Analysis
max time kernel: 149s
max time network: 142s
platform: windows7_x64
resource: win7-20220718-en
resource tags: arch:x64, arch:x86, image:win7-20220718-en, locale:en-us, os:windows7-x64, system
submitted: 20-07-2022 12:47
Static task: static1
Behavioral task: behavioral1
Sample: RFQ#-SWMKA-07101.js
Resource: win7-20220718-en

General
Target: RFQ#-SWMKA-07101.js
Size: 891KB
MD5: fecd15e5dbf479eb20796e50555acd67
SHA1: 71f419889ef0b86b04b752cf9ad59b46253c3bf5
SHA256: 4e1931a0ea86afa05c45d032854ecb675aedf8481540e7ca14141b955d0c30e9
SHA512: 18360f56243bb5393dd7cf9786e96f9cb5bff0983228ac3c721c1d46821304c46908fbf4c70a172165d85fc6d31917db5c7c37777958b8f671a53fb4e9a86554
Malware Config
Signatures

UAC bypass
Process: taskkill.exe
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"
EnableLUA = 0 switches UAC off entirely from the next logon; ConsentPromptBehaviorAdmin = 0 elevates administrators without prompting, ConsentPromptBehaviorUser = 0 silently denies elevation requests from standard users, and PromptOnSecureDesktop = 0 moves any remaining prompt off the secure desktop.
Attribution caveat: these writes, and the Image File Execution Options writes below, are credited to taskkill.exe PID 1812, but taskkill.exe does not modify the registry. In this run PID 1812 is first regedit.exe, launched as "regedit.exe /s C:\Users\Admin\AppData\Local\Temp\ZjeQKPQcps4321640455782759454.reg", and is later reused by two taskkill.exe instances (see the process tree). The silent .reg import is the plausible source of every registry write in this section; the taskkill.exe label is a PID-reuse artefact of the sandbox's bookkeeping.
Disables Task Manager via registry modification
-
Disables use of System Restore points 1 TTPs
-
Sets file execution options in registry 2 TTPs 64 IoCs
A Debugger value under Image File Execution Options\<image> makes Windows start the named "debugger" (here svchost.exe) with the original command line as its argument instead of the image itself, so each listed security or packet-capture tool silently fails to launch the next time it is started. The "Key created" entries are the IFEO subkeys the sample creates before populating them. Both this list and the WriteProcessMemory list below stop at exactly 64 entries (the latter mid-triplet), so 64 is a display cap and the real IFEO set is probably larger; that is why some images appear with a created key but no debugger value and vice versa.
Process: taskkill.exe (see the attribution caveat under UAC bypass). All keys are under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\, abbreviated IFEO\ below.
- Key created IFEO\FilUp.exe
- Key created IFEO\BullGuardBhvScanner.exe
- Set value (str) IFEO\escanpro.exe\debugger = "svchost.exe"
- Key created IFEO\K7CrvSvc.exe
- Set value (str) IFEO\acs.exe\debugger = "svchost.exe"
- Set value (str) IFEO\SBAMSvc.exe\debugger = "svchost.exe"
- Set value (str) IFEO\text2pcap.exe\debugger = "svchost.exe"
- Key created IFEO\AdAwareTray.exe
- Key created IFEO\AdAwareService.exe
- Set value (str) IFEO\V3Main.exe\debugger = "svchost.exe"
- Key created IFEO\K7TSecurity.exe
- Key created IFEO\K7TSMngr.exe
- Set value (str) IFEO\nvoy.exe\debugger = "svchost.exe"
- Set value (str) IFEO\SASCore64.exe\debugger = "svchost.exe"
- Key created IFEO\MpUXSrv.exe
- Set value (str) IFEO\NisSrv.exe\debugger = "svchost.exe"
- Key created IFEO\BavSvc.exe
- Key created IFEO\BavTray.exe
- Set value (str) IFEO\AVKWCtlx64.exe\debugger = "svchost.exe"
- Set value (str) IFEO\K7RTScan.exe\debugger = "svchost.exe"
- Set value (str) IFEO\K7FWSrvc.exe\debugger = "svchost.exe"
- Set value (str) IFEO\nprosec.exe\debugger = "svchost.exe"
- Set value (str) IFEO\ScSecSvc.exe\debugger = "svchost.exe"
- Set value (str) IFEO\PtSvcHost.exe\debugger = "svchost.exe"
- Key created IFEO\mbamservice.exe
- Set value (str) IFEO\ClamWin.exe\debugger = "svchost.exe"
- Set value (str) IFEO\nvcsvc.exe\debugger = "svchost.exe"
- Set value (str) IFEO\AgentSvc.exe\debugger = "svchost.exe"
- Set value (str) IFEO\AdAwareTray.exe\debugger = "svchost.exe"
- Set value (str) IFEO\cavwp.exe\debugger = "svchost.exe"
- Key created IFEO\avpmapp.exe
- Key created IFEO\acs.exe
- Set value (str) IFEO\ONLINENT.EXE\debugger = "svchost.exe"
- Key created IFEO\uiSeAgnt.exe
- Key created IFEO\dumpcap.exe
- Key created IFEO\BgScan.exe
- Key created IFEO\SCANWSCS.EXE
- Set value (str) IFEO\MCShieldDS.exe\debugger = "svchost.exe"
- Set value (str) IFEO\SDFSSvc.exe\debugger = "svchost.exe"
- Set value (str) IFEO\SDTray.exe\debugger = "svchost.exe"
- Key created IFEO\dragon_updater.exe
- Set value (str) IFEO\GDSC.exe\debugger = "svchost.exe"
- Key created IFEO\nanoav.exe
- Key created IFEO\K7PSSrvc.exe
- Set value (str) IFEO\K7EmlPxy.EXE\debugger = "svchost.exe"
- Key created IFEO\ClamWin.exe
- Key created IFEO\cis.exe
- Key created IFEO\AVKWCtlx64.exe
- Set value (str) IFEO\SDWelcome.exe\debugger = "svchost.exe"
- Set value (str) IFEO\filwscc.exe\debugger = "svchost.exe"
- Key created IFEO\twssrv.exe
- Set value (str) IFEO\rawshark.exe\debugger = "svchost.exe"
- Key created IFEO\BullGuard.exe
- Key created IFEO\BavWebClient.exe
- Set value (str) IFEO\fmon.exe\debugger = "svchost.exe"
- Set value (str) IFEO\njeeves2.exe\debugger = "svchost.exe"
- Key created IFEO\PSUAMain.exe
- Set value (str) IFEO\coreServiceShell.exe\debugger = "svchost.exe"
- Key created IFEO\escanmon.exe
- Set value (str) IFEO\AVKTray.exe\debugger = "svchost.exe"
- Set value (str) IFEO\AVK.exe\debugger = "svchost.exe"
- Set value (str) IFEO\GDKBFltExe32.exe\debugger = "svchost.exe"
- Key created IFEO\AgentSvc.exe
- Key created IFEO\SUPERDelete.exe
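The UAC values and the IFEO list above are the registry half of the sample's defence evasion. The following is an added example, not code from the sandbox or from the sample: it parses IoC lines in the report's own "Key created ..." / "Set value (...) ... = "..." <process>" format and classifies each as a UAC disablement, a Task Manager disablement, an IFEO debugger hijack or a staged IFEO key, and it flags writes credited to a process that does not itself write the registry. The NON_REGISTRY_WRITERS heuristic and the SAMPLE_IOCS list (seven lines copied from this report plus one benign control line) are assumptions made for the example.

```python
"""Classify sandbox registry IoC lines into defence-evasion findings.

Added example, not code from the sandbox or the sample. Input lines use the
report's own format:
    Key created <key> <process>
    Set value (int|str) <key>\\<value name> = "<data>" <process>
"""
import re
from collections import Counter
from dataclasses import dataclass

UAC_POLICY_KEY = "\\policies\\system"            # ...\CurrentVersion\Policies\System
IFEO_PREFIX = "\\image file execution options\\"
# UAC values the sample zeroes; "0" turns the prompt or feature off.
UAC_VALUES = {"enablelua", "consentpromptbehavioradmin",
              "consentpromptbehavioruser", "promptonsecuredesktop"}
# Heuristic (assumption): tools that never write the registry themselves, so a
# write credited to them points at PID reuse in the sandbox's attribution.
NON_REGISTRY_WRITERS = {"taskkill.exe"}

SET_RE = re.compile(r'^Set value \((?P<type>int|str)\) (?P<key>\\REGISTRY\\.+?)'
                    r' = "(?P<value>[^"]*)" (?P<proc>\S+)$')
KEY_RE = re.compile(r'^Key created (?P<key>\\REGISTRY\\.+?) (?P<proc>\S+)$')


@dataclass(frozen=True)
class Finding:
    technique: str   # uac_disabled | taskmgr_disabled | ifeo_debugger_hijack | ifeo_key_staged
    target: str      # value name, or the executable whose launch is hijacked
    writer: str      # process the sandbox credited with the write
    note: str = ""


def parse_line(line):
    """Return {op, type, key, value, proc} for a report line, or None."""
    line = line.strip()
    m = SET_RE.match(line)
    if m:
        return {"op": "set", **m.groupdict()}
    m = KEY_RE.match(line)
    if m:
        return {"op": "key", "type": None, "value": None, **m.groupdict()}
    return None


def classify(ev):
    """Map one parsed registry event to a Finding, or None if uninteresting."""
    parent, _, leaf = ev["key"].rpartition("\\")
    note = ("writer does not normally touch the registry; check PID reuse"
            if ev["proc"].lower() in NON_REGISTRY_WRITERS else "")
    if ev["op"] == "set":
        if parent.lower().endswith(UAC_POLICY_KEY):
            if leaf.lower() in UAC_VALUES and ev["value"] == "0":
                return Finding("uac_disabled", leaf, ev["proc"], note)
            if leaf.lower() == "disabletaskmgr" and ev["value"] == "1":
                return Finding("taskmgr_disabled", leaf, ev["proc"], note)
        if leaf.lower() == "debugger" and IFEO_PREFIX in parent.lower():
            image = parent.rpartition("\\")[2]        # e.g. NisSrv.exe
            detail = 'debugger="%s"' % ev["value"]    # what Windows launches instead
            return Finding("ifeo_debugger_hijack", image, ev["proc"],
                           detail + ("; " + note if note else ""))
    elif ev["op"] == "key" and IFEO_PREFIX in ev["key"].lower():
        return Finding("ifeo_key_staged", leaf, ev["proc"], note)
    return None


def analyze(lines):
    """Parse and classify every line; lines in another format are skipped."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        f = classify(ev) if ev else None
        if f:
            findings.append(f)
    return findings


def summarize(findings):
    """Count findings per technique, e.g. {'uac_disabled': 4, ...}."""
    return dict(Counter(f.technique for f in findings))


# Constructed sample: seven lines copied from this report's IoC lists plus one
# unrelated MuiCache write that must not produce a finding.
SAMPLE_IOCS = [
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" taskkill.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" taskkill.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" taskkill.exe',
    r'Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" taskkill.exe',
    r'Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe taskkill.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe\debugger = "svchost.exe" taskkill.exe',
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\escanpro.exe\debugger = "svchost.exe" taskkill.exe',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-1000\Software\Classes\Local Settings\MuiCache\notepad.exe = "Notepad" explorer.exe',
]

if __name__ == "__main__":
    for f in analyze(SAMPLE_IOCS):
        print(f"{f.technique:22} {f.target:28} by {f.writer}  {f.note}")
    print(summarize(analyze(SAMPLE_IOCS)))
```

Feeding the full 64-entry IFEO list through analyze() gives the hijacked-image set directly from the "ifeo_debugger_hijack" targets, which is the list to check on any host that ran this sample; the Key-created entries alone do not break anything until a Debugger value lands under them.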
Drops file in System32 directory 1 IoCs
Process: javaw.exe
- File created C:\Windows\System32\test.txt
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
(The sandbox's description is generic. Nothing else in this report, which shows only a handful of small dropped files and no mass file modification, supports ransomware; read the drive enumeration as host survey unless the dropped files show otherwise.)
-
Kills process with taskkill 52 IoCs
Process: taskkill.exe (52 instances; PIDs in report order, several of them reused within the run)
1240, 784, 1112, 1996, 2024, 1196, 2032, 1588, 1812, 1172, 1504, 2016, 288, 1248, 1976, 1252, 1880, 1460, 1212, 1676, 1500, 1104, 620, 832, 1612, 1960, 1396, 1156, 1252, 1872, 2044, 1968, 1436, 1196, 1020, 1572, 2016, 1572, 548, 588, 2012, 1944, 1584, 964, 1156, 2024, 1608, 1812, 2032, 1020, 344, 1880
Runs .reg file with regedit 1 IoCs
Process: regedit.exe, PID 1812
Suspicious use of AdjustPrivilegeToken 52 IoCs
Process: taskkill.exe (52 instances), each enabling SeDebugPrivilege in its token; PIDs in report order:
1156, 1996, 1172, 2024, 1572, 1608, 1812, 1252, 548, 588, 1504, 1020, 1872, 2044, 1212, 2032, 1572, 1676, 2016, 2012, 288, 1248, 1240, 1196, 1500, 1976, 1104, 1944, 1252, 620, 1968, 2016, 2032, 1880, 1584, 964, 832, 1588, 784, 1020, 1612, 1960, 1812, 1156, 344, 1880, 1460, 1436, 1196, 1112, 1396, 2024
Suspicious use of SetWindowsHookEx 2 IoCs
Processes: javaw.exe (PID 1728), java.exe (PID 1332)
Suspicious use of WriteProcessMemory 64 IoCs
Writer processes: wscript.exe, javaw.exe, java.exe and four cmd.exe instances. The sandbox logs each child as three consecutive identical events; the list stops at 64 entries, mid-triplet. Collapsed by first appearance:
writer PID (image) -> target PID [procid_target] : events
1968 (wscript.exe) -> 1184 [28] : 3
1968 (wscript.exe) -> 1728 [29] : 3
1728 (javaw.exe) -> 1332 [30] : 3
1728 (javaw.exe) -> 1204 [33] : 3
1332 (java.exe) -> 1336 [32] : 3
1336 (cmd.exe) -> 1804 [37] : 3
1204 (cmd.exe) -> 1972 [36] : 3
1728 (javaw.exe) -> 1640 [47] : 3
1332 (java.exe) -> 1552 [38] : 3
1640 (cmd.exe) -> 832 [46] : 3
1728 (javaw.exe) -> 1240 [41] : 3 (interleaved with the next entry)
1332 (java.exe) -> 980 [44] : 3
1728 (javaw.exe) -> 1396 [48] : 3
1728 (javaw.exe) -> 1156 [50] : 3
1728 (javaw.exe) -> 1196 [53] : 3
1196 (cmd.exe) -> 1812 [66] : 3
1728 (javaw.exe) -> 1996 [57] : 3
1728 (javaw.exe) -> 1172 [59] : 3
1728 (javaw.exe) -> 2024 [61] : 3
1728 (javaw.exe) -> 1572 [63] : 3
1728 (javaw.exe) -> 1608 [65] : 3
1728 (javaw.exe) -> 1812 [66] : 1 (list truncated)
Note that procid_target 66 (PID 1812) is written by both cmd.exe 1196 and javaw.exe 1728. The process tree shows two different processes with PID 1812, regedit.exe under cmd.exe 1196 and a taskkill.exe under javaw.exe, and the sandbox has apparently given them the same process index; that is why the registry signatures land on taskkill.exe.
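An added example, not part of the report: rebuilding the process lineage from the WriteProcessMemory events above. Children are keyed by procid_target rather than PID, the repeated triplets are collapsed into one edge, and any child credited to more than one writer is surfaced, which is exactly what happens to PID 1812 in this run. SAMPLE_EVENTS is constructed from ten lines of this report; the synthetic negative ids for roots are an implementation choice of the example.

```python
"""Rebuild process lineage from sandbox "wrote to memory" events.

Added example, not code from the sandbox or the sample. It parses lines in
the report's own format,
    PID <src> wrote to memory of <dst> <src> <src image> <procid_target>
and keys every child by the sandbox's process index (procid_target) instead
of its PID, because PIDs are recycled within a run.
"""
import re
from collections import defaultdict

EVENT_RE = re.compile(r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) "
                      r"(?P=src) (?P<image>\S+) (?P<procid>\d+)$")


class Lineage:
    def __init__(self):
        self.nodes = {}                        # procid -> {"pid", "image"}
        self.children = defaultdict(list)      # procid -> [child procid], deduplicated
        self.parents = defaultdict(set)        # procid -> {writer procid}
        self._latest = {}                      # pid -> most recent procid seen for it
        self._next_root = -1                   # synthetic ids for never-observed parents

    def _source(self, pid, image):
        """Resolve a writer PID to a node and record its image name."""
        procid = self._latest.get(pid)
        if procid is None:                     # never seen as a child: a tree root
            procid, self._next_root = self._next_root, self._next_root - 1
            self.nodes[procid] = {"pid": pid, "image": image}
            self._latest[pid] = procid
        else:
            self.nodes[procid]["image"] = image
        return procid

    def add(self, line):
        """Ingest one event line; returns False for lines in another format."""
        m = EVENT_RE.match(line.strip())
        if not m:
            return False
        src = self._source(int(m["src"]), m["image"])
        dst, dst_pid = int(m["procid"]), int(m["dst"])
        self.nodes.setdefault(dst, {"pid": dst_pid, "image": None})
        self._latest[dst_pid] = dst
        if dst not in self.children[src]:      # the sandbox logs each write 3x
            self.children[src].append(dst)
        self.parents[dst].add(src)
        return True

    def label(self, procid):
        n = self.nodes[procid]
        return f"{n['image'] or '?'}({n['pid']})"

    def roots(self):
        return [p for p in self.nodes if not self.parents.get(p)]

    def chains(self):
        """Every root-to-leaf path as a list of labels, in insertion order."""
        out = []

        def walk(procid, path, seen):
            if procid in seen:                 # guard against PID-reuse cycles
                out.append(path + [self.label(procid) + " <cycle>"])
                return
            path, seen = path + [self.label(procid)], seen | {procid}
            kids = self.children.get(procid, [])
            if not kids:
                out.append(path)
            for k in kids:
                walk(k, path, seen)

        for r in self.roots():
            walk(r, [], frozenset())
        return out

    def multi_parent(self):
        """Children credited to more than one writer: attribution noise to verify."""
        return {p: sorted(self.label(w) for w in ws)
                for p, ws in self.parents.items() if len(ws) > 1}


def build(lines):
    lin = Lineage()
    skipped = sum(0 if lin.add(ln) else 1 for ln in lines)
    return lin, skipped


# Constructed sample: ten lines copied from this report's WriteProcessMemory
# list, including the PID 1812 child that two different parents write to.
SAMPLE_EVENTS = [
    "PID 1968 wrote to memory of 1184 1968 wscript.exe 28",
    "PID 1968 wrote to memory of 1184 1968 wscript.exe 28",
    "PID 1968 wrote to memory of 1184 1968 wscript.exe 28",
    "PID 1968 wrote to memory of 1728 1968 wscript.exe 29",
    "PID 1728 wrote to memory of 1332 1728 javaw.exe 30",
    "PID 1332 wrote to memory of 1336 1332 java.exe 32",
    "PID 1336 wrote to memory of 1804 1336 cmd.exe 37",
    "PID 1728 wrote to memory of 1196 1728 javaw.exe 53",
    "PID 1196 wrote to memory of 1812 1196 cmd.exe 66",
    "PID 1728 wrote to memory of 1812 1728 javaw.exe 66",
]

if __name__ == "__main__":
    lineage, skipped = build(SAMPLE_EVENTS)
    for chain in lineage.chains():
        print(" > ".join(chain))
    print("multiple writers:", lineage.multi_parent(), "| skipped:", skipped)
```

A child's image name is only learned when it later acts as a writer, so leaves print as "?(pid)"; joining the chains against the process tree below fills those in. The multi_parent() output is the check to run before trusting any per-process signature in a report with heavy PID reuse.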
Processes
Reading the tree: wscript.exe runs the submitted RFQ#-SWMKA-07101.js, which writes and runs a second script (yIwUYjpjEe.js) and a JAR stored with a .txt extension (ersjlaioj.txt) that javaw.exe executes with -jar. That JAR launches a second payload from %TEMP% (named _0.93530287933474865600583059654695868.class but also run with -jar, so it is a JAR as well), copies the entire installed JRE to C:\Users\Admin\AppData\Roaming\Oracle\ with xcopy /e so the implant no longer depends on the system Java, runs several Retrive*.vbs scripts through cscript.exe, silently imports a .reg file with regedit /s, and then issues taskkill /IM <image> /T /F for one tool after another: Task Manager, Process Hacker, Process Explorer, Windows Defender components, Wireshark and its command-line tools, and a long list of consumer antivirus products. The two xcopy and four Retrive*.vbs invocations appear under both java.exe and javaw.exe, i.e. both JARs run the same setup routine.

Bracketed number = depth in the reported tree; each entry gives image path, PID, command line and the signatures the sandbox attached to that process.

[1] C:\Windows\system32\wscript.exe  PID 1968
    cmd: wscript.exe C:\Users\Admin\AppData\Local\Temp\RFQ#-SWMKA-07101.js
    sig: Suspicious use of WriteProcessMemory
  [2] C:\Windows\System32\WScript.exe  PID 1184
      cmd: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\yIwUYjpjEe.js"
  [2] C:\Program Files\Java\jre7\bin\javaw.exe  PID 1728
      cmd: "C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\ersjlaioj.txt"
      sig: Drops file in System32 directory; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
    [3] C:\Program Files\Java\jre7\bin\java.exe  PID 1332
        cmd: "C:\Program Files\Java\jre7\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.93530287933474865600583059654695868.class
        sig: Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cmd.exe  PID 1336
          cmd: cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive6436301026464773531.vbs
          sig: Suspicious use of WriteProcessMemory
        [5] C:\Windows\system32\cscript.exe  PID 1804
            cmd: cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive6436301026464773531.vbs
      [4] C:\Windows\system32\cmd.exe  PID 1552
          cmd: cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1399648570181511495.vbs
        [5] C:\Windows\system32\cscript.exe  PID 836
            cmd: cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1399648570181511495.vbs
      [4] C:\Windows\system32\xcopy.exe  PID 980
          cmd: xcopy "C:\Program Files\Java\jre7" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
    [3] C:\Windows\system32\cmd.exe  PID 1204
        cmd: cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive836886510530314967.vbs
        sig: Suspicious use of WriteProcessMemory
      [4] C:\Windows\system32\cscript.exe  PID 1972
          cmd: cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive836886510530314967.vbs
    [3] C:\Windows\system32\xcopy.exe  PID 1240
        cmd: xcopy "C:\Program Files\Java\jre7" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
    [3] C:\Windows\system32\cmd.exe  PID 1640
        cmd: cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive2010467260100963175.vbs
        sig: Suspicious use of WriteProcessMemory
    [3] C:\Windows\system32\cmd.exe  PID 1396
        cmd: cmd.exe
    [3] C:\Windows\system32\taskkill.exe  PID 1156
        cmd: taskkill /IM UserAccountControlSettings.exe /T /F
        sig: Kills process with taskkill; Suspicious use of AdjustPrivilegeToken
    [3] C:\Windows\system32\cmd.exe  PID 1196
        cmd: cmd.exe /c regedit.exe /s C:\Users\Admin\AppData\Local\Temp\ZjeQKPQcps4321640455782759454.reg
        sig: Suspicious use of WriteProcessMemory
      [4] C:\Windows\regedit.exe  PID 1812
          cmd: regedit.exe /s C:\Users\Admin\AppData\Local\Temp\ZjeQKPQcps4321640455782759454.reg
          sig: Runs .reg file with regedit
    [3] 51 further children of javaw.exe, every one C:\Windows\system32\taskkill.exe with cmd "taskkill /IM <image> /T /F" and the signatures "Kills process with taskkill; Suspicious use of AdjustPrivilegeToken", in report order:
        image (/IM)                 PID
        Taskmgr.exe                 1996
        ProcessHacker.exe           1172
        procexp.exe                 2024
        MSASCui.exe                 1572
        MsMpEng.exe                 1608
        MpUXSrv.exe                 1812   (additionally tagged: UAC bypass; Sets file execution options in registry; see the attribution caveat under Signatures)
        MpCmdRun.exe                1252
        NisSrv.exe                  548
        ConfigSecurityPolicy.exe    588
        procexp.exe                 1504
        wireshark.exe               1020
        tshark.exe                  1872
        text2pcap.exe               2044
        rawshark.exe                1212
        mergecap.exe                2032
        editcap.exe                 1572
        dumpcap.exe                 1676
        capinfos.exe                2016
        mbam.exe                    2012
        mbamscheduler.exe           288
        mbamservice.exe             1248
        AdAwareService.exe          1240
        AdAwareTray.exe             1196
        WebCompanion.exe            1500
        AdAwareDesktop.exe          1976
        V3Main.exe                  1104
        V3Svc.exe                   1944
        V3Up.exe                    1252
        V3SP.exe                    620
        V3Proxy.exe                 1968
        V3Medic.exe                 2016
        BgScan.exe                  2032
        BullGuard.exe               1880
        BullGuardBhvScanner.exe     1584
        BullGuarScanner.exe         964
        LittleHook.exe              832
        BullGuardUpdate.exe         1588
        clamscan.exe                784
        ClamTray.exe                1020
        ClamWin.exe                 1612
        cis.exe                     1960
        CisTray.exe                 1812
        cmdagent.exe                1156
        cavwp.exe                   344
        dragon_updater.exe          1880
        MWAGENT.EXE                 1460
        MWASER.EXE                  1436
        CONSCTLX.EXE                1196
        avpmapp.exe                 1112
        econceal.exe                1396
        escanmon.exe                2024

[1] C:\Windows\system32\cscript.exe  PID 832
    cmd: cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive2010467260100963175.vbs
    (rendered at top level by the sandbox; the WriteProcessMemory list records cmd.exe PID 1640 writing to PID 832, procid_target 46, so this is the cscript spawned by the cmd.exe PID 1640 entry above)
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 281B (this entry is listed twice in the report)
  MD5: a32c109297ed1ca155598cd295c26611
  SHA1: dc4a1fdbaad15ddd6fe22d3907c6b03727b71510
  SHA256: 45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7
  SHA512: 70372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887
- Filesize: 276B (this entry is listed twice in the report)
  MD5: 3bdfd33017806b85949b6faa7d4b98e4
  SHA1: f92844fee69ef98db6e68931adfaa9a0a0f8ce66
  SHA256: 9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6
  SHA512: ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429
- Filesize: 27KB
  MD5: 7f97f5f336944d427c03cc730c636b8f
  SHA1: 8a50c72b4580c20d4a7bfc7af8f12671bf6715ae
  SHA256: 9613caed306e9a267c62c56506985ef99ea2bee6e11afc185b8133dda37cbc57
  SHA512: 8f8b5dc16f087bdc73a134b76fd1063765e3c049baca4873d1b9eb30ba59f418395490cafc78a93b1cdcc20461e73c96de34475669715d6ddb93d0b56e6e6c54
- Filesize: 241KB
  MD5: 781fb531354d6f291f1ccab48da6d39f
  SHA1: 9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68
  SHA256: 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9
  SHA512: 3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8
- C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3762437355-3468409815-1164039494-1000\83aa4cc77f591dfc2374580bbd95f6ba_327f7753-eed3-43ec-871a-c7bcf65868ec
  Filesize: 45B
  MD5: c8366ae350e7019aefc9d1e6e6a498c6
  SHA1: 5731d8a3e6568a5f2dfbbc87e3db9637df280b61
  SHA256: 11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238
  SHA512: 33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd
- Filesize: 479KB
  MD5: 4d9a717a9d3bb25ed5fd107ec7795e3a
  SHA1: 341ff4f74c807650c0a81ca0c2711caceddbed44
  SHA256: d4532757afd5774d841e830196ce2d5812f3443785f693d57e5c5d7d4ca3288a
  SHA512: ca6445a628a057895bd62028a2353a12b008e28b6bcf11d4277ffb18a51c5282bdd74864eb4412512387282dd43b2f5b915f4ec0df8e3f74ba2fab3905a197ce
- Filesize: 857B
  MD5: a3bec43c6c97fe9cee29df6c15d53244
  SHA1: e8d7a0e03e2fdc090739a72d30874b6250a78f4a
  SHA256: 7610035671988a2c0373477fd62e6d558a2fbe81e98f3c8f22bc3820731deb76
  SHA512: 83f36cebf942af5349d8c233e05e49259b0c2de891f843816eb60ab225f1ad3bba84d3b6f4e584777e6de1ff9bb0e03669fdaea2581125aa193e4a448d1761ab