adwind | 7cdffb3bc46c9b767d6ab1c999b94faafbab963b3c8e70fa0e94c5c4cba41e55

Analysis

max time kernel
293s
max time network
300s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
07/09/2022, 13:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

PO-090-TCG-SG.jar
Size

625KB
MD5

b326ba49794d3e9be44860de3b6e3cd3
SHA1

1d80eadb8228ef5a3862240bab8a780b7bbff098
SHA256

7cdffb3bc46c9b767d6ab1c999b94faafbab963b3c8e70fa0e94c5c4cba41e55
SHA512

4c5799f7839cf5805e25e6b6823dbf778c6074d427c6432593dfdcc6cd5b14453424d0fe7b7674ecd81b14daefa8b7d3651821ee92b35df9ed0aa613ec44d9cc
SSDEEP

12288:9SkyuK/y8DJPaOdrhyCLqZAksHMZM2H5jKTW9yhTrPC7i5vFJ:2Zy8tPhrhViesZMcjZ9yhTrPSivJ

Score

10^/10

adwind vjw0rm evasion persistence trojan worm

Malware Config

Signatures

AdWind
A Java-based RAT family operated as malware-as-a-service.
trojan adwind

UAC bypass 3 TTPs 4 IoCs

evasion trojan

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	regedit.exe

Vjw0rm
Vjw0rm is a remote access trojan written in JavaScript.
trojan worm vjw0rm

Blocklisted process makes network request 28 IoCs

flow	pid	Process
18	4812	WScript.exe
26	4812	WScript.exe
38	4812	WScript.exe
44	4812	WScript.exe
46	4812	WScript.exe
50	4812	WScript.exe
51	4812	WScript.exe
55	4812	WScript.exe
56	4812	WScript.exe
58	4812	WScript.exe
64	4812	WScript.exe
72	4812	WScript.exe
75	4812	WScript.exe
76	4812	WScript.exe
78	4812	WScript.exe
79	4812	WScript.exe
80	4812	WScript.exe
82	4812	WScript.exe
83	4812	WScript.exe
85	4812	WScript.exe
86	4812	WScript.exe
89	4812	WScript.exe
90	4812	WScript.exe
91	4812	WScript.exe
96	4812	WScript.exe
97	4812	WScript.exe
99	4812	WScript.exe
100	4812	WScript.exe

Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Sets file execution options in registry 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Bav.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CertReg.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nnf.exe\debugger = "svchost.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psview.exe\debugger = "svchost.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe\debugger = "svchost.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SUPERDelete.exe\debugger = "svchost.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVKTray.exe\debugger = "svchost.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\editcap.exe\debugger = "svchost.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MWASER.EXE\debugger = "svchost.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\virusutilities.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MCS-Uninstall.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDWelcome.exe\debugger = "svchost.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe\debugger = "svchost.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe\debugger = "svchost.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\V3Proxy.exe\debugger = "svchost.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FSHDLL64.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fssm32.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\freshclamwrap.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VIPREUI.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\quamgr.exe\debugger = "svchost.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe\debugger = "svchost.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsgk32.exe\debugger = "svchost.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fshoster32.exe\debugger = "svchost.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zlh.exe\debugger = "svchost.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\coreServiceShell.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdAwareTray.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cis.exe\debugger = "svchost.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FPWin.exe\debugger = "svchost.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVKTray.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\freshclamwrap.exe\debugger = "svchost.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSANHost.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SBAMTray.exe\debugger = "svchost.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\schmgr.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\twsscan.exe\debugger = "svchost.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsorsp.exe\debugger = "svchost.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FProtTray.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7CrvSvc.exe\debugger = "svchost.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nanosvc.exe\debugger = "svchost.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uiWinMgr.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserReg.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\econceal.exe\debugger = "svchost.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NS.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\V3Main.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\op_mon.exe\debugger = "svchost.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PtSessionAgent.exe\debugger = "svchost.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\escanpro.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpCmdRun.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CisTray.exe\debugger = "svchost.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDKBFltExe32.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardxservice.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nvcod.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PtSessionAgent.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDWelcome.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UnThreat.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdAwareService.exe\debugger = "svchost.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDScan.exe\debugger = "svchost.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MCShieldDS.exe\debugger = "svchost.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FortiFW.exe\debugger = "svchost.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe\debugger = "svchost.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MWAGENT.EXE	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nanosvc.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OPSSVC.EXE\debugger = "svchost.exe"	regedit.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Control Panel\International\Geo\Nation	wscript.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EotRrJluLY.js	WScript.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\EotRrJluLY.js	WScript.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows\CurrentVersion\Run	WScript.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Y6O3SUOZUV = "\"C:\\Users\\Admin\\AppData\\Roaming\\EotRrJluLY.js\""	WScript.exe

Drops file in System32 directory 1 IoCs

description	ioc	Process
File created	C:\Windows\System32\test.txt	javaw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Kills process with taskkill 64 IoCs

evasion

pid	Process
764	taskkill.exe
3876	taskkill.exe
768	taskkill.exe
2028	taskkill.exe
3108	taskkill.exe
4676	taskkill.exe
2224	taskkill.exe
440	taskkill.exe
3644	taskkill.exe
4412	taskkill.exe
3384	taskkill.exe
4036	taskkill.exe
4500	taskkill.exe
2216	taskkill.exe
4360	taskkill.exe
2508	taskkill.exe
1348	taskkill.exe
2876	taskkill.exe
3084	taskkill.exe
3316	taskkill.exe
3636	taskkill.exe
4832	taskkill.exe
1684	taskkill.exe
1956	taskkill.exe
1732	taskkill.exe
988	taskkill.exe
3564	taskkill.exe
3292	taskkill.exe
2476	taskkill.exe
2896	taskkill.exe
1660	taskkill.exe
652	taskkill.exe
4764	taskkill.exe
4972	taskkill.exe
640	taskkill.exe
344	taskkill.exe
1716	taskkill.exe
4324	taskkill.exe
1052	taskkill.exe
4924	taskkill.exe
2448	taskkill.exe
4348	taskkill.exe
5016	taskkill.exe
1296	taskkill.exe
2516	taskkill.exe
204	taskkill.exe
3428	taskkill.exe
4444	taskkill.exe
4520	taskkill.exe
4220	taskkill.exe
2600	taskkill.exe
2680	taskkill.exe
1680	taskkill.exe
5016	taskkill.exe
1908	taskkill.exe
920	taskkill.exe
3676	taskkill.exe
3588	taskkill.exe
380	taskkill.exe
5100	taskkill.exe
4780	taskkill.exe
776	taskkill.exe
2488	taskkill.exe
4204	taskkill.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\Local Settings	wscript.exe

Runs .reg file with regedit 1 IoCs

pid	Process
5012	regedit.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	4412	taskkill.exe
Token: SeDebugPrivilege	764	taskkill.exe
Token: SeDebugPrivilege	4868	taskkill.exe
Token: SeDebugPrivilege	1964	taskkill.exe
Token: SeDebugPrivilege	3100	taskkill.exe
Token: SeDebugPrivilege	1676	taskkill.exe
Token: SeDebugPrivilege	4600	taskkill.exe
Token: SeDebugPrivilege	4540	taskkill.exe
Token: SeDebugPrivilege	3876	taskkill.exe
Token: SeDebugPrivilege	3384	taskkill.exe
Token: SeDebugPrivilege	3976	taskkill.exe
Token: SeDebugPrivilege	1648	taskkill.exe
Token: SeDebugPrivilege	4764	taskkill.exe
Token: SeDebugPrivilege	2752	taskkill.exe
Token: SeDebugPrivilege	1732	taskkill.exe
Token: SeDebugPrivilege	5016	taskkill.exe
Token: SeDebugPrivilege	4972	taskkill.exe
Token: SeDebugPrivilege	2940	taskkill.exe
Token: SeDebugPrivilege	4952	taskkill.exe
Token: SeDebugPrivilege	1492	taskkill.exe
Token: SeDebugPrivilege	3696	taskkill.exe
Token: SeDebugPrivilege	3284	taskkill.exe
Token: SeDebugPrivilege	4300	taskkill.exe
Token: SeDebugPrivilege	4992	taskkill.exe
Token: SeDebugPrivilege	4496	taskkill.exe
Token: SeDebugPrivilege	3556	taskkill.exe
Token: SeDebugPrivilege	3776	taskkill.exe
Token: SeDebugPrivilege	3424	taskkill.exe
Token: SeDebugPrivilege	4132	taskkill.exe
Token: SeDebugPrivilege	4708	taskkill.exe
Token: SeDebugPrivilege	4788	taskkill.exe
Token: SeDebugPrivilege	3884	taskkill.exe
Token: SeDebugPrivilege	3316	taskkill.exe
Token: SeDebugPrivilege	4412	taskkill.exe
Token: SeDebugPrivilege	768	taskkill.exe
Token: SeDebugPrivilege	4056	taskkill.exe
Token: SeDebugPrivilege	4228	taskkill.exe
Token: SeDebugPrivilege	820	taskkill.exe
Token: SeDebugPrivilege	3520	taskkill.exe
Token: SeDebugPrivilege	2028	taskkill.exe
Token: SeDebugPrivilege	64	taskkill.exe
Token: SeDebugPrivilege	1476	taskkill.exe
Token: SeDebugPrivilege	3636	taskkill.exe
Token: SeDebugPrivilege	2448	taskkill.exe
Token: SeDebugPrivilege	2436	taskkill.exe
Token: SeDebugPrivilege	1048	taskkill.exe
Token: SeDebugPrivilege	1840	taskkill.exe
Token: SeDebugPrivilege	4888	taskkill.exe
Token: SeDebugPrivilege	640	taskkill.exe
Token: SeDebugPrivilege	3792	taskkill.exe
Token: SeDebugPrivilege	4764	taskkill.exe
Token: SeDebugPrivilege	4156	taskkill.exe
Token: SeDebugPrivilege	988	taskkill.exe
Token: SeDebugPrivilege	344	taskkill.exe
Token: SeDebugPrivilege	3108	taskkill.exe
Token: SeDebugPrivilege	1716	taskkill.exe
Token: SeDebugPrivilege	4228	taskkill.exe
Token: SeDebugPrivilege	3564	taskkill.exe
Token: SeDebugPrivilege	5072	taskkill.exe
Token: SeDebugPrivilege	4348	taskkill.exe
Token: SeDebugPrivilege	4592	taskkill.exe
Token: SeDebugPrivilege	2516	taskkill.exe
Token: SeDebugPrivilege	4676	taskkill.exe
Token: SeDebugPrivilege	4324	taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2976	javaw.exe
2040	java.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3108 wrote to memory of 2796	3108	java.exe	85
PID 3108 wrote to memory of 2796	3108	java.exe	85
PID 2796 wrote to memory of 4812	2796	wscript.exe	86
PID 2796 wrote to memory of 4812	2796	wscript.exe	86
PID 2796 wrote to memory of 2976	2796	wscript.exe	87
PID 2796 wrote to memory of 2976	2796	wscript.exe	87
PID 2976 wrote to memory of 2040	2976	javaw.exe	88
PID 2976 wrote to memory of 2040	2976	javaw.exe	88
PID 2976 wrote to memory of 5064	2976	javaw.exe	91
PID 2976 wrote to memory of 5064	2976	javaw.exe	91
PID 2040 wrote to memory of 5024	2040	java.exe	92
PID 2040 wrote to memory of 5024	2040	java.exe	92
PID 5064 wrote to memory of 4544	5064	cmd.exe	95
PID 5064 wrote to memory of 4544	5064	cmd.exe	95
PID 5024 wrote to memory of 1036	5024	cmd.exe	96
PID 5024 wrote to memory of 1036	5024	cmd.exe	96
PID 2040 wrote to memory of 4288	2040	java.exe	100
PID 2040 wrote to memory of 4288	2040	java.exe	100
PID 2976 wrote to memory of 1468	2976	javaw.exe	99
PID 2976 wrote to memory of 1468	2976	javaw.exe	99
PID 1468 wrote to memory of 852	1468	cmd.exe	104
PID 1468 wrote to memory of 852	1468	cmd.exe	104
PID 4288 wrote to memory of 3796	4288	cmd.exe	103
PID 4288 wrote to memory of 3796	4288	cmd.exe	103
PID 2976 wrote to memory of 4156	2976	javaw.exe	105
PID 2976 wrote to memory of 4156	2976	javaw.exe	105
PID 2040 wrote to memory of 2524	2040	java.exe	107
PID 2040 wrote to memory of 2524	2040	java.exe	107
PID 2976 wrote to memory of 4904	2976	javaw.exe	110
PID 2976 wrote to memory of 4904	2976	javaw.exe	110
PID 2976 wrote to memory of 4412	2976	javaw.exe	113
PID 2976 wrote to memory of 4412	2976	javaw.exe	113
PID 2976 wrote to memory of 4420	2976	javaw.exe	115
PID 2976 wrote to memory of 4420	2976	javaw.exe	115
PID 4420 wrote to memory of 5012	4420	cmd.exe	117
PID 4420 wrote to memory of 5012	4420	cmd.exe	117
PID 2976 wrote to memory of 764	2976	javaw.exe	118
PID 2976 wrote to memory of 764	2976	javaw.exe	118
PID 2976 wrote to memory of 4868	2976	javaw.exe	120
PID 2976 wrote to memory of 4868	2976	javaw.exe	120
PID 2976 wrote to memory of 1964	2976	javaw.exe	123
PID 2976 wrote to memory of 1964	2976	javaw.exe	123
PID 2976 wrote to memory of 3100	2976	javaw.exe	125
PID 2976 wrote to memory of 3100	2976	javaw.exe	125
PID 2976 wrote to memory of 1676	2976	javaw.exe	128
PID 2976 wrote to memory of 1676	2976	javaw.exe	128
PID 2976 wrote to memory of 4600	2976	javaw.exe	130
PID 2976 wrote to memory of 4600	2976	javaw.exe	130
PID 2976 wrote to memory of 4540	2976	javaw.exe	132
PID 2976 wrote to memory of 4540	2976	javaw.exe	132
PID 2976 wrote to memory of 3876	2976	javaw.exe	134
PID 2976 wrote to memory of 3876	2976	javaw.exe	134
PID 2976 wrote to memory of 3384	2976	javaw.exe	137
PID 2976 wrote to memory of 3384	2976	javaw.exe	137
PID 2976 wrote to memory of 3976	2976	javaw.exe	138
PID 2976 wrote to memory of 3976	2976	javaw.exe	138
PID 2976 wrote to memory of 1648	2976	javaw.exe	140
PID 2976 wrote to memory of 1648	2976	javaw.exe	140
PID 2976 wrote to memory of 4764	2976	javaw.exe	142
PID 2976 wrote to memory of 4764	2976	javaw.exe	142
PID 2976 wrote to memory of 2752	2976	javaw.exe	144
PID 2976 wrote to memory of 2752	2976	javaw.exe	144
PID 2976 wrote to memory of 1732	2976	javaw.exe	146
PID 2976 wrote to memory of 1732	2976	javaw.exe	146

C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\PO-090-TCG-SG.jar
1⤵
- Suspicious use of WriteProcessMemory
PID:3108
- C:\Windows\SYSTEM32\wscript.exe
  wscript C:\Users\Admin\jjswbfmpkr.js
  2⤵
  - Checks computer location settings
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\System32\WScript.exe
    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\EotRrJluLY.js"
    3⤵
    - Blocklisted process makes network request
    - Drops startup file
    - Adds Run key to start application
    PID:4812
- - C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
    "C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\bixdsszddg.txt"
    3⤵
    - Drops file in System32 directory
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2976
  - - C:\Program Files\Java\jre1.8.0_66\bin\java.exe
      "C:\Program Files\Java\jre1.8.0_66\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.19844322723278843909023851822834099.class
      4⤵
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2040
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive2171829258634001436.vbs
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:5024
      - C:\Windows\system32\cscript.exe
        
        cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive2171829258634001436.vbs
        6⤵
        
        PID:1036
    - - C:\Windows\SYSTEM32\cmd.exe
        
        cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive8232765323767647558.vbs
        5⤵
        Suspicious use of WriteProcessMemory
        
        PID:4288
      - C:\Windows\system32\cscript.exe
        
        cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive8232765323767647558.vbs
        6⤵
        
        PID:3796
    - - C:\Windows\SYSTEM32\xcopy.exe
        
        xcopy "C:\Program Files\Java\jre1.8.0_66" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
        5⤵
        
        PID:2524
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive8310157283682935209.vbs
      4⤵
      Suspicious use of WriteProcessMemory
      PID:5064
    - - C:\Windows\system32\cscript.exe
        
        cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive8310157283682935209.vbs
        5⤵
        
        PID:4544
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5446966286694821409.vbs
      4⤵
      Suspicious use of WriteProcessMemory
      PID:1468
    - - C:\Windows\system32\cscript.exe
        
        cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5446966286694821409.vbs
        5⤵
        
        PID:852
  - - C:\Windows\SYSTEM32\xcopy.exe
      xcopy "C:\Program Files\Java\jre1.8.0_66" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
      4⤵
      PID:4156
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe
      4⤵
      PID:4904
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM UserAccountControlSettings.exe /T /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4412
  - - C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c regedit.exe /s C:\Users\Admin\AppData\Local\Temp\tedOMLqJiY2387175954939911402.reg
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4420
    - - C:\Windows\regedit.exe
        
        regedit.exe /s C:\Users\Admin\AppData\Local\Temp\tedOMLqJiY2387175954939911402.reg
        5⤵
        UAC bypass
        Sets file execution options in registry
        Runs .reg file with regedit
        
        PID:5012
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM ProcessHacker.exe /T /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:764
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM procexp.exe /T /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4868
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM MSASCui.exe /T /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1964
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM MsMpEng.exe /T /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3100
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM MpUXSrv.exe /T /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1676
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM MpCmdRun.exe /T /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4600
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM NisSrv.exe /T /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4540
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM ConfigSecurityPolicy.exe /T /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3876
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM procexp.exe /T /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3384
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM wireshark.exe /T /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3976
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM tshark.exe /T /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1648
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM text2pcap.exe /T /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4764
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM rawshark.exe /T /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2752
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM mergecap.exe /T /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1732
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM editcap.exe /T /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:5016
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM dumpcap.exe /T /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4972
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM capinfos.exe /T /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2940
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM mbam.exe /T /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4952
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM mbamscheduler.exe /T /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1492
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM mbamservice.exe /T /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3696
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM AdAwareService.exe /T /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3284
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM AdAwareTray.exe /T /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4300
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM WebCompanion.exe /T /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4992
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM AdAwareDesktop.exe /T /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4496
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM V3Main.exe /T /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3556
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM V3Svc.exe /T /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3776
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM V3Up.exe /T /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3424
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM V3SP.exe /T /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4132
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM V3Proxy.exe /T /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4708
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM V3Medic.exe /T /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4788
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM BgScan.exe /T /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3884
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM BullGuard.exe /T /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3316
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM BullGuardBhvScanner.exe /T /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4412
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM BullGuarScanner.exe /T /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:768
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM LittleHook.exe /T /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4056
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM BullGuardUpdate.exe /T /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4228
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM clamscan.exe /T /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:820
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM ClamTray.exe /T /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3520
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM ClamWin.exe /T /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2028
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM cis.exe /T /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:64
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM CisTray.exe /T /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1476
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM cmdagent.exe /T /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3636
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM cavwp.exe /T /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2448
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM dragon_updater.exe /T /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:2436
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM MWAGENT.EXE /T /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1048
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM MWASER.EXE /T /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:1840
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM CONSCTLX.EXE /T /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4888
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM avpmapp.exe /T /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:640
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM econceal.exe /T /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:3792
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM escanmon.exe /T /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4764
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM escanpro.exe /T /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4156
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM TRAYSSER.EXE /T /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:988
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM TRAYICOS.EXE /T /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:344
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM econser.exe /T /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3108
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM VIEWTCP.EXE /T /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:1716
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM FSHDLL64.exe /T /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4228
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM fsgk32.exe /T /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:3564
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM fshoster32.exe /T /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:5072
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM FSMA32.EXE /T /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4348
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM fsorsp.exe /T /F
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:4592
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM fssm32.exe /T /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:2516
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM FSM32.EXE /T /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4676
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM trigger.exe /T /F
      4⤵
      Kills process with taskkill
      Suspicious use of AdjustPrivilegeToken
      PID:4324
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM FProtTray.exe /T /F
      4⤵
      PID:2896
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM FPWin.exe /T /F
      4⤵
      PID:5092
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM FPAVServer.exe /T /F
      4⤵
      Kills process with taskkill
      PID:4832
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM AVK.exe /T /F
      4⤵
      PID:4588
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM GdBgInx64.exe /T /F
      4⤵
      Kills process with taskkill
      PID:1908
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM AVKProxy.exe /T /F
      4⤵
      PID:540
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM GDScan.exe /T /F
      4⤵
      PID:1732
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM AVKWCtlx64.exe /T /F
      4⤵
      Kills process with taskkill
      PID:920
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM AVKService.exe /T /F
      4⤵
      Kills process with taskkill
      PID:3676
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM AVKTray.exe /T /F
      4⤵
      PID:2224
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM GDKBFltExe32.exe /T /F
      4⤵
      PID:4292
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM GDSC.exe /T /F
      4⤵
      PID:756
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM virusutilities.exe /T /F
      4⤵
      PID:2228
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM guardxservice.exe /T /F
      4⤵
      PID:3300
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM guardxkickoff_x64.exe /T /F
      4⤵
      PID:4468
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM iptray.exe /T /F
      4⤵
      PID:3876
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM freshclam.exe /T /F
      4⤵
      Kills process with taskkill
      PID:3292
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM freshclamwrap.exe /T /F
      4⤵
      PID:4184
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM K7RTScan.exe /T /F
      4⤵
      Kills process with taskkill
      PID:4036
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM K7FWSrvc.exe /T /F
      4⤵
      PID:2928
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM K7PSSrvc.exe /T /F
      4⤵
      Kills process with taskkill
      PID:1052
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM K7EmlPxy.EXE /T /F
      4⤵
      Kills process with taskkill
      PID:3588
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM K7TSecurity.exe /T /F
      4⤵
      PID:2340
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM K7AVScan.exe /T /F
      4⤵
      Kills process with taskkill
      PID:204
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM K7CrvSvc.exe /T /F
      4⤵
      Kills process with taskkill
      PID:5016
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM K7SysMon.Exe /T /F
      4⤵
      Kills process with taskkill
      PID:380
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM K7TSMain.exe /T /F
      4⤵
      PID:2504
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM K7TSMngr.exe /T /F
      4⤵
      PID:1932
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM nanosvc.exe /T /F
      4⤵
      Kills process with taskkill
      PID:1684
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM nanoav.exe /T /F
      4⤵
      PID:3788
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM nnf.exe /T /F
      4⤵
      PID:1420
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM nvcsvc.exe /T /F
      4⤵
      PID:4964
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM nbrowser.exe /T /F
      4⤵
      PID:1588
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM nseupdatesvc.exe /T /F
      4⤵
      PID:1000
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM nfservice.exe /T /F
      4⤵
      PID:1964
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM nwscmon.exe /T /F
      4⤵
      Kills process with taskkill
      PID:2476
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM njeeves2.exe /T /F
      4⤵
      PID:664
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM nvcod.exe /T /F
      4⤵
      PID:3764
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM nvoy.exe /T /F
      4⤵
      PID:2936
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM zlhh.exe /T /F
      4⤵
      PID:3140
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM Zlh.exe /T /F
      4⤵
      PID:2128
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM nprosec.exe /T /F
      4⤵
      Kills process with taskkill
      PID:2224
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM Zanda.exe /T /F
      4⤵
      Kills process with taskkill
      PID:2896
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM NS.exe /T /F
      4⤵
      Kills process with taskkill
      PID:4924
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM acs.exe /T /F
      4⤵
      PID:4976
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM op_mon.exe /T /F
      4⤵
      PID:1148
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM PSANHost.exe /T /F
      4⤵
      Kills process with taskkill
      PID:4500
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM PSUAMain.exe /T /F
      4⤵
      Kills process with taskkill
      PID:1660
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM PSUAService.exe /T /F
      4⤵
      PID:2036
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM AgentSvc.exe /T /F
      4⤵
      PID:4764
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM BDSSVC.EXE /T /F
      4⤵
      PID:3612
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM EMLPROXY.EXE /T /F
      4⤵
      PID:4576
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM OPSSVC.EXE /T /F
      4⤵
      PID:4196
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM ONLINENT.EXE /T /F
      4⤵
      PID:4540
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM QUHLPSVC.EXE /T /F
      4⤵
      PID:1972
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM SAPISSVC.EXE /T /F
      4⤵
      PID:3280
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM SCANNER.EXE /T /F
      4⤵
      Kills process with taskkill
      PID:3428
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM SCANWSCS.EXE /T /F
      4⤵
      PID:2932
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM scproxysrv.exe /T /F
      4⤵
      Kills process with taskkill
      PID:5100
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM ScSecSvc.exe /T /F
      4⤵
      Kills process with taskkill
      PID:4220
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM SUPERAntiSpyware.exe /T /F
      4⤵
      PID:4788
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM SASCore64.exe /T /F
      4⤵
      PID:4676
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM SSUpdate64.exe /T /F
      4⤵
      PID:2340
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM SUPERDelete.exe /T /F
      4⤵
      PID:2476
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM SASTask.exe /T /F
      4⤵
      PID:2900
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM K7RTScan.exe /T /F
      4⤵
      PID:2324
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM K7FWSrvc.exe /T /F
      4⤵
      PID:2772
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM K7PSSrvc.exe /T /F
      4⤵
      PID:1260
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM K7EmlPxy.EXE /T /F
      4⤵
      Kills process with taskkill
      PID:2216
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM K7TSecurity.exe /T /F
      4⤵
      PID:3980
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM K7AVScan.exe /T /F
      4⤵
      PID:3184
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM K7CrvSvc.exe /T /F
      4⤵
      Kills process with taskkill
      PID:1348
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM K7SysMon.Exe /T /F
      4⤵
      Kills process with taskkill
      PID:440
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM K7TSMain.exe /T /F
      4⤵
      Kills process with taskkill
      PID:4360
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM K7TSMngr.exe /T /F
      4⤵
      Kills process with taskkill
      PID:4780
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM uiWinMgr.exe /T /F
      4⤵
      PID:3320
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM uiWatchDog.exe /T /F
      4⤵
      PID:2112
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM uiSeAgnt.exe /T /F
      4⤵
      Kills process with taskkill
      PID:2600
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM PtWatchDog.exe /T /F
      4⤵
      PID:1288
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM PtSvcHost.exe /T /F
      4⤵
      PID:3644
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM PtSessionAgent.exe /T /F
      4⤵
      PID:2928
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM coreFrameworkHost.exe /T /F
      4⤵
      PID:4324
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM coreServiceShell.exe /T /F
      4⤵
      PID:3764
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM uiUpdateTray.exe /T /F
      4⤵
      PID:3788
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM VIPREUI.exe /T /F
      4⤵
      Kills process with taskkill
      PID:4444
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM SBAMSvc.exe /T /F
      4⤵
      PID:4576
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM SBAMTray.exe /T /F
      4⤵
      PID:2564
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM SBPIMSvc.exe /T /F
      4⤵
      PID:1196
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM bavhm.exe /T /F
      4⤵
      PID:544
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM BavSvc.exe /T /F
      4⤵
      PID:4496
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM BavTray.exe /T /F
      4⤵
      PID:1716
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM Bav.exe /T /F
      4⤵
      PID:2612
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM BavWebClient.exe /T /F
      4⤵
      Kills process with taskkill
      PID:1296
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM BavUpdater.exe /T /F
      4⤵
      Kills process with taskkill
      PID:2876
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM MCShieldCCC.exe /T /F
      4⤵
      PID:1524
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM MCShieldRTM.exe /T /F
      4⤵
      PID:4484
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM MCShieldDS.exe /T /F
      4⤵
      PID:5012
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM MCS-Uninstall.exe /T /F
      4⤵
      PID:4376
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM SDScan.exe /T /F
      4⤵
      PID:1240
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM SDFSSvc.exe /T /F
      4⤵
      PID:4168
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM SDWelcome.exe /T /F
      4⤵
      Kills process with taskkill
      PID:2508
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM SDTray.exe /T /F
      4⤵
      PID:2856
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM UnThreat.exe /T /F
      4⤵
      Kills process with taskkill
      PID:652
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM utsvc.exe /T /F
      4⤵
      PID:3300
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM FortiClient.exe /T /F
      4⤵
      PID:5104
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM fcappdb.exe /T /F
      4⤵
      Kills process with taskkill
      PID:776
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM FCDBlog.exe /T /F
      4⤵
      PID:4404
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM FCHelper64.exe /T /F
      4⤵
      Kills process with taskkill
      PID:2680
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM fmon.exe /T /F
      4⤵
      PID:2340
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM FortiESNAC.exe /T /F
      4⤵
      PID:4300
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM FortiProxy.exe /T /F
      4⤵
      PID:2380
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM FortiSSLVPNdaemon.exe /T /F
      4⤵
      PID:440
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM FortiTray.exe /T /F
      4⤵
      Kills process with taskkill
      PID:3644
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM FortiFW.exe /T /F
      4⤵
      Kills process with taskkill
      PID:1680
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM FortiClient_Diagnostic_Tool.exe /T /F
      4⤵
      PID:3912
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM av_task.exe /T /F
      4⤵
      Kills process with taskkill
      PID:2488
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM CertReg.exe /T /F
      4⤵
      PID:4180
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM FilMsg.exe /T /F
      4⤵
      Kills process with taskkill
      PID:1956
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM FilUp.exe /T /F
      4⤵
      PID:3420
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM filwscc.exe /T /F
      4⤵
      Kills process with taskkill
      PID:3084
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM filwscc.exe /T /F
      4⤵
      PID:3308
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM psview.exe /T /F
      4⤵
      PID:1760
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM quamgr.exe /T /F
      4⤵
      PID:484
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM quamgr.exe /T /F
      4⤵
      Kills process with taskkill
      PID:4204
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM schmgr.exe /T /F
      4⤵
      PID:4280
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM schmgr.exe /T /F
      4⤵
      Kills process with taskkill
      PID:4520
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM twsscan.exe /T /F
      4⤵
      PID:3588
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM twssrv.exe /T /F
      4⤵
      PID:2320
  - - C:\Windows\SYSTEM32\taskkill.exe
      taskkill /IM UserReg.exe /T /F
      4⤵
      PID:2792

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Bypass User Account Control

T1088

Defense Evasion

Bypass User Account Control

T1088

Disabling Security Tools

T1089

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

Filesize
50B

MD5
5968ef5fac4270bce1811ed4faa64f57

SHA1
8fe278a32d2f88ea5b0bb6f2c9af1a97466749d9

SHA256
bdd11b7a095460b95799fba297ed30ae174ef7fa43a29f4d0de059118a1979b7

SHA512
7115108f1a6ffca6c0dd3625eaaf399c36e64bac778a9d802fc67750e7da792ad3a232a68bcf7c9ce764eea32785b1a99290fb6f4226bd6eb27c9c64d2c07317

Download Submit
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp

Filesize
50B

MD5
cb1e7aad05454468787716a16e394c8f

SHA1
da3d84f9d8d5d4f2840f832c7981e04f86231656

SHA256
2febfa3d2b56f1d731c0f9ce4ea3b2fe32e45344c042ca55e3dad92514cb1440

SHA512
f1e37ead35a3139cb085d6105aa67ac105cac7950d8cd994ab561feeb0ef4c35caf4e4e5821b21ef4d6d0cfc2e6f5d87da65be017a98b865c35bddd7360ef79f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Retrive2171829258634001436.vbs

Filesize
276B

MD5
3bdfd33017806b85949b6faa7d4b98e4

SHA1
f92844fee69ef98db6e68931adfaa9a0a0f8ce66

SHA256
9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6

SHA512
ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429

Download Submit
C:\Users\Admin\AppData\Local\Temp\Retrive5446966286694821409.vbs

Filesize
281B

MD5
a32c109297ed1ca155598cd295c26611

SHA1
dc4a1fdbaad15ddd6fe22d3907c6b03727b71510

SHA256
45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7

SHA512
70372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887

Download Submit
C:\Users\Admin\AppData\Local\Temp\Retrive8232765323767647558.vbs

Filesize
281B

MD5
a32c109297ed1ca155598cd295c26611

SHA1
dc4a1fdbaad15ddd6fe22d3907c6b03727b71510

SHA256
45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7

SHA512
70372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887

Download Submit
C:\Users\Admin\AppData\Local\Temp\Retrive8310157283682935209.vbs

Filesize
276B

MD5
3bdfd33017806b85949b6faa7d4b98e4

SHA1
f92844fee69ef98db6e68931adfaa9a0a0f8ce66

SHA256
9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6

SHA512
ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429

Download Submit
C:\Users\Admin\AppData\Local\Temp\_0.19844322723278843909023851822834099.class

Filesize
241KB

MD5
781fb531354d6f291f1ccab48da6d39f

SHA1
9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68

SHA256
97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

SHA512
3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\tedOMLqJiY2387175954939911402.reg

Filesize
27KB

MD5
22c27d345f6ceff99de5fe515991c4bf

SHA1
9c80dd9ffc77e2666281404f6452f5bd48d2bbcb

SHA256
45497c7ca76f29c6786a8835bc1925a5f6cd219403dce807fb34b98a630212b3

SHA512
6875b8b8c2c29860db7feb7afa95379d4ee1b027ba7f30547bb99c30bf11ffc7d69a914ab029d23c8ce2b2a36dffde5117e76ba639a6da9b349b62538740f773

Download Submit
C:\Users\Admin\AppData\Roaming\EotRrJluLY.js

Filesize
6KB

MD5
28d9f4027a8903158b47220090b56d39

SHA1
ea0eea902dd0cd61b240b08704d2af2e24629584

SHA256
a07719c7e92e77e37569d08027962c848eede48b0ac520afdb248b22c3133810

SHA512
4bf2a858f76981febcf743deea1513f0703fa5339030b03bb04e1c339b12e4d6e555991bc38865b878f67f696f2aaa3289730021bdf3ecde3ded48ce9ce91363

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2629973501-4017243118-3254762364-1000\83aa4cc77f591dfc2374580bbd95f6ba_e32e1c79-b88e-4709-94fb-81034ca3398e

Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\AppData\Roaming\bixdsszddg.txt

Filesize
479KB

MD5
afbe9330392991544c3d27eada315d5c

SHA1
ebd555c3cb3bcc6c3ac1177f79bde780c6178e52

SHA256
d80128b9e3b1ddd76b87cc0338cec93a76763dd20003d9808457418ad66635a0

SHA512
bf284394cfbac7c1d6320dbed54e51220a28c476930943f813f13fccdb689f8fb821eae32aac268baacd1dbab4d3e00f5b8dc8d19721b8266cc1173c079427b5

Download Submit
C:\Users\Admin\jjswbfmpkr.js

Filesize
903KB

MD5
50459d584e47a03736a85baf18a64793

SHA1
0888f95b6997e0e314df75b6b741b51bc6cf86b4

SHA256
a93302f536b29049498907e1fa7bd99b0b9bf11284453ffd0ffe213a135a6b2b

SHA512
3406ee86529c5fa97b725af0ab6e451e6a9ac7c483e49f428fde8eabf1f386d7720d42fe8de79f627d4bd2581302086d81c45162a40ff7135f2ecd34c77d47dd

Download Submit
memory/2040-228-0x0000000002B80000-0x0000000003B80000-memory.dmp

Filesize
16.0MB

Download
memory/2040-214-0x0000000002B80000-0x0000000003B80000-memory.dmp

Filesize
16.0MB

Download
memory/2040-230-0x0000000002B80000-0x0000000003B80000-memory.dmp

Filesize
16.0MB

Download
memory/2040-203-0x0000000002B80000-0x0000000003B80000-memory.dmp

Filesize
16.0MB

Download
memory/2040-204-0x0000000002B80000-0x0000000003B80000-memory.dmp

Filesize
16.0MB

Download
memory/2040-232-0x0000000002B80000-0x0000000003B80000-memory.dmp

Filesize
16.0MB

Download
memory/2040-246-0x0000000002B80000-0x0000000003B80000-memory.dmp

Filesize
16.0MB

Download
memory/2040-208-0x0000000002B80000-0x0000000003B80000-memory.dmp

Filesize
16.0MB

Download
memory/2040-229-0x0000000002B80000-0x0000000003B80000-memory.dmp

Filesize
16.0MB

Download
memory/2040-171-0x0000000002B80000-0x0000000003B80000-memory.dmp

Filesize
16.0MB

Download
memory/2976-219-0x0000000002DA0000-0x0000000003DA0000-memory.dmp

Filesize
16.0MB

Download
memory/2976-248-0x0000000002DA0000-0x0000000003DA0000-memory.dmp

Filesize
16.0MB

Download
memory/2976-256-0x0000000002DA0000-0x0000000003DA0000-memory.dmp

Filesize
16.0MB

Download
memory/2976-224-0x0000000002DA0000-0x0000000003DA0000-memory.dmp

Filesize
16.0MB

Download
memory/2976-254-0x0000000002DA0000-0x0000000003DA0000-memory.dmp

Filesize
16.0MB

Download
memory/2976-226-0x0000000002DA0000-0x0000000003DA0000-memory.dmp

Filesize
16.0MB

Download
memory/2976-192-0x0000000002DA0000-0x0000000003DA0000-memory.dmp

Filesize
16.0MB

Download
memory/2976-252-0x0000000002DA0000-0x0000000003DA0000-memory.dmp

Filesize
16.0MB

Download
memory/2976-220-0x0000000002DA0000-0x0000000003DA0000-memory.dmp

Filesize
16.0MB

Download
memory/2976-205-0x0000000002DA0000-0x0000000003DA0000-memory.dmp

Filesize
16.0MB

Download
memory/2976-159-0x0000000002DA0000-0x0000000003DA0000-memory.dmp

Filesize
16.0MB

Download
memory/2976-221-0x0000000002DA0000-0x0000000003DA0000-memory.dmp

Filesize
16.0MB

Download
memory/2976-199-0x0000000002DA0000-0x0000000003DA0000-memory.dmp

Filesize
16.0MB

Download
memory/2976-234-0x0000000002DA0000-0x0000000003DA0000-memory.dmp

Filesize
16.0MB

Download
memory/2976-181-0x0000000002DA0000-0x0000000003DA0000-memory.dmp

Filesize
16.0MB

Download
memory/2976-236-0x0000000002DA0000-0x0000000003DA0000-memory.dmp

Filesize
16.0MB

Download
memory/2976-237-0x0000000002DA0000-0x0000000003DA0000-memory.dmp

Filesize
16.0MB

Download
memory/2976-207-0x0000000002DA0000-0x0000000003DA0000-memory.dmp

Filesize
16.0MB

Download
memory/2976-239-0x0000000002DA0000-0x0000000003DA0000-memory.dmp

Filesize
16.0MB

Download
memory/2976-215-0x0000000002DA0000-0x0000000003DA0000-memory.dmp

Filesize
16.0MB

Download
memory/3108-136-0x00000000032B0000-0x00000000042B0000-memory.dmp

Filesize
16.0MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads