hawkeye | 4ba67a000526a4abcf098ab1671fae28996f0db56a67bdeb36d2ef653e34c35b

General

Target

c515a556d7cc1fb7a476fb0fb1aadaaa_JaffaCakes118.exe
Size

705KB
MD5

c515a556d7cc1fb7a476fb0fb1aadaaa
SHA1

c5690d2abee36e06c2c40dceba693bc7eeeda7be
SHA256

4ba67a000526a4abcf098ab1671fae28996f0db56a67bdeb36d2ef653e34c35b
SHA512

ceb6047816345ad1767698982d448d48accc1e9b22f0fb7ca9c9233444523531b9ef672041dc73ce6a6b6f22fd7263ca882d6fb19288d0dd726cb7c0eb94a1a2
SSDEEP

12288:0J0unggMGIwHJo8spfSPFWHw2Y8ZKk8mZfurZB+n3mfYBkU4f5YNmmh8o:luoG9priSPFWHw2Y8ZK5d22fYBkU4f5q

Score

10^/10

hawkeye netwire botnet collection discovery keylogger persistence rat spyware stealer trojan upx

Malware Config

Extracted

Credentials

Protocol: smtp
Host:
smtp.gmail.com
Port:
587
Username:
[email protected]
Password:
yoqmiiwhxyjcorck

Extracted

Family

netwire

C2

greatking.freeddns.org:3362

Attributes

activex_autorun
false
copy_executable
true
delete_original
false
host_id
HostId-%Rand%
install_path
%AppData%\Install\Host.exe
keylogger_dir
%AppData%\Logs\
lock_executable
false
offline_keylogger
true
password
Password
registry_autorun
true
startup_name
NetWire
use_mutex
false

Signatures

HawkEye
HawkEye is a malware kit that has seen continuous development since at least 2013.
keylogger trojan stealer spyware hawkeye

NetWire RAT payload 6 IoCs

rat

Processes:

resource	yara_rule
behavioral1/memory/4060-52-0x0000000000400000-0x0000000000423000-memory.dmp	netwire
behavioral1/memory/764-96-0x0000000000400000-0x0000000000423000-memory.dmp	netwire
behavioral1/memory/4536-137-0x0000000000400000-0x0000000000423000-memory.dmp	netwire
behavioral1/memory/4876-386-0x0000000000400000-0x0000000000423000-memory.dmp	netwire
behavioral1/memory/4420-526-0x0000000000400000-0x0000000000423000-memory.dmp	netwire
behavioral1/memory/5004-3037-0x0000000000400000-0x0000000000423000-memory.dmp	netwire

Netwire
Netwire is a RAT with main functionalities focused password stealing and keylogging, but also includes remote control capabilities as well.
botnet stealer netwire

Detected Nirsoft tools 3 IoCs

Free utilities often used by attackers which can steal passwords, product keys, etc.

Processes:

resource	yara_rule
behavioral1/memory/1452-246-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral1/memory/1452-248-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft
behavioral1/memory/1452-245-0x0000000000400000-0x000000000041C000-memory.dmp	Nirsoft

NirSoft MailPassView 3 IoCs

Password recovery tool for various email clients

Processes:

resource	yara_rule
behavioral1/memory/1452-246-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral1/memory/1452-248-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView
behavioral1/memory/1452-245-0x0000000000400000-0x000000000041C000-memory.dmp	MailPassView

Checks computer location settings 2 TTPs 64 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

Host.exeApp.exeApp.exeApp.exeApp.exeApp.exeHost.exeHost.exeHost.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeHost.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeHost.exeHost.exeHost.exeHost.exeApp.exeHost.exeHost.exeHost.exeApp.exeApp.exeHost.exeHost.exeApp.exeApp.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeHost.exeApp.exeApp.exeApp.exeApp.exeHost.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	App.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	App.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	App.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	App.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	App.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	App.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	App.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	App.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	App.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	App.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	App.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	App.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	App.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	App.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	App.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	App.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	App.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	App.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	App.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	App.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	App.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	App.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	App.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	App.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	App.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	App.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	App.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	App.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Host.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	App.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	App.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	App.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	App.exe
Key value queried	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Control Panel\International\Geo\Nation	Host.exe

Executes dropped EXE 64 IoCs

Processes:

coded.exeApp.execoded.exeWindows Update.exeApp.exeHost.execoded.exeApp.execoded.exeApp.exeHost.execoded.exeApp.execoded.exeApp.exeHost.execoded.exeApp.execoded.exeApp.exeHost.execoded.exeApp.execoded.exeApp.exeHost.execoded.exeApp.execoded.exeApp.exeHost.execoded.exeApp.execoded.exeApp.exeHost.execoded.exeApp.execoded.exeApp.exeHost.execoded.exeApp.execoded.exeApp.exeHost.execoded.exeApp.execoded.exeApp.exeApp.exeHost.execoded.exeApp.execoded.exeApp.exeHost.execoded.exeApp.execoded.exeApp.exeHost.execoded.exeApp.exe

pid	process
544	coded.exe
2936	App.exe
4308	coded.exe
1336	Windows Update.exe
4060	App.exe
4148	Host.exe
4300	coded.exe
4592	App.exe
5096	coded.exe
764	App.exe
4104	Host.exe
3360	coded.exe
64	App.exe
3076	coded.exe
4536	App.exe
4656	Host.exe
448	coded.exe
4112	App.exe
1048	coded.exe
3320	App.exe
4484	Host.exe
1920	coded.exe
808	App.exe
2372	coded.exe
2544	App.exe
1816	Host.exe
1040	coded.exe
3360	App.exe
4356	coded.exe
540	App.exe
2368	Host.exe
1316	coded.exe
4956	App.exe
4060	coded.exe
3372	App.exe
2452	Host.exe
4812	coded.exe
1928	App.exe
2940	coded.exe
2156	App.exe
2328	Host.exe
1864	coded.exe
4732	App.exe
4988	coded.exe
3504	App.exe
4420	Host.exe
4644	coded.exe
4456	App.exe
5020	coded.exe
4992	App.exe
1884	App.exe
468	Host.exe
2408	coded.exe
840	App.exe
3016	coded.exe
4876	App.exe
3636	Host.exe
4616	coded.exe
1176	App.exe
3368	coded.exe
4952	App.exe
1936	Host.exe
2968	coded.exe
1420	App.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Accesses Microsoft Outlook accounts 1 TTPs 1 IoCs

collection

Email Collection

T1114

Processes:

vbc.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\Software\Microsoft\Office\Outlook\OMI Account Manager\Accounts	vbc.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

Windows Update.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Update = "C:\\Users\\Admin\\AppData\\Roaming\\WindowsUpdate.exe"	Windows Update.exe

Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

15 checkip.dyndns.org

flow	ioc
15	checkip.dyndns.org

Suspicious use of SetThreadContext 64 IoCs

Processes:

App.exeApp.exeApp.exeApp.exeApp.exeWindows Update.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exeApp.exe

description	pid	process	target process
PID 2936 set thread context of 4060	2936	App.exe	cmd.exe
PID 4592 set thread context of 764	4592	App.exe	schtasks.exe
PID 64 set thread context of 4536	64	App.exe	App.exe
PID 4112 set thread context of 3320	4112	App.exe	App.exe
PID 808 set thread context of 2544	808	App.exe	App.exe
PID 1336 set thread context of 1452	1336	Windows Update.exe	vbc.exe
PID 3360 set thread context of 540	3360	App.exe	Conhost.exe
PID 4956 set thread context of 3372	4956	App.exe	Conhost.exe
PID 1928 set thread context of 2156	1928	App.exe	App.exe
PID 4732 set thread context of 3504	4732	App.exe	cmd.exe
PID 4456 set thread context of 1884	4456	App.exe	TrustedInstaller.exe
PID 840 set thread context of 4876	840	App.exe	App.exe
PID 1176 set thread context of 4952	1176	App.exe	App.exe
PID 1420 set thread context of 3304	1420	App.exe	App.exe
PID 4604 set thread context of 2460	4604	App.exe	App.exe
PID 4648 set thread context of 4984	4648	App.exe	schtasks.exe
PID 1336 set thread context of 4756	1336	Windows Update.exe	vbc.exe
PID 4088 set thread context of 4420	4088	App.exe	App.exe
PID 5096 set thread context of 1492	5096	App.exe	App.exe
PID 1188 set thread context of 792	1188	App.exe	App.exe
PID 3464 set thread context of 5104	3464	App.exe	App.exe
PID 1680 set thread context of 3368	1680	App.exe	App.exe
PID 2856 set thread context of 3220	2856	App.exe	App.exe
PID 1724 set thread context of 964	1724	App.exe	App.exe
PID 1216 set thread context of 1628	1216	App.exe	App.exe
PID 4828 set thread context of 764	4828	App.exe	App.exe
PID 452 set thread context of 2912	452	App.exe	App.exe
PID 212 set thread context of 1316	212	App.exe	App.exe
PID 4320 set thread context of 2024	4320	App.exe	cmd.exe
PID 4532 set thread context of 692	4532	App.exe	App.exe
PID 3520 set thread context of 4484	3520	App.exe	App.exe
PID 808 set thread context of 3340	808	App.exe	App.exe
PID 872 set thread context of 4672	872	App.exe	App.exe
PID 704 set thread context of 4044	704	App.exe	App.exe
PID 748 set thread context of 4476	748	App.exe	App.exe
PID 4656 set thread context of 4148	4656	App.exe	App.exe
PID 4120 set thread context of 4792	4120	App.exe	App.exe
PID 3056 set thread context of 3220	3056	App.exe	App.exe
PID 212 set thread context of 4304	212	App.exe	App.exe
PID 1404 set thread context of 5084	1404	App.exe	schtasks.exe
PID 3308 set thread context of 5052	3308	App.exe	App.exe
PID 1928 set thread context of 4620	1928	App.exe	App.exe
PID 4120 set thread context of 740	4120	App.exe	App.exe
PID 4500 set thread context of 2436	4500	App.exe	App.exe
PID 5088 set thread context of 2288	5088	App.exe	App.exe
PID 3160 set thread context of 1076	3160	App.exe	App.exe
PID 1664 set thread context of 2360	1664	App.exe	App.exe
PID 3268 set thread context of 4724	3268	App.exe	App.exe
PID 4448 set thread context of 3776	4448	App.exe	App.exe
PID 5072 set thread context of 4668	5072	App.exe	App.exe
PID 3916 set thread context of 1392	3916	App.exe	App.exe
PID 2868 set thread context of 4400	2868	App.exe	App.exe
PID 3684 set thread context of 4484	3684	App.exe	App.exe
PID 3484 set thread context of 4964	3484	App.exe	App.exe
PID 4060 set thread context of 3572	4060	App.exe	App.exe
PID 4716 set thread context of 232	4716	App.exe	App.exe
PID 60 set thread context of 5048	60	App.exe	App.exe
PID 3504 set thread context of 2956	3504	App.exe	App.exe
PID 4068 set thread context of 4716	4068	App.exe	App.exe
PID 900 set thread context of 1688	900	App.exe	App.exe
PID 4848 set thread context of 4400	4848	App.exe	App.exe
PID 3148 set thread context of 4256	3148	App.exe	App.exe
PID 3260 set thread context of 4868	3260	App.exe	App.exe
PID 2140 set thread context of 4292	2140	App.exe	App.exe

UPX packed file 13 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/4060-50-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/4060-52-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/4060-48-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/764-95-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/764-96-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/4536-137-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/4536-136-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/4876-386-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/4876-385-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/4420-526-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/4420-525-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/5004-3037-0x0000000000400000-0x0000000000423000-memory.dmp	upx
behavioral1/memory/5004-3031-0x0000000000400000-0x0000000000423000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

coded.exeApp.exeApp.exeschtasks.exeHost.execmd.execmd.execmd.execoded.exeHost.exeApp.execmd.exec515a556d7cc1fb7a476fb0fb1aadaaa_JaffaCakes118.exeApp.exeschtasks.exeschtasks.execoded.execoded.exeschtasks.exeschtasks.execmd.execmd.exeApp.exeApp.exeschtasks.execoded.exeApp.exeApp.exeApp.execmd.execoded.exeApp.exeHost.exeschtasks.exeApp.exeHost.exeschtasks.execmd.execoded.exeApp.execoded.execmd.exeApp.exeschtasks.exeApp.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	coded.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	App.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	App.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Host.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	coded.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Host.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	App.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	c515a556d7cc1fb7a476fb0fb1aadaaa_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	App.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	coded.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	coded.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	App.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	App.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	coded.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	App.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	App.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	App.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	coded.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	App.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Host.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	App.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Host.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	coded.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	App.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	coded.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	App.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	App.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 64 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

Processes:

schtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exeschtasks.exe

pid	process
5116	schtasks.exe
456	schtasks.exe
1036	schtasks.exe
3476	schtasks.exe
1004
4900	schtasks.exe
5072	schtasks.exe
3320	schtasks.exe
388	schtasks.exe
4740	schtasks.exe
232	schtasks.exe
3744
5048
1912
2584
916	schtasks.exe
4940	schtasks.exe
3776	schtasks.exe
3992
3476
64	schtasks.exe
516	schtasks.exe
4312	schtasks.exe
2936
2760	schtasks.exe
3972	schtasks.exe
4980	schtasks.exe
1936	schtasks.exe
2372	schtasks.exe
5048
1392
4432
2996
1972	schtasks.exe
1940	schtasks.exe
4740	schtasks.exe
4448	schtasks.exe
1984
228
4224	schtasks.exe
4956
4656	schtasks.exe
4812	schtasks.exe
2160	schtasks.exe
3452	schtasks.exe
1492	schtasks.exe
2368
688	schtasks.exe
5068	schtasks.exe
4988	schtasks.exe
3776	schtasks.exe
4216	schtasks.exe
764
4304	schtasks.exe
2496	schtasks.exe
1868	schtasks.exe
3228	schtasks.exe
3700	schtasks.exe
4016
4752
1544	schtasks.exe
3160
4748
1176	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

c515a556d7cc1fb7a476fb0fb1aadaaa_JaffaCakes118.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exe

pid	process
224	c515a556d7cc1fb7a476fb0fb1aadaaa_JaffaCakes118.exe
224	c515a556d7cc1fb7a476fb0fb1aadaaa_JaffaCakes118.exe
2936	App.exe
2936	App.exe
4148	Host.exe
4148	Host.exe
4592	App.exe
4592	App.exe
4104	Host.exe
4104	Host.exe
64	App.exe
64	App.exe
4656	Host.exe
4656	Host.exe
4112	App.exe
4112	App.exe
4484	Host.exe
4484	Host.exe
808	App.exe
808	App.exe
1816	Host.exe
1816	Host.exe
3360	App.exe
3360	App.exe
2368	Host.exe
2368	Host.exe
4956	App.exe
4956	App.exe
2452	Host.exe
2452	Host.exe
1928	App.exe
1928	App.exe
2328	Host.exe
2328	Host.exe
4732	App.exe
4732	App.exe
4420	Host.exe
4420	Host.exe
4456	App.exe
4456	App.exe
468	Host.exe
468	Host.exe
840	App.exe
840	App.exe
3636	Host.exe
3636	Host.exe
1176	App.exe
1176	App.exe
1936	Host.exe
1936	Host.exe
1420	App.exe
1420	App.exe
5040	Host.exe
5040	Host.exe
4604	App.exe
4604	App.exe
2344	Host.exe
2344	Host.exe
4648	App.exe
4648	App.exe
1724	Host.exe
1724	Host.exe
4088	App.exe
4088	App.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

c515a556d7cc1fb7a476fb0fb1aadaaa_JaffaCakes118.exeApp.exeHost.exeApp.exeWindows Update.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exeApp.exeHost.exe

description	pid	process
Token: SeDebugPrivilege	224	c515a556d7cc1fb7a476fb0fb1aadaaa_JaffaCakes118.exe
Token: SeDebugPrivilege	2936	App.exe
Token: SeDebugPrivilege	4148	Host.exe
Token: SeDebugPrivilege	4592	App.exe
Token: SeDebugPrivilege	1336	Windows Update.exe
Token: SeDebugPrivilege	4104	Host.exe
Token: SeDebugPrivilege	64	App.exe
Token: SeDebugPrivilege	4656	Host.exe
Token: SeDebugPrivilege	4112	App.exe
Token: SeDebugPrivilege	4484	Host.exe
Token: SeDebugPrivilege	808	App.exe
Token: SeDebugPrivilege	1816	Host.exe
Token: SeDebugPrivilege	3360	App.exe
Token: SeDebugPrivilege	2368	Host.exe
Token: SeDebugPrivilege	4956	App.exe
Token: SeDebugPrivilege	2452	Host.exe
Token: SeDebugPrivilege	1928	App.exe
Token: SeDebugPrivilege	2328	Host.exe
Token: SeDebugPrivilege	4732	App.exe
Token: SeDebugPrivilege	4420	Host.exe
Token: SeDebugPrivilege	4456	App.exe
Token: SeDebugPrivilege	468	Host.exe
Token: SeDebugPrivilege	840	App.exe
Token: SeDebugPrivilege	3636	Host.exe
Token: SeDebugPrivilege	1176	App.exe
Token: SeDebugPrivilege	1936	Host.exe
Token: SeDebugPrivilege	1420	App.exe
Token: SeDebugPrivilege	5040	Host.exe
Token: SeDebugPrivilege	4604	App.exe
Token: SeDebugPrivilege	2344	Host.exe
Token: SeDebugPrivilege	4648	App.exe
Token: SeDebugPrivilege	1724	Host.exe
Token: SeDebugPrivilege	4088	App.exe
Token: SeDebugPrivilege	1508	Host.exe
Token: SeDebugPrivilege	5096	App.exe
Token: SeDebugPrivilege	1544	Host.exe
Token: SeDebugPrivilege	1188	App.exe
Token: SeDebugPrivilege	3560	Host.exe
Token: SeDebugPrivilege	3464	App.exe
Token: SeDebugPrivilege	4184	Host.exe
Token: SeDebugPrivilege	1680	App.exe
Token: SeDebugPrivilege	3376	Host.exe
Token: SeDebugPrivilege	2856	App.exe
Token: SeDebugPrivilege	4588	Host.exe
Token: SeDebugPrivilege	1724	App.exe
Token: SeDebugPrivilege	4400	Host.exe
Token: SeDebugPrivilege	1216	App.exe
Token: SeDebugPrivilege	1588	Host.exe
Token: SeDebugPrivilege	4828	App.exe
Token: SeDebugPrivilege	4300	Host.exe
Token: SeDebugPrivilege	452	App.exe
Token: SeDebugPrivilege	4388	Host.exe
Token: SeDebugPrivilege	212	App.exe
Token: SeDebugPrivilege	700	Host.exe
Token: SeDebugPrivilege	4320	App.exe
Token: SeDebugPrivilege	1076	Host.exe
Token: SeDebugPrivilege	4532	App.exe
Token: SeDebugPrivilege	1624	Host.exe
Token: SeDebugPrivilege	3520	App.exe
Token: SeDebugPrivilege	864	Host.exe
Token: SeDebugPrivilege	808	App.exe
Token: SeDebugPrivilege	3244	Host.exe
Token: SeDebugPrivilege	872	App.exe
Token: SeDebugPrivilege	1632	Host.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

Windows Update.exe

pid process

1336 Windows Update.exe

pid	process
1336	Windows Update.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

c515a556d7cc1fb7a476fb0fb1aadaaa_JaffaCakes118.execmd.exeApp.execmd.execmd.execoded.exeApp.exeHost.execmd.exeApp.execmd.execmd.exe

description	pid	process	target process
PID 224 wrote to memory of 544	224	c515a556d7cc1fb7a476fb0fb1aadaaa_JaffaCakes118.exe	coded.exe
PID 224 wrote to memory of 544	224	c515a556d7cc1fb7a476fb0fb1aadaaa_JaffaCakes118.exe	coded.exe
PID 224 wrote to memory of 544	224	c515a556d7cc1fb7a476fb0fb1aadaaa_JaffaCakes118.exe	coded.exe
PID 224 wrote to memory of 2760	224	c515a556d7cc1fb7a476fb0fb1aadaaa_JaffaCakes118.exe	schtasks.exe
PID 224 wrote to memory of 2760	224	c515a556d7cc1fb7a476fb0fb1aadaaa_JaffaCakes118.exe	schtasks.exe
PID 224 wrote to memory of 2760	224	c515a556d7cc1fb7a476fb0fb1aadaaa_JaffaCakes118.exe	schtasks.exe
PID 2760 wrote to memory of 2936	2760	cmd.exe	cmd.exe
PID 2760 wrote to memory of 2936	2760	cmd.exe	cmd.exe
PID 2760 wrote to memory of 2936	2760	cmd.exe	cmd.exe
PID 2936 wrote to memory of 4308	2936	App.exe	coded.exe
PID 2936 wrote to memory of 4308	2936	App.exe	coded.exe
PID 2936 wrote to memory of 4308	2936	App.exe	coded.exe
PID 2936 wrote to memory of 1676	2936	App.exe	cmd.exe
PID 2936 wrote to memory of 1676	2936	App.exe	cmd.exe
PID 2936 wrote to memory of 1676	2936	App.exe	cmd.exe
PID 1676 wrote to memory of 1712	1676	cmd.exe	schtasks.exe
PID 1676 wrote to memory of 1712	1676	cmd.exe	schtasks.exe
PID 1676 wrote to memory of 1712	1676	cmd.exe	schtasks.exe
PID 2936 wrote to memory of 2096	2936	App.exe	cmd.exe
PID 2936 wrote to memory of 2096	2936	App.exe	cmd.exe
PID 2936 wrote to memory of 2096	2936	App.exe	cmd.exe
PID 2096 wrote to memory of 3936	2096	cmd.exe	schtasks.exe
PID 2096 wrote to memory of 3936	2096	cmd.exe	schtasks.exe
PID 2096 wrote to memory of 3936	2096	cmd.exe	schtasks.exe
PID 544 wrote to memory of 1336	544	coded.exe	Windows Update.exe
PID 544 wrote to memory of 1336	544	coded.exe	Windows Update.exe
PID 544 wrote to memory of 1336	544	coded.exe	Windows Update.exe
PID 2936 wrote to memory of 4060	2936	App.exe	cmd.exe
PID 2936 wrote to memory of 4060	2936	App.exe	cmd.exe
PID 2936 wrote to memory of 4060	2936	App.exe	cmd.exe
PID 2936 wrote to memory of 4060	2936	App.exe	cmd.exe
PID 2936 wrote to memory of 4060	2936	App.exe	cmd.exe
PID 2936 wrote to memory of 4060	2936	App.exe	cmd.exe
PID 2936 wrote to memory of 4060	2936	App.exe	cmd.exe
PID 2936 wrote to memory of 4060	2936	App.exe	cmd.exe
PID 4060 wrote to memory of 4148	4060	App.exe	cmd.exe
PID 4060 wrote to memory of 4148	4060	App.exe	cmd.exe
PID 4060 wrote to memory of 4148	4060	App.exe	cmd.exe
PID 4148 wrote to memory of 4300	4148	Host.exe	coded.exe
PID 4148 wrote to memory of 4300	4148	Host.exe	coded.exe
PID 4148 wrote to memory of 4300	4148	Host.exe	coded.exe
PID 4148 wrote to memory of 4124	4148	Host.exe	schtasks.exe
PID 4148 wrote to memory of 4124	4148	Host.exe	schtasks.exe
PID 4148 wrote to memory of 4124	4148	Host.exe	schtasks.exe
PID 4124 wrote to memory of 4592	4124	cmd.exe	App.exe
PID 4124 wrote to memory of 4592	4124	cmd.exe	App.exe
PID 4124 wrote to memory of 4592	4124	cmd.exe	App.exe
PID 4592 wrote to memory of 5096	4592	App.exe	cmd.exe
PID 4592 wrote to memory of 5096	4592	App.exe	cmd.exe
PID 4592 wrote to memory of 5096	4592	App.exe	cmd.exe
PID 4592 wrote to memory of 1408	4592	App.exe	cmd.exe
PID 4592 wrote to memory of 1408	4592	App.exe	cmd.exe
PID 4592 wrote to memory of 1408	4592	App.exe	cmd.exe
PID 1408 wrote to memory of 740	1408	cmd.exe	schtasks.exe
PID 1408 wrote to memory of 740	1408	cmd.exe	schtasks.exe
PID 1408 wrote to memory of 740	1408	cmd.exe	schtasks.exe
PID 4592 wrote to memory of 4616	4592	App.exe	coded.exe
PID 4592 wrote to memory of 4616	4592	App.exe	coded.exe
PID 4592 wrote to memory of 4616	4592	App.exe	coded.exe
PID 4616 wrote to memory of 2460	4616	cmd.exe	schtasks.exe
PID 4616 wrote to memory of 2460	4616	cmd.exe	schtasks.exe
PID 4616 wrote to memory of 2460	4616	cmd.exe	schtasks.exe
PID 4592 wrote to memory of 764	4592	App.exe	schtasks.exe
PID 4592 wrote to memory of 764	4592	App.exe	schtasks.exe

C:\Users\Admin\AppData\Local\Temp\c515a556d7cc1fb7a476fb0fb1aadaaa_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\c515a556d7cc1fb7a476fb0fb1aadaaa_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:224
- C:\ProgramData\coded.exe
  "C:\ProgramData\coded.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:544
- - C:\Users\Admin\AppData\Roaming\Windows Update.exe
    "C:\Users\Admin\AppData\Roaming\Windows Update.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:1336
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\\holdermail.txt"
      4⤵
      Accesses Microsoft Outlook accounts
      PID:1452
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /stext "C:\Users\Admin\AppData\Local\Temp\\holderwb.txt"
      4⤵
      PID:4756
- C:\Windows\SysWOW64\cmd.exe
  "cmd"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Users\Admin\AppData\Roaming\App.exe
    "C:\Users\Admin\AppData\Roaming\App.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2936
  - - C:\ProgramData\coded.exe
      "C:\ProgramData\coded.exe"
      4⤵
      Executes dropped EXE
      PID:4308
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1676
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        5⤵
        
        PID:1712
  - - C:\Windows\SysWOW64\cmd.exe
      "cmd"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2096
    - - C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\74904793.xml"
        5⤵
        
        PID:3936
  - - C:\Users\Admin\AppData\Roaming\App.exe
      "C:\Users\Admin\AppData\Roaming\App.exe "
      4⤵
      Executes dropped EXE
      Suspicious use of WriteProcessMemory
      PID:4060
    - - C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        5⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4148
      - C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        6⤵
        Executes dropped EXE
        
        PID:4300
      - C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        6⤵
        Suspicious use of WriteProcessMemory
        
        PID:4124
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        7⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4592
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        8⤵
        Executes dropped EXE
        
        PID:5096
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:1408
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        9⤵
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        8⤵
        Suspicious use of WriteProcessMemory
        
        PID:4616
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\255253727.xml"
        9⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:764
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        9⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4104
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        10⤵
        Executes dropped EXE
        
        PID:3360
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        10⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        11⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:64
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        12⤵
        Executes dropped EXE
        
        PID:3076
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        12⤵
        
        PID:116
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        13⤵
        
        PID:4840
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        12⤵
        
        PID:4072
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\2051533596.xml"
        13⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2760
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        12⤵
        Executes dropped EXE
        
        PID:4536
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        13⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4656
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        14⤵
        Executes dropped EXE
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        14⤵
        
        PID:3608
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        15⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4112
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        16⤵
        Executes dropped EXE
        
        PID:1048
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        16⤵
        
        PID:624
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        17⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        16⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\353636649.xml"
        17⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:688
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        16⤵
        Executes dropped EXE
        
        PID:3320
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        17⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4484
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        18⤵
        Executes dropped EXE
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        18⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        19⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:808
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        20⤵
        Executes dropped EXE
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        20⤵
        
        PID:5096
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        21⤵
        
        PID:4312
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        20⤵
        
        PID:4148
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\2112394922.xml"
        21⤵
        
        PID:1756
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        20⤵
        Executes dropped EXE
        
        PID:2544
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        21⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1816
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        22⤵
        Executes dropped EXE
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        22⤵
        
        PID:4788
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        23⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3360
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        24⤵
        Executes dropped EXE
        
        PID:4356
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        24⤵
        
        PID:3624
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        25⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        24⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1304513511.xml"
        25⤵
        
        PID:1724
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        24⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:540
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        25⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2368
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        26⤵
        Executes dropped EXE
        
        PID:1316
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        26⤵
        
        PID:3684
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        27⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4956
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        28⤵
        Executes dropped EXE
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        28⤵
        
        PID:2936
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        29⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        28⤵
        
        PID:456
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1454431782.xml"
        29⤵
        
        PID:3272
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        28⤵
        Executes dropped EXE
        
        PID:3372
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        29⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2452
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        30⤵
        Executes dropped EXE
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        30⤵
        
        PID:388
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        31⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1928
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        32⤵
        Executes dropped EXE
        
        PID:2940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        32⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        33⤵
        
        PID:764
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        32⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\63294197.xml"
        33⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1972
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        32⤵
        Executes dropped EXE
        
        PID:2156
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        33⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2328
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        34⤵
        Executes dropped EXE
        
        PID:1864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        34⤵
        
        PID:1564
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        35⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4732
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        36⤵
        Executes dropped EXE
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        36⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        37⤵
        
        PID:3340
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        36⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1522384041.xml"
        37⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        36⤵
        Executes dropped EXE
        
        PID:3504
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        37⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4420
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        38⤵
        Executes dropped EXE
        
        PID:4644
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        38⤵
        
        PID:3464
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        39⤵
        
        PID:540
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        39⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4456
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        40⤵
        Executes dropped EXE
        
        PID:5020
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        40⤵
        
        PID:3304
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        41⤵
        
        PID:2108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        40⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\482618347.xml"
        41⤵
        
        PID:3520
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        40⤵
        Executes dropped EXE
        
        PID:4992
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        40⤵
        Executes dropped EXE
        
        PID:1884
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        41⤵
        Checks computer location settings
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:468
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        42⤵
        Executes dropped EXE
        
        PID:2408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        42⤵
        
        PID:4060
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        43⤵
        
        PID:3372
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        43⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:840
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        44⤵
        Executes dropped EXE
        
        PID:3016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        44⤵
        
        PID:388
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        45⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        44⤵
        
        PID:3776
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        45⤵
        
        PID:1756
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\86802040.xml"
        45⤵
        
        PID:4676
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        44⤵
        Executes dropped EXE
        
        PID:4876
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        45⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:3636
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        46⤵
        Executes dropped EXE
        
        PID:4616
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        46⤵
        
        PID:2940
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        47⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1176
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        48⤵
        Executes dropped EXE
        
        PID:3368
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        48⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        49⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        48⤵
        
        PID:1932
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\154754299.xml"
        49⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:916
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        48⤵
        Executes dropped EXE
        
        PID:4952
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        49⤵
        Executes dropped EXE
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1936
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        50⤵
        Executes dropped EXE
        
        PID:2968
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        50⤵
        
        PID:4988
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        51⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1420
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        52⤵
        
        PID:3608
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        52⤵
        
        PID:4660
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        53⤵
        
        PID:688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        52⤵
        
        PID:4520
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        53⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\2025909247.xml"
        53⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5068
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        52⤵
        
        PID:4900
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        52⤵
        
        PID:3304
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        53⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:5040
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        54⤵
        
        PID:3380
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        54⤵
        
        PID:700
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        55⤵
        
        PID:4180
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        55⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4604
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        56⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        56⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        57⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        56⤵
        
        PID:4256
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\178262142.xml"
        57⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5116
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        56⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        56⤵
        
        PID:3308
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        56⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        56⤵
        
        PID:2460
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        57⤵
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:2344
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        58⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        58⤵
        
        PID:1076
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        59⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4648
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        60⤵
        
        PID:3956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        60⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        61⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        60⤵
        
        PID:1448
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1974542011.xml"
        61⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1176
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        60⤵
        
        PID:4984
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        61⤵
        Checks computer location settings
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        62⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        62⤵
        
        PID:4416
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        63⤵
        
        PID:1816
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        63⤵
        Suspicious use of SetThreadContext
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of AdjustPrivilegeToken
        
        PID:4088
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        64⤵
        
        PID:4436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        64⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        65⤵
        
        PID:4844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        64⤵
        
        PID:1348
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1848131583.xml"
        65⤵
        
        PID:3836
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        64⤵
        
        PID:4420
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        65⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1508
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        66⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        66⤵
        
        PID:4184
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        67⤵
        
        PID:388
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        67⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:5096
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        68⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        68⤵
        
        PID:1984
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        69⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        69⤵
        
        PID:4120
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        68⤵
        
        PID:740
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1908992909.xml"
        69⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4304
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        68⤵
        
        PID:316
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        68⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        69⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1544
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        70⤵
        
        PID:3004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        70⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        71⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1188
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        72⤵
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        72⤵
        
        PID:3504
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        73⤵
        
        PID:3148
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        72⤵
        
        PID:2856
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\218355008.xml"
        73⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        72⤵
        
        PID:792
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        73⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3560
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        74⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        74⤵
        
        PID:3936
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        75⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:3464
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        76⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        76⤵
        
        PID:764
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        77⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        77⤵
        
        PID:388
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        76⤵
        
        PID:704
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1237016016.xml"
        77⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        76⤵
        
        PID:5104
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        77⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4184
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        78⤵
        
        PID:4068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        78⤵
        
        PID:4112
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        79⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1680
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        80⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        80⤵
        
        PID:2908
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        81⤵
        
        PID:916
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        81⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        80⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\40409231.xml"
        81⤵
        
        PID:2672
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        80⤵
        
        PID:3368
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        81⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3376
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        82⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        82⤵
        
        PID:3328
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        83⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:2856
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        84⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        84⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        85⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:3372
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1492408142.xml"
        85⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3972
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        84⤵
        System Location Discovery: System Language Discovery
        
        PID:3220
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        85⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4588
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        86⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        86⤵
        
        PID:4456
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        87⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1724
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        88⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        88⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        89⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        88⤵
        
        PID:3700
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1253601039.xml"
        89⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4980
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        88⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        89⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:4400
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        90⤵
        
        PID:3388
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        90⤵
        
        PID:4532
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        91⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:1216
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        92⤵
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        92⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        93⤵
        
        PID:4984
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        92⤵
        
        PID:3216
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1860196943.xml"
        93⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4988
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        92⤵
        
        PID:1364
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        92⤵
        
        PID:3520
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        92⤵
        
        PID:3536
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        92⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        93⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1588
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        94⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        94⤵
        
        PID:4124
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        95⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4828
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        96⤵
        
        PID:4208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        96⤵
        
        PID:544
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        97⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        97⤵
        
        PID:312
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        96⤵
        
        PID:4968
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\738465237.xml"
        97⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2496
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        96⤵
        
        PID:764
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        97⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4300
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        98⤵
        
        PID:5048
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        98⤵
        
        PID:2412
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        99⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:452
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        100⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        100⤵
        
        PID:3000
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        101⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        100⤵
        
        PID:2160
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\806417496.xml"
        101⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        100⤵
        
        PID:4736
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        100⤵
        
        PID:2912
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        101⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:4388
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        102⤵
        
        PID:3336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        102⤵
        
        PID:4416
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        103⤵
        
        PID:876
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        103⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:212
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        104⤵
        
        PID:900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        104⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        105⤵
        
        PID:2276
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        104⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\448122785.xml"
        105⤵
        
        PID:4872
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        104⤵
        
        PID:1316
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        105⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:700
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        106⤵
        
        PID:3580
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        106⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        107⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4320
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        108⤵
        
        PID:740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        108⤵
        
        PID:4112
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        109⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        108⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1286602972.xml"
        109⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        108⤵
        
        PID:4812
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        108⤵
        
        PID:2024
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        109⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:1076
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        110⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        110⤵
        
        PID:4604
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        111⤵
        
        PID:5108
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        111⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:4532
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        112⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        112⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        113⤵
        
        PID:4752
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        112⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\157780333.xml"
        113⤵
        
        PID:1668
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        112⤵
        
        PID:692
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        113⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1624
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        114⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        114⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        115⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:3520
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        116⤵
        
        PID:3880
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        116⤵
        
        PID:1936
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        117⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        117⤵
        
        PID:5052
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        116⤵
        
        PID:2736
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\150857513.xml"
        117⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        116⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        117⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:864
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        118⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        118⤵
        
        PID:3484
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        119⤵
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:808
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        120⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        120⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        121⤵
        
        PID:3384
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        120⤵
        
        PID:5108
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        121⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1289006129.xml"
        121⤵
        System Location Discovery: System Language Discovery
        
        PID:748
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        120⤵
        
        PID:3340
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        121⤵
        Suspicious use of AdjustPrivilegeToken
        
        PID:3244
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        122⤵
        
        PID:876
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        122⤵
        
        PID:5072
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        123⤵
        
        PID:3216
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        123⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        Suspicious use of AdjustPrivilegeToken
        
        PID:872
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        124⤵
        
        PID:1080
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        124⤵
        
        PID:1368
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        125⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        125⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        124⤵
        
        PID:1216
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\92399344.xml"
        125⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4656
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        124⤵
        
        PID:4672
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        125⤵
        Checks computer location settings
        Suspicious use of AdjustPrivilegeToken
        
        PID:1632
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        126⤵
        
        PID:3744
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        126⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        127⤵
        Suspicious use of SetThreadContext
        
        PID:704
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        128⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        128⤵
        
        PID:3836
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        129⤵
        
        PID:2096
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        128⤵
        
        PID:3484
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\811391923.xml"
        129⤵
        
        PID:4640
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        128⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        129⤵
        System Location Discovery: System Language Discovery
        
        PID:1068
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        130⤵
        
        PID:5104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        130⤵
        
        PID:3120
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        131⤵
        Suspicious use of SetThreadContext
        
        PID:748
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        132⤵
        
        PID:864
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        132⤵
        
        PID:1048
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        133⤵
        
        PID:3360
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        132⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1530384502.xml"
        133⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1940
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        132⤵
        
        PID:4476
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        133⤵
        Checks computer location settings
        
        PID:5068
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        134⤵
        
        PID:2464
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        134⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        135⤵
        Suspicious use of SetThreadContext
        
        PID:4656
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        136⤵
        
        PID:1004
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        136⤵
        
        PID:668
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        137⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        136⤵
        
        PID:5088
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1059693116.xml"
        137⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        136⤵
        
        PID:4148
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        137⤵
        
        PID:5112
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        138⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        138⤵
        
        PID:4224
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        139⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        
        PID:4120
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        140⤵
        
        PID:624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        140⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        141⤵
        
        PID:4620
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        140⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1127645375.xml"
        141⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4812
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        140⤵
        
        PID:1176
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        140⤵
        
        PID:4792
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        141⤵
        Checks computer location settings
        
        PID:5104
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        142⤵
        
        PID:792
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        142⤵
        
        PID:3608
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        143⤵
        Suspicious use of SetThreadContext
        
        PID:3056
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        144⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        144⤵
        
        PID:3940
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        145⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        144⤵
        
        PID:456
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1001234947.xml"
        145⤵
        
        PID:3272
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        144⤵
        
        PID:2444
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        144⤵
        
        PID:3092
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        144⤵
        
        PID:3220
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        145⤵
        
        PID:2464
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        146⤵
        
        PID:3572
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        146⤵
        
        PID:4312
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        147⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        
        PID:212
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        148⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        148⤵
        
        PID:4668
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        149⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        148⤵
        
        PID:3936
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1525864839.xml"
        149⤵
        
        PID:3016
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        148⤵
        
        PID:4304
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        149⤵
        
        PID:548
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        150⤵
        
        PID:3268
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        150⤵
        
        PID:4608
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        151⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        
        PID:1404
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        152⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        152⤵
        
        PID:3240
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        153⤵
        
        PID:2372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        152⤵
        
        PID:2712
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1586726165.xml"
        153⤵
        
        PID:2100
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        152⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        152⤵
        
        PID:5084
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        153⤵
        
        PID:640
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        154⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        154⤵
        
        PID:224
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        155⤵
        
        PID:3272
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        155⤵
        Suspicious use of SetThreadContext
        
        PID:3308
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        156⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        156⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        157⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        156⤵
        
        PID:544
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\397210313.xml"
        157⤵
        
        PID:4088
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        156⤵
        
        PID:5052
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        157⤵
        
        PID:2396
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        158⤵
        
        PID:4832
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        158⤵
        
        PID:3756
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        159⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:1928
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        160⤵
        
        PID:4456
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        160⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        161⤵
        
        PID:2120
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        160⤵
        
        PID:4024
        
        C:\Windows\System32\Conhost.exe
        
        \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        161⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1992036562.xml"
        161⤵
        
        PID:2856
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        160⤵
        
        PID:4620
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        161⤵
        
        PID:3824
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        162⤵
        
        PID:4976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        162⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        163⤵
        Suspicious use of SetThreadContext
        
        PID:4120
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        164⤵
        
        PID:548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        164⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        165⤵
        
        PID:5084
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        164⤵
        
        PID:1188
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\900735519.xml"
        165⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:64
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        164⤵
        
        PID:740
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        165⤵
        
        PID:2016
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        166⤵
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        166⤵
        
        PID:2604
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        167⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        
        PID:4500
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        168⤵
        System Location Discovery: System Language Discovery
        
        PID:1816
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        168⤵
        
        PID:536
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        169⤵
        
        PID:3520
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        168⤵
        
        PID:4580
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1851612381.xml"
        169⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        168⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        168⤵
        
        PID:2436
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        169⤵
        Checks computer location settings
        
        PID:4856
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        170⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        170⤵
        
        PID:4288
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        171⤵
        Suspicious use of SetThreadContext
        
        PID:5088
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        172⤵
        
        PID:860
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        172⤵
        
        PID:2872
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        173⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        172⤵
        
        PID:4168
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\423121313.xml"
        173⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        172⤵
        
        PID:2288
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        173⤵
        
        PID:2128
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        174⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        174⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        175⤵
        Suspicious use of SetThreadContext
        
        PID:3160
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        176⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        176⤵
        
        PID:3996
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        177⤵
        System Location Discovery: System Language Discovery
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        176⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1060147880.xml"
        177⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:4900
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        176⤵
        
        PID:224
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        176⤵
        
        PID:1076
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        177⤵
        
        PID:792
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        178⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        178⤵
        
        PID:3376
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        179⤵
        Suspicious use of SetThreadContext
        
        PID:1664
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        180⤵
        
        PID:3684
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        180⤵
        
        PID:1848
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        181⤵
        System Location Discovery: System Language Discovery
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        180⤵
        
        PID:952
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\207822053.xml"
        181⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2160
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        180⤵
        
        PID:2360
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        181⤵
        
        PID:3224
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        182⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        182⤵
        
        PID:964
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        183⤵
        Suspicious use of SetThreadContext
        
        PID:3268
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        184⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        184⤵
        System Location Discovery: System Language Discovery
        
        PID:60
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        185⤵
        
        PID:1420
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        184⤵
        
        PID:4792
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\388170987.xml"
        185⤵
        
        PID:2780
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        184⤵
        
        PID:4724
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        185⤵
        
        PID:1376
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        186⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        186⤵
        
        PID:748
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        187⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        
        PID:4448
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        188⤵
        
        PID:4404
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        188⤵
        
        PID:1364
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        189⤵
        
        PID:796
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        188⤵
        
        PID:116
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1758203886.xml"
        189⤵
        
        PID:3428
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        188⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        189⤵
        
        PID:1972
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        190⤵
        
        PID:4604
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        190⤵
        
        PID:1368
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        191⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:5072
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        192⤵
        
        PID:212
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        192⤵
        
        PID:668
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        193⤵
        
        PID:640
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        192⤵
        
        PID:4640
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\22953456.xml"
        193⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4224
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        192⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        193⤵
        
        PID:2148
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        194⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        194⤵
        
        PID:860
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        195⤵
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        
        PID:3916
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        196⤵
        
        PID:4180
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        196⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        197⤵
        
        PID:2448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        196⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1812142392.xml"
        197⤵
        
        PID:4724
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        196⤵
        
        PID:4184
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        196⤵
        
        PID:516
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        196⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        197⤵
        
        PID:5084
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        198⤵
        
        PID:3632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        198⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        199⤵
        Suspicious use of SetThreadContext
        
        PID:2868
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        200⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        200⤵
        
        PID:2604
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        201⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        200⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1917616247.xml"
        201⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3776
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        200⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        201⤵
        
        PID:1004
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        202⤵
        
        PID:4500
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        202⤵
        
        PID:3464
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        203⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        
        PID:3684
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        204⤵
        System Location Discovery: System Language Discovery
        
        PID:1348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        204⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        205⤵
        
        PID:3132
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        204⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1985568506.xml"
        205⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:5072
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        204⤵
        
        PID:4668
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        204⤵
        
        PID:4484
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        205⤵
        
        PID:4376
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        206⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        206⤵
        
        PID:920
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        207⤵
        Suspicious use of SetThreadContext
        
        PID:3484
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        208⤵
        
        PID:64
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        208⤵
        
        PID:3016
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        209⤵
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        208⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1934033157.xml"
        209⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:516
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        208⤵
        
        PID:4964
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        209⤵
        
        PID:3120
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        210⤵
        
        PID:1940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        210⤵
        
        PID:3216
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        211⤵
        Suspicious use of SetThreadContext
        
        PID:4060
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        212⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        212⤵
        
        PID:3776
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        213⤵
        
        PID:4348
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        212⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\86386052.xml"
        213⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3452
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        212⤵
        
        PID:3572
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        213⤵
        
        PID:3972
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        214⤵
        
        PID:4920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        214⤵
        
        PID:4388
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        215⤵
        Suspicious use of SetThreadContext
        
        PID:4716
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        216⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        216⤵
        
        PID:704
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        217⤵
        
        PID:1628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        216⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\341610065.xml"
        217⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1936
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        216⤵
        
        PID:232
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        217⤵
        
        PID:1928
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        218⤵
        
        PID:468
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        218⤵
        
        PID:2908
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        219⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        
        PID:60
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        220⤵
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        220⤵
        
        PID:1668
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        221⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        220⤵
        
        PID:4416
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\529049932.xml"
        221⤵
        
        PID:3644
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        220⤵
        
        PID:5048
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        221⤵
        
        PID:2024
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        222⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        222⤵
        
        PID:4848
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        223⤵
        Suspicious use of SetThreadContext
        
        PID:3504
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        224⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        224⤵
        System Location Discovery: System Language Discovery
        
        PID:2868
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        225⤵
        
        PID:1172
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        224⤵
        
        PID:916
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1667198548.xml"
        225⤵
        
        PID:1492
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        224⤵
        
        PID:312
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        224⤵
        
        PID:2956
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        225⤵
        
        PID:2836
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        226⤵
        
        PID:4992
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        226⤵
        
        PID:3880
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        227⤵
        Suspicious use of SetThreadContext
        
        PID:4068
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        228⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        228⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        229⤵
        
        PID:4956
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        228⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\358195088.xml"
        229⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3320
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        228⤵
        
        PID:1408
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        228⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        229⤵
        Checks computer location settings
        
        PID:4872
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        230⤵
        
        PID:3652
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        230⤵
        
        PID:1860
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        231⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        
        PID:900
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        232⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        232⤵
        
        PID:4376
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        233⤵
        
        PID:5040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        232⤵
        
        PID:4560
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1196675275.xml"
        233⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        232⤵
        
        PID:1688
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        233⤵
        
        PID:4804
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        234⤵
        
        PID:2168
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        234⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        235⤵
        Suspicious use of SetThreadContext
        
        PID:4848
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        236⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        236⤵
        
        PID:1492
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        237⤵
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        236⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\2102939608.xml"
        237⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        236⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        236⤵
        
        PID:4400
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        237⤵
        
        PID:3324
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        238⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        238⤵
        
        PID:1700
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        239⤵
        Suspicious use of SetThreadContext
        
        PID:3148
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        240⤵
        
        PID:4988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        240⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        241⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        240⤵
        
        PID:4728
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1983620113.xml"
        241⤵
        
        PID:4844
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        240⤵
        
        PID:4256
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        241⤵
        System Location Discovery: System Language Discovery
        
        PID:964
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        242⤵
        
        PID:4516
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        242⤵
        
        PID:5088
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        243⤵
        Suspicious use of SetThreadContext
        
        PID:3260
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        244⤵
        
        PID:4836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        244⤵
        
        PID:1916
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        245⤵
        
        PID:4964
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        244⤵
        
        PID:4556
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1819688089.xml"
        245⤵
        
        PID:1032
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        244⤵
        
        PID:4868
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        245⤵
        
        PID:1688
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        246⤵
        
        PID:4900
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        246⤵
        
        PID:1648
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        247⤵
        Checks computer location settings
        Suspicious use of SetThreadContext
        
        PID:2140
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        248⤵
        
        PID:1360
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        248⤵
        
        PID:312
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        249⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        248⤵
        
        PID:2624
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\2074912102.xml"
        249⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4216
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        248⤵
        
        PID:4292
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        249⤵
        Checks computer location settings
        
        PID:4244
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        250⤵
        
        PID:2988
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        250⤵
        
        PID:4920
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        251⤵
        System Location Discovery: System Language Discovery
        
        PID:3684
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        252⤵
        
        PID:1192
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        252⤵
        
        PID:1664
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        253⤵
        
        PID:2836
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        252⤵
        
        PID:1480
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\346752605.xml"
        253⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        252⤵
        
        PID:4832
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        253⤵
        
        PID:3384
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        254⤵
        
        PID:2336
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        254⤵
        
        PID:3744
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        255⤵
        
        PID:1912
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        256⤵
        
        PID:4184
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        256⤵
        System Location Discovery: System Language Discovery
        
        PID:636
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        257⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        256⤵
        
        PID:4528
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1253016938.xml"
        257⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4940
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        256⤵
        
        PID:868
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        257⤵
        
        PID:4120
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        258⤵
        
        PID:4100
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        258⤵
        
        PID:448
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        259⤵
        Checks computer location settings
        
        PID:4476
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        260⤵
        
        PID:5036
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        260⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        261⤵
        
        PID:4060
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        260⤵
        System Location Discovery: System Language Discovery
        
        PID:2368
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1979100450.xml"
        261⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3776
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        260⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        261⤵
        
        PID:3452
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        262⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        262⤵
        
        PID:952
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        263⤵
        System Location Discovery: System Language Discovery
        
        PID:3464
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        264⤵
        
        PID:4028
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        264⤵
        
        PID:2444
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        265⤵
        
        PID:4820
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        264⤵
        
        PID:668
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1927565101.xml"
        265⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:388
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        264⤵
        
        PID:4956
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        265⤵
        
        PID:4024
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        266⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        266⤵
        
        PID:4044
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        267⤵
        Checks computer location settings
        
        PID:4484
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        268⤵
        
        PID:3252
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        268⤵
        
        PID:1928
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        269⤵
        
        PID:4872
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        268⤵
        
        PID:2288
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\79917996.xml"
        269⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1868
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        268⤵
        
        PID:4468
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        268⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        269⤵
        
        PID:3712
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        270⤵
        
        PID:3428
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        270⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        271⤵
        
        PID:456
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        272⤵
        
        PID:4124
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        272⤵
        
        PID:1316
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        273⤵
        
        PID:700
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        272⤵
        
        PID:4960
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\447538684.xml"
        273⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4740
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        272⤵
        
        PID:2368
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        273⤵
        
        PID:4404
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        274⤵
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        274⤵
        
        PID:4972
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        275⤵
        Checks computer location settings
        
        PID:5092
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        276⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        276⤵
        
        PID:1800
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        277⤵
        
        PID:1972
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        276⤵
        
        PID:2016
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1899537595.xml"
        277⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:232
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        276⤵
        
        PID:216
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        276⤵
        
        PID:5096
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        277⤵
        
        PID:4300
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        278⤵
        
        PID:3372
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        278⤵
        
        PID:2996
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        279⤵
        
        PID:4632
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        280⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        280⤵
        
        PID:1860
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        281⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        280⤵
        
        PID:4876
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\934815093.xml"
        281⤵
        
        PID:5112
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        280⤵
        
        PID:4940
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        281⤵
        
        PID:2448
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        282⤵
        
        PID:4724
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        282⤵
        
        PID:2584
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        283⤵
        
        PID:3380
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        284⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        284⤵
        
        PID:2408
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        285⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        284⤵
        
        PID:3844
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\883279744.xml"
        285⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4740
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        284⤵
        
        PID:3272
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        285⤵
        Checks computer location settings
        
        PID:4672
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        286⤵
        
        PID:2368
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        286⤵
        System Location Discovery: System Language Discovery
        
        PID:2664
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        287⤵
        Checks computer location settings
        
        PID:872
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        288⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        288⤵
        
        PID:2436
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        289⤵
        
        PID:4320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        288⤵
        
        PID:1408
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1909031685.xml"
        289⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:2372
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        288⤵
        
        PID:1628
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        289⤵
        
        PID:1680
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        290⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        290⤵
        
        PID:792
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        291⤵
        Checks computer location settings
        
        PID:1368
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        292⤵
        System Location Discovery: System Language Discovery
        
        PID:2996
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        292⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        293⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        292⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1019184262.xml"
        293⤵
        
        PID:4556
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        292⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        293⤵
        
        PID:3624
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        294⤵
        
        PID:4940
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        294⤵
        
        PID:5116
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        295⤵
        
        PID:2124
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        296⤵
        
        PID:3208
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        296⤵
        
        PID:5080
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        297⤵
        System Location Discovery: System Language Discovery
        
        PID:4736
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        296⤵
        
        PID:2024
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\855252238.xml"
        297⤵
        
        PID:1940
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        296⤵
        
        PID:2776
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        297⤵
        
        PID:3376
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        298⤵
        System Location Discovery: System Language Discovery
        
        PID:4960
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        298⤵
        
        PID:4216
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        299⤵
        
        PID:2088
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        300⤵
        
        PID:2912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        300⤵
        
        PID:4388
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        301⤵
        
        PID:2156
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        300⤵
        
        PID:4512
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1274576388.xml"
        301⤵
        
        PID:1716
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        300⤵
        
        PID:4304
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        301⤵
        
        PID:3368
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        302⤵
        
        PID:1056
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        302⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        303⤵
        Checks computer location settings
        
        PID:2968
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        304⤵
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        304⤵
        
        PID:2460
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        305⤵
        
        PID:1012
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        304⤵
        
        PID:3932
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1642197076.xml"
        305⤵
        
        PID:3360
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        304⤵
        
        PID:4608
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        304⤵
        
        PID:1232
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        305⤵
        
        PID:5108
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        306⤵
        System Location Discovery: System Language Discovery
        
        PID:1368
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        306⤵
        
        PID:1512
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        307⤵
        
        PID:4180
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        308⤵
        
        PID:4024
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        308⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        309⤵
        
        PID:748
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        308⤵
        
        PID:1284
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1103721544.xml"
        309⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1492
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        308⤵
        
        PID:5008
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        308⤵
        
        PID:700
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        309⤵
        
        PID:3208
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        310⤵
        
        PID:448
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        310⤵
        
        PID:1576
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        311⤵
        Checks computer location settings
        
        PID:3216
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        312⤵
        
        PID:1412
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        312⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        313⤵
        
        PID:1688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        312⤵
        
        PID:4592
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1358945557.xml"
        313⤵
        
        PID:3580
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        312⤵
        
        PID:704
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        312⤵
        
        PID:1936
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        313⤵
        
        PID:2348
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        314⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        314⤵
        
        PID:2276
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        315⤵
        
        PID:3972
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        316⤵
        
        PID:5092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        316⤵
        
        PID:2396
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        317⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        316⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\349610526.xml"
        317⤵
        
        PID:4312
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        316⤵
        
        PID:1868
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        317⤵
        Checks computer location settings
        
        PID:2460
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        318⤵
        
        PID:1104
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        318⤵
        
        PID:4836
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        319⤵
        
        PID:4156
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        320⤵
        
        PID:4856
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        320⤵
        
        PID:3644
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        321⤵
        
        PID:3548
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        320⤵
        System Location Discovery: System Language Discovery
        
        PID:1808
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\230291031.xml"
        321⤵
        
        PID:4436
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        320⤵
        
        PID:548
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        320⤵
        
        PID:4572
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        321⤵
        
        PID:5116
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        322⤵
        
        PID:2544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        322⤵
        
        PID:3316
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        323⤵
        
        PID:2624
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        324⤵
        
        PID:692
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        324⤵
        
        PID:1576
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        325⤵
        
        PID:4540
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        324⤵
        
        PID:2700
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\417730898.xml"
        325⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        324⤵
        
        PID:1004
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        325⤵
        
        PID:2664
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        326⤵
        System Location Discovery: System Language Discovery
        
        PID:3216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        326⤵
        
        PID:1972
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        327⤵
        
        PID:4148
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        328⤵
        
        PID:4452
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        328⤵
        
        PID:4304
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        329⤵
        
        PID:4656
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        328⤵
        
        PID:5016
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1975035551.xml"
        329⤵
        
        PID:4312
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        328⤵
        
        PID:3372
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        329⤵
        
        PID:3632
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        330⤵
        
        PID:1648
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        330⤵
        
        PID:3744
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        331⤵
        
        PID:1916
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        332⤵
        
        PID:1232
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        332⤵
        
        PID:2360
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        333⤵
        
        PID:3688
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        332⤵
        
        PID:748
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\666032091.xml"
        333⤵
        
        PID:3776
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        332⤵
        
        PID:3224
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        333⤵
        
        PID:3428
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        334⤵
        
        PID:3128
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        334⤵
        
        PID:4448
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        335⤵
        Checks computer location settings
        
        PID:5080
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        336⤵
        
        PID:1920
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        336⤵
        
        PID:4732
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        337⤵
        
        PID:1544
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        336⤵
        
        PID:2868
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1691784032.xml"
        337⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:456
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        336⤵
        
        PID:4396
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        336⤵
        
        PID:1720
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        336⤵
        System Location Discovery: System Language Discovery
        
        PID:4820
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        337⤵
        
        PID:796
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        338⤵
        
        PID:5116
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        338⤵
        
        PID:2624
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        339⤵
        
        PID:4828
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        340⤵
        
        PID:3376
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        340⤵
        
        PID:2020
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        341⤵
        
        PID:3320
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        340⤵
        
        PID:4428
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1759736291.xml"
        341⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4312
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        340⤵
        
        PID:4028
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        341⤵
        
        PID:4304
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        342⤵
        
        PID:3712
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        342⤵
        
        PID:3308
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        343⤵
        Checks computer location settings
        System Location Discovery: System Language Discovery
        
        PID:1488
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        344⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        344⤵
        
        PID:4044
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        345⤵
        System Location Discovery: System Language Discovery
        
        PID:4424
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        344⤵
        
        PID:5032
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\944763947.xml"
        345⤵
        System Location Discovery: System Language Discovery
        Scheduled Task/Job: Scheduled Task
        
        PID:1036
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        344⤵
        
        PID:3964
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        345⤵
        
        PID:1304
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        346⤵
        
        PID:216
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        346⤵
        
        PID:636
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        347⤵
        
        PID:3024
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        348⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        348⤵
        
        PID:2164
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        349⤵
        
        PID:2780
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        348⤵
        
        PID:2908
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\825444452.xml"
        349⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:1544
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        348⤵
        
        PID:452
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        349⤵
        
        PID:2304
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        350⤵
        
        PID:1720
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        350⤵
        
        PID:3004
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        351⤵
        
        PID:2108
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        352⤵
        
        PID:4564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        352⤵
        System Location Discovery: System Language Discovery
        
        PID:4992
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        353⤵
        
        PID:1068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        352⤵
        
        PID:1032
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\961180857.xml"
        353⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3228
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        352⤵
        
        PID:4996
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        352⤵
        
        PID:2172
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        353⤵
        
        PID:4164
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        354⤵
        
        PID:4672
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        354⤵
        
        PID:4728
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        355⤵
        
        PID:792
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        356⤵
        
        PID:5068
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        356⤵
        System Location Discovery: System Language Discovery
        
        PID:4068
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        357⤵
        
        PID:1564
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        356⤵
        
        PID:4716
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1680173436.xml"
        357⤵
        
        PID:2096
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        356⤵
        
        PID:5032
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        357⤵
        
        PID:4376
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        358⤵
        
        PID:4952
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        358⤵
        
        PID:3632
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        359⤵
        Checks computer location settings
        
        PID:116
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        360⤵
        
        PID:5008
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        360⤵
        
        PID:4448
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        361⤵
        
        PID:2628
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        360⤵
        
        PID:1220
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\483566651.xml"
        361⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3476
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        360⤵
        
        PID:3224
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        360⤵
        
        PID:1924
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        361⤵
        
        PID:2496
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        362⤵
        
        PID:2980
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        362⤵
        
        PID:3156
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        363⤵
        
        PID:1940
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        364⤵
        
        PID:1936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        364⤵
        
        PID:3560
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        365⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        364⤵
        
        PID:1752
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1741202875.xml"
        365⤵
        
        PID:3504
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        364⤵
        
        PID:2700
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        365⤵
        Checks computer location settings
        
        PID:1576
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        366⤵
        
        PID:3092
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        366⤵
        
        PID:4616
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        367⤵
        
        PID:4668
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        368⤵
        
        PID:516
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        368⤵
        
        PID:3328
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        369⤵
        
        PID:4908
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        368⤵
        
        PID:1976
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1270511489.xml"
        369⤵
        
        PID:1036
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        368⤵
        
        PID:4716
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        369⤵
        
        PID:4848
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        370⤵
        
        PID:4812
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        370⤵
        
        PID:3012
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        371⤵
        Checks computer location settings
        
        PID:1632
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        372⤵
        
        PID:1496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        372⤵
        
        PID:836
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        373⤵
        
        PID:4740
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        372⤵
        
        PID:3476
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1802232314.xml"
        373⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:4448
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        372⤵
        
        PID:2408
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        373⤵
        Checks computer location settings
        
        PID:4184
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        374⤵
        
        PID:2776
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        374⤵
        
        PID:2988
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        375⤵
        
        PID:3344
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        376⤵
        
        PID:2488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        376⤵
        
        PID:4884
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        377⤵
        
        PID:1040
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        376⤵
        
        PID:1816
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\680500608.xml"
        377⤵
        Scheduled Task/Job: Scheduled Task
        
        PID:3700
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        376⤵
        
        PID:2836
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        377⤵
        
        PID:1068
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        378⤵
        System Location Discovery: System Language Discovery
        
        PID:4792
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        378⤵
        
        PID:4976
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        379⤵
        
        PID:4660
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        380⤵
        
        PID:4944
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        380⤵
        
        PID:4088
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        381⤵
        System Location Discovery: System Language Discovery
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        380⤵
        
        PID:64
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\2125408586.xml"
        381⤵
        
        PID:4452
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        380⤵
        
        PID:4788
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        381⤵
        
        PID:4556
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        382⤵
        
        PID:4308
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        382⤵
        
        PID:4068
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        383⤵
        
        PID:1368
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        384⤵
        System Location Discovery: System Language Discovery
        
        PID:1488
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        384⤵
        
        PID:3012
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        385⤵
        
        PID:1912
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        384⤵
        
        PID:4244
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Create /TN "Update\Update" /XML "C:\Users\Admin\AppData\Local\Temp\1961476562.xml"
        385⤵
        
        PID:3252
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe "
        384⤵
        
        PID:1392
        
        C:\Users\Admin\AppData\Roaming\Install\Host.exe
        
        "C:\Users\Admin\AppData\Roaming\Install\Host.exe"
        385⤵
        Checks computer location settings
        
        PID:1304
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        386⤵
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        386⤵
        
        PID:1544
        
        C:\Users\Admin\AppData\Roaming\App.exe
        
        "C:\Users\Admin\AppData\Roaming\App.exe"
        387⤵
        Checks computer location settings
        
        PID:1412
        
        C:\ProgramData\coded.exe
        
        "C:\ProgramData\coded.exe"
        388⤵
        
        PID:180
        
        C:\Windows\SysWOW64\cmd.exe
        
        "cmd"
        388⤵
        
        PID:4396
        
        C:\Windows\SysWOW64\schtasks.exe
        
        schtasks.exe /Delete /TN "Update\Update" /F
        389⤵
        
        PID:1624

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
1⤵
PID:456

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
PID:1884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Email Collection

1

T1114

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\coded.exe

Filesize
413KB

MD5
6f4527c944a09f03e5305f5703289da2

SHA1
08c05780d832707e88b3b37290d80f3d00e74157

SHA256
2070b034b0fad170c6d7b07f0ea417bd975cc97a74269cdebff9fb17b0843326

SHA512
d61aa7d56ee8989c86c201461cf6729efb87ca84cc1d31ea2928f50229ab621df0d7e0d21b14ef9a97185c7a225b9dccb983a3a72c035cee58c11e41740a0f2b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v2.0_32\UsageLogs\coded.exe.log

Filesize
774B

MD5
049b2c7e274ebb68f3ada1961c982a22

SHA1
796b9f03c8cd94617ea26aaf861af9fb2a5731db

SHA256
5c69c41dceda1bb32d4054d6b483bb3e3af84c8cf0a6191c79068168a1d506b3

SHA512
fb2ee642e1401772d514e86b0b8dd117659335066242e85c158b40e8912572f2bd7b9a0f63f9b9f4d7a2e051579345215f6b1f147881f3d1e78f335c45d78ebf

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\App.exe.log

Filesize
418B

MD5
2f51ee33b74ab710e289b65a7b580c9b

SHA1
031f919473e89c4a463360c7a898fda986836470

SHA256
bdb480893a7d1acc95b67f49dd12a0c1f69b75d1908536d0cc1350ebfbb5cc58

SHA512
927bd82da2cc751b6b2c97efc33019b8977f2d78d467b363cf609e27a3ac8986e0b4c3b4d025be9fe87f50db51285b115b97ae7d0ae642daae2910d44ad9ec5a

Download Submit
C:\Users\Admin\AppData\Local\Temp\74904793.xml

Filesize
1KB

MD5
6a65257cf4513585ac0d3d2fe3f0f012

SHA1
99b38d197c60075e5311944c04c2d45197a63e55

SHA256
782ea635c06ed294a4cef4d7840ba860a08aa459bbdd396926aef94cc08c57eb

SHA512
dbdbcc84ea170a88ba2a320c72f05009421c61f0104307bc3a012f32f9e2b14a5eb62b3cb9d897ae2d0d7b38cdfc065038675d0882d3b2614dfbdc21a9c76ea1

Download Submit
C:\Users\Admin\AppData\Local\Temp\SysInfo.txt

Filesize
24B

MD5
717d227537a0be6a697f3badec5895c8

SHA1
8df80636d0a80d54ac950df4eae550c12bcfd82f

SHA256
0b4d17c6136ea4248f345cd61e0cb19908ee1a519959385151cc10043f7957d1

SHA512
5ae0a10530bb7dc828eb41ef8e50974426fb5fb2af9112804d15b8f31b0941579b934dbac5ebce01aeaacc48dbcac4378cd1d865c47ecbdf34631e6cb86fc73e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Update.txt

Filesize
48B

MD5
d7fe3f3fd6d7fc891a51fb1ef6014e0e

SHA1
70513c15819eb9ee9a78184717e82fb35827a019

SHA256
542fb9c0cad223be6decd0ed02789288029cf793d60bce350df537fadfd53358

SHA512
f44035ea6da2f26552e47be1b5eb667ead26bf15b74012e1b7943d71c55e358846fe176bfdfa56a266411457ba11e0f25fc4381eef49d80dc21dc52fc8aab50d

Download Submit
C:\Users\Admin\AppData\Roaming\App.exe

Filesize
705KB

MD5
c515a556d7cc1fb7a476fb0fb1aadaaa

SHA1
c5690d2abee36e06c2c40dceba693bc7eeeda7be

SHA256
4ba67a000526a4abcf098ab1671fae28996f0db56a67bdeb36d2ef653e34c35b

SHA512
ceb6047816345ad1767698982d448d48accc1e9b22f0fb7ca9c9233444523531b9ef672041dc73ce6a6b6f22fd7263ca882d6fb19288d0dd726cb7c0eb94a1a2

Download Submit
memory/224-4-0x0000000074C40000-0x00000000753F0000-memory.dmp

Filesize
7.7MB

Download
memory/224-6-0x00000000053E0000-0x0000000005478000-memory.dmp

Filesize
608KB

Download
memory/224-1-0x0000000000330000-0x00000000003E6000-memory.dmp

Filesize
728KB

Download
memory/224-5-0x00000000050F0000-0x000000000516A000-memory.dmp

Filesize
488KB

Download
memory/224-27-0x0000000074C40000-0x00000000753F0000-memory.dmp

Filesize
7.7MB

Download
memory/224-0-0x0000000074C4E000-0x0000000074C4F000-memory.dmp

Filesize
4KB

Download
memory/224-2-0x0000000005560000-0x0000000005B04000-memory.dmp

Filesize
5.6MB

Download
memory/224-3-0x0000000005050000-0x00000000050EC000-memory.dmp

Filesize
624KB

Download
memory/544-23-0x00000000713D0000-0x0000000071981000-memory.dmp

Filesize
5.7MB

Download
memory/544-47-0x00000000713D0000-0x0000000071981000-memory.dmp

Filesize
5.7MB

Download
memory/544-19-0x00000000713D2000-0x00000000713D3000-memory.dmp

Filesize
4KB

Download
memory/544-20-0x00000000713D0000-0x0000000071981000-memory.dmp

Filesize
5.7MB

Download
memory/764-96-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/764-95-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/1452-248-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1452-247-0x0000000000420000-0x00000000004E9000-memory.dmp

Filesize
804KB

Download
memory/1452-245-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/1452-246-0x0000000000400000-0x000000000041C000-memory.dmp

Filesize
112KB

Download
memory/2936-55-0x0000000074C40000-0x00000000753F0000-memory.dmp

Filesize
7.7MB

Download
memory/2936-28-0x0000000074C40000-0x00000000753F0000-memory.dmp

Filesize
7.7MB

Download
memory/2936-26-0x0000000074C4E000-0x0000000074C4F000-memory.dmp

Filesize
4KB

Download
memory/4060-52-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4060-50-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4060-48-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4420-526-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4420-525-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4536-136-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4536-137-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4756-519-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4756-520-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4756-532-0x0000000000400000-0x0000000000457000-memory.dmp

Filesize
348KB

Download
memory/4876-386-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/4876-385-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5004-3037-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download
memory/5004-3031-0x0000000000400000-0x0000000000423000-memory.dmp

Filesize
140KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Extracted

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads