1572
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:3084
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:3652
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:4020
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\969310655.xml"
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4040
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:4932
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1812
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:3276
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\760934215.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2456
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:748
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:3952
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1404
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\552557775.xml"
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4268
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:3480
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:1904
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4996
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\344181335.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2000
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4552
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:752
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1152
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\487176786.xml"
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2932
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2712
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:3748
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:4604
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1655756065.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3180
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2284
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4588
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:4108
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1798751516.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3632
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:4784
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1292
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:3568
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1590375076.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2768
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:4920
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:4832
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4540
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\962842599.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2688
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:5020
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:4396
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2040
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1360893950.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4692
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:4060
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:4296
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:3504
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\733361473.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:244
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1348
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:2104
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2600
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\105828996.xml"
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4940
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1660
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:1492
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4852
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1625780166.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4776
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5056
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:4960
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1228
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\227719761.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4512
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:4876
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:1420
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2056
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1747670931.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:624
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3648
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:1428
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3924
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1120138454.xml"
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2232
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:4328
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:3480
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1304
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1263133905.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2840
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:5112
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:4596
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1600
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\2012557147.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2792
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:5092
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4472
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:4752
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1385024670.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1040
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:4884
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:2536
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1504
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\2134447912.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:892
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2684
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:2192
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2688
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1506915435.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:440
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:3296
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:1220
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1820
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\2069066923.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4012
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:3960
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:4972
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:4104
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\319634627.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1016
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:3568
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:816
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4800
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\43474041.xml"
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1808
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:4036
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:408
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:3240
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\792897283.xml"
        6⤵
        
        PID:1356
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:3276
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:4932
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:924
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1542320525.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3696
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:3816
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:3444
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:972
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\914788048.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2056
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:644
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:4076
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:3160
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\287255571.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2900
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2892
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:1472
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2376
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1036678813.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3208
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2792
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:3180
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2012
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\409146336.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:688
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:2304
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:4956
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:1408
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\200769896.xml"
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4860
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:4764
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:2684
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:3288
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1720721066.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4920
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2228
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:1176
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:4820
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1863716517.xml"
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1580
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:3416
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:4988
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:860
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\114284221.xml"
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:2460
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:428
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:4060
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:5028
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1634235391.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1724
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:736
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:3224
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:4356
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1006702914.xml"
        6⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:868
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        
        PID:5116
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        6⤵
        
        PID:1792
    - - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:3264
      - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\379170437.xml"
        6⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:872

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1376985433.xml

Filesize
1KB

MD5
83c77904ccfd841ee7fc52ba808a8cea

SHA1
197b113c907cfd6d1b66414b9c589a8ad56d5605

SHA256
e87a4f53f2bfd8be12de38fcb329086ac0e3695efed3d7f304c8640baed5b935

SHA512
8762b478684bde14a326985b7beff81dfeead8119633e2dbf6b3f1b6be2a11f078680edc424ac3a7187074158100d6cef3e3d39ced9c221230b3e92b9e3bf837

Download Submit
C:\Users\Admin\AppData\Local\Temp\Update.txt

Filesize
51B

MD5
caf291901b5a2ac5b9d257159fadd584

SHA1
ee3b0aa1c124e14eb70a0743d2bfdd7fe0864e72

SHA256
d51438b591c6bf60034ad690fc3e465e6f0d4d25a2b69b958ba55e266038d549

SHA512
72214cf88c943bdbf93d5d16bd2cad39ce6b9714b91cbb625c0abdbd53e6848d5fce092342377f31405b163365dbf18af1cb98e1e7da0e04ba9960af165373e6

Download Submit
C:\Users\Admin\AppData\Roaming\filename.exe

Filesize
1.4MB

MD5
df945f06a326dce494df8731b01f050a

SHA1
ce76fb5ea33e9d1c3067fdb5c80c70b3962d9199

SHA256
2118b9a82b361a965d3e839f8327f822b65576d6cc70e7767cf00f3a01123e19

SHA512
f766e40b13e1b3cb7a86d8c82e5b1cddf143369c3702b6c4343c8e4ce445bc0673881667874e25c864ebfff2f8776fb8a8abdae7351300fdeafe3235c0db0c96

Download Submit
memory/184-0-0x0000000074982000-0x0000000074983000-memory.dmp

Filesize
4KB

Download
memory/184-1-0x0000000074980000-0x0000000074F31000-memory.dmp

Filesize
5.7MB

Download
memory/184-2-0x0000000074980000-0x0000000074F31000-memory.dmp

Filesize
5.7MB

Download
memory/184-8-0x0000000074980000-0x0000000074F31000-memory.dmp

Filesize
5.7MB

Download
memory/2924-9-0x0000000074980000-0x0000000074F31000-memory.dmp

Filesize
5.7MB

Download
memory/2924-10-0x0000000074980000-0x0000000074F31000-memory.dmp

Filesize
5.7MB

Download
memory/2924-35-0x0000000074980000-0x0000000074F31000-memory.dmp

Filesize
5.7MB

Download