Analysis Overview
SHA256
19dc38f5315c1169d8d3578202f9df5b75db5e3f8c79bd4ec2b1168851e40bb8
Threat Level: Known bad
The file c65d3ff20b9a591b41d0b575e70167ebd8963e003f619652660d0fa7adf84c9d.bin.sample.gz was found to be: Known bad.
Malicious Activity Summary
JAR file contains resources related to AdWind
AdWind
Sets file to hidden
Adds Run key to start application
Drops desktop.ini file(s)
Drops file in Program Files directory
Modifies registry key
Views/modifies file attributes
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2023-09-06 14:46
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2023-09-06 14:46
Reported
2023-09-06 14:49
Platform
win10v2004-20230831-en
Max time kernel
147s
Max time network
153s
Command Line
Signatures
AdWind
JAR file contains resources related to AdWind
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sedwsds = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\xps\\swsrviaswa.jar\"" | C:\Windows\SYSTEM32\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2415528079-3794552930-4264847036-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sedwsds = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\xps\\swsrviaswa.jar\"" | C:\Windows\SYSTEM32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\javasupdadtesw = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\javasupdadtes\\javasupdadtew.jar\"" | C:\Windows\SYSTEM32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\javasupdadtesw = "\"C:\\Program Files\\Java\\jre1.8.0_66\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\javasupdadtes\\javasupdadtew.jar\"" | C:\Windows\SYSTEM32\reg.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\xps\Desktop.ini | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\xps\Desktop.ini | C:\Windows\SYSTEM32\attrib.exe | N/A |
| File created | C:\Users\Admin\AppData\Roaming\javasupdadtes\Desktop.ini | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\javasupdadtes\Desktop.ini | C:\Windows\SYSTEM32\attrib.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\dll\jvm.pdb | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\dll\ntdll.pdb | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\ntdll.pdb | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\jvm.pdb | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\jvm.pdb | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\jvm.pdb | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\ntdll.pdb | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\symbols\dll\ntdll.pdb | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\dll\ntdll.pdb | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\symbols\dll\ntdll.pdb | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\jvm.pdb | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe | N/A |
| File opened for modification | C:\Program Files\Java\jre1.8.0_66\bin\server\dll\jvm.pdb | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\reg.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\reg.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\reg.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\reg.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\reg.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\reg.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A |
| N/A | N/A | C:\ProgramData\Oracle\Java\javapath\java.exe | N/A |
| N/A | N/A | C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
Processes
C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\sample.jar
C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\asdqwdoiqjwdomasdlkasmdklasd80204470572918719250exeadmis6.jar
C:\ProgramData\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\asdqwdoiqjwdomasdlkasmdklasd4277562502419898061dede2.jar
C:\Windows\SYSTEM32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v sedwsds /t REG_SZ /d "\"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe\" -jar \"C:\Users\Admin\AppData\Roaming\xps\swsrviaswa.jar\"" /f
C:\Windows\SYSTEM32\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v sedwsds /t REG_SZ /d "\"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe\" -jar \"C:\Users\Admin\AppData\Roaming\xps\swsrviaswa.jar\"" /f
C:\Windows\SYSTEM32\attrib.exe
attrib +s +h +r "C:\Users\Admin\AppData\Roaming\xps\*.*"
C:\Windows\SYSTEM32\attrib.exe
attrib +s +h +r "C:\Users\Admin\AppData\Roaming\xps"
C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\xps\swsrviaswa.jar"
C:\Windows\SYSTEM32\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v javasupdadtesw /t REG_SZ /d "\"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe\" -jar \"C:\Users\Admin\AppData\Roaming\javasupdadtes\javasupdadtew.jar\"" /f
C:\Windows\SYSTEM32\reg.exe
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v javasupdadtesw /f
C:\Windows\SYSTEM32\attrib.exe
attrib +s +h +r "C:\Users\Admin\AppData\Roaming\javasupdadtes\*.*"
C:\Windows\SYSTEM32\attrib.exe
attrib +s +h +r "C:\Users\Admin\AppData\Roaming\javasupdadtes"
C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe
"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\javasupdadtes\javasupdadtew.jar"
C:\Windows\SYSTEM32\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v javasupdadtesw /t REG_SZ /d "\"C:\Program Files\Java\jre1.8.0_66\bin\javaw.exe\" -jar \"C:\Users\Admin\AppData\Roaming\javasupdadtes\javasupdadtew.jar\"" /f
C:\Windows\SYSTEM32\reg.exe
reg delete HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v javasupdadtesw /f
C:\Windows\SYSTEM32\attrib.exe
attrib +H C:\Users\Admin\.Plugins3
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.154.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 240.221.184.93.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | abdo00.publicvm.com | udp |
| US | 198.204.241.158:33 | abdo00.publicvm.com | tcp |
| US | 8.8.8.8:53 | 83.121.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.16.208.104.in-addr.arpa | udp |
| US | 198.204.241.158:33 | abdo00.publicvm.com | tcp |
Files
memory/460-4-0x0000000003050000-0x0000000004050000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\asdqwdoiqjwdomasdlkasmdklasd80204470572918719250exeadmis6.jar
| MD5 | 3d95e909a81dd81283604f6fe0b909b0 |
| SHA1 | b6c4144f5be00ef49c47b56ff7a62b5809f8746b |
| SHA256 | 21a4fabdbabfbd936aa14762f2f139d3049e46812efbe3d1febd7dca1d599a54 |
| SHA512 | 68c0a4ac0673392dfe53ae276aceb6de1e71613c74817e3eac760ecac185f6997d1346696ad5982502095e40f9dff0bbe60d36fd6f849a6211a5d061b9de80aa |
memory/460-33-0x0000000002DC0000-0x0000000002DC1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\asdqwdoiqjwdomasdlkasmdklasd4277562502419898061dede2.jar
| MD5 | c2c4d5760b4acd6722c6052d52fd21c0 |
| SHA1 | 4cf6240fae1338c7eb0cf1534e7e820f57b3b9e7 |
| SHA256 | a7ee7cfbd2461230da7eb919f9eb58f2d3fa54a4892307cea0f339189ebede28 |
| SHA512 | 8f34b983664635c5ec7f0af4b47a1e90ea3abac64c5f5bf62d215cef2d3c32af5438ce0576c805bc3bd1978f6cef66cd08ef80a87c4ce4b269d7a27e42bd0d1e |
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
| MD5 | bcdc2925291c5c868ace4644e258b61c |
| SHA1 | 0b19ea30a71e2a1356711e8cf67f658f485460d9 |
| SHA256 | 2c1eb18cf9f37f0d50e5a7c8b8c2a1ab96af1bccc07e0208904a43ff8d282bf9 |
| SHA512 | d970c0d13b4dc7387cffc449f3e6d71bae5b3f54d4e9ea3262738fd01c8bf58546e74ca328d23009c66611e8d1000cd201aea34441391d94a61a129c4e77c2bf |
memory/3780-47-0x0000000002EB0000-0x0000000003EB0000-memory.dmp
memory/3780-53-0x0000000002BB0000-0x0000000002BB1000-memory.dmp
memory/3780-56-0x0000000002BB0000-0x0000000002BB1000-memory.dmp
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
| MD5 | 436c8131b28c734ebc71a3865b92cc0a |
| SHA1 | 4141cb27b16c1e664f59cd7c68272fa5ae299b3e |
| SHA256 | 2588a4ec5b032295abe81fce66eae22719d8c7f3adeb9153fcfb0357c17a03fa |
| SHA512 | e59985ab08e833533e566911f06ce6cf4c7c46c3de1b7613fc3a65029277a5bad1f0048ecf7c0ddb57fa7a207fbdffbb166a279b125a90176bb765daeed7296a |
memory/4632-61-0x00000000031E0000-0x00000000041E0000-memory.dmp
memory/4632-69-0x0000000002DE0000-0x0000000002DE1000-memory.dmp
memory/3780-74-0x0000000002BB0000-0x0000000002BB1000-memory.dmp
memory/3780-79-0x0000000002BB0000-0x0000000002BB1000-memory.dmp
memory/4632-85-0x0000000002DE0000-0x0000000002DE1000-memory.dmp
memory/4632-91-0x00000000031E0000-0x00000000041E0000-memory.dmp
C:\Users\Admin\AppData\Roaming\xps\swsrviaswa.jar
| MD5 | c2c4d5760b4acd6722c6052d52fd21c0 |
| SHA1 | 4cf6240fae1338c7eb0cf1534e7e820f57b3b9e7 |
| SHA256 | a7ee7cfbd2461230da7eb919f9eb58f2d3fa54a4892307cea0f339189ebede28 |
| SHA512 | 8f34b983664635c5ec7f0af4b47a1e90ea3abac64c5f5bf62d215cef2d3c32af5438ce0576c805bc3bd1978f6cef66cd08ef80a87c4ce4b269d7a27e42bd0d1e |
memory/4632-104-0x0000000002DE0000-0x0000000002DE1000-memory.dmp
C:\Users\Admin\AppData\Roaming\xps\Desktop.ini
| MD5 | e783bdd20a976eaeaae1ff4624487420 |
| SHA1 | c2a44fab9df00b3e11582546b16612333c2f9286 |
| SHA256 | 2f65fa9c7ed712f493782abf91467f869419a2f8b5adf23b44019c08190fa3f3 |
| SHA512 | 8c883678e4625ef44f4885b8c6d7485196774f9cb0b9eee7dd18711749bcae474163df9965effcd13ecd1a33cd7265010c152f8504d6013e4f4d85d68a901a80 |
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
| MD5 | 4c2dc134598979669eafa82f7a7af7de |
| SHA1 | a02199bac803887066316e20f8b39007e81766aa |
| SHA256 | 58f3d7dbe8dcfe717eb81f1d496c4a2c3c4d4b44b0770047d2aeacf514821e62 |
| SHA512 | e60cac58f966148cf70f938ab1b55276e5f85fce3306d480f4ae2f618ba91db3138e9913d074a9d9d92337db735ad9ee2ebd2007b40e25327308fd5114e4dae4 |
memory/4632-112-0x0000000003460000-0x0000000003470000-memory.dmp
memory/4632-114-0x00000000031E0000-0x00000000041E0000-memory.dmp
memory/4176-116-0x0000000001310000-0x0000000001311000-memory.dmp
memory/4176-121-0x0000000002FE0000-0x0000000003FE0000-memory.dmp
memory/3780-123-0x0000000002BB0000-0x0000000002BB1000-memory.dmp
memory/3780-124-0x0000000002BB0000-0x0000000002BB1000-memory.dmp
C:\Users\Admin\AppData\Roaming\javasupdadtes\javasupdadtew.jar
| MD5 | 3d95e909a81dd81283604f6fe0b909b0 |
| SHA1 | b6c4144f5be00ef49c47b56ff7a62b5809f8746b |
| SHA256 | 21a4fabdbabfbd936aa14762f2f139d3049e46812efbe3d1febd7dca1d599a54 |
| SHA512 | 68c0a4ac0673392dfe53ae276aceb6de1e71613c74817e3eac760ecac185f6997d1346696ad5982502095e40f9dff0bbe60d36fd6f849a6211a5d061b9de80aa |
C:\Users\Admin\AppData\Roaming\javasupdadtes\Desktop.ini
| MD5 | e783bdd20a976eaeaae1ff4624487420 |
| SHA1 | c2a44fab9df00b3e11582546b16612333c2f9286 |
| SHA256 | 2f65fa9c7ed712f493782abf91467f869419a2f8b5adf23b44019c08190fa3f3 |
| SHA512 | 8c883678e4625ef44f4885b8c6d7485196774f9cb0b9eee7dd18711749bcae474163df9965effcd13ecd1a33cd7265010c152f8504d6013e4f4d85d68a901a80 |
C:\Users\Admin\.oracle_jre_usage\90737d32e3aba4b.timestamp
| MD5 | 0159d8bff2a2e7bc3c14a1311671b7a5 |
| SHA1 | d5d2024b34b4e7a086034d116c4ae6aa34267ca5 |
| SHA256 | 0143e9d784c90b082298e74cb0b5d34b9139a736466811a9d8115311b2048821 |
| SHA512 | c6947f840ba01b356489a2cd95183f087e8d40d775f0e5081ab626be51d1cd6246f10a71c481f23556aeb45c2f9fc6cdc3d8765cce6f30ad0fc2bf273e0ccc5c |
memory/4760-153-0x0000000002B00000-0x0000000003B00000-memory.dmp
memory/3780-154-0x0000000002BB0000-0x0000000002BB1000-memory.dmp
memory/4760-156-0x0000000000E50000-0x0000000000E51000-memory.dmp
memory/3780-157-0x0000000002BB0000-0x0000000002BB1000-memory.dmp
memory/4760-158-0x0000000000E50000-0x0000000000E51000-memory.dmp
memory/4760-164-0x0000000000E50000-0x0000000000E51000-memory.dmp
memory/4760-175-0x0000000000E50000-0x0000000000E51000-memory.dmp
memory/4760-177-0x0000000000E50000-0x0000000000E51000-memory.dmp
memory/4760-182-0x0000000000E50000-0x0000000000E51000-memory.dmp
memory/4760-186-0x0000000000E50000-0x0000000000E51000-memory.dmp
memory/4632-197-0x00000000031E0000-0x00000000041E0000-memory.dmp
memory/4176-198-0x0000000002FE0000-0x0000000003FE0000-memory.dmp
memory/4760-199-0x0000000002B00000-0x0000000003B00000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2023-09-06 14:46
Reported
2023-09-06 14:49
Platform
win7-20230831-en
Max time kernel
149s
Max time network
138s
Command Line
Signatures
AdWind
JAR file contains resources related to AdWind
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3513876443-2771975297-1923446376-1000\Software\Microsoft\Windows\CurrentVersion\Run\sedwsds = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\xps\\swsrviaswa.jar\"" | C:\Windows\system32\reg.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sedwsds = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\AppData\\Roaming\\xps\\swsrviaswa.jar\"" | C:\Windows\system32\reg.exe | N/A |
Drops desktop.ini file(s)
| Description | Indicator | Process | Target |
| File created | C:\Users\Admin\AppData\Roaming\xps\Desktop.ini | C:\Windows\system32\java.exe | N/A |
| File opened for modification | C:\Users\Admin\AppData\Roaming\xps\Desktop.ini | C:\Windows\system32\attrib.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\java.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\sample.jar
C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\asdqwdoiqjwdomasdlkasmdklasd44835801984083158950exeadmis6.jar
C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\asdqwdoiqjwdomasdlkasmdklasd28630915366792669791dede2.jar
C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v sedwsds /t REG_SZ /d "\"C:\Program Files\Java\jre7\bin\javaw.exe\" -jar \"C:\Users\Admin\AppData\Roaming\xps\swsrviaswa.jar\"" /f
C:\Windows\system32\reg.exe
reg add HKLM\Software\Microsoft\Windows\CurrentVersion\Run /v sedwsds /t REG_SZ /d "\"C:\Program Files\Java\jre7\bin\javaw.exe\" -jar \"C:\Users\Admin\AppData\Roaming\xps\swsrviaswa.jar\"" /f
C:\Windows\system32\attrib.exe
attrib +s +h +r "C:\Users\Admin\AppData\Roaming\xps\*.*"
C:\Windows\system32\attrib.exe
attrib +s +h +r "C:\Users\Admin\AppData\Roaming\xps"
C:\Program Files\Java\jre7\bin\javaw.exe
"C:\Program Files\Java\jre7\bin\javaw.exe" -jar "C:\Users\Admin\AppData\Roaming\xps\swsrviaswa.jar"
Network
Files
memory/2408-9-0x0000000002170000-0x0000000005170000-memory.dmp
memory/2408-28-0x0000000000320000-0x0000000000321000-memory.dmp
memory/2408-33-0x0000000000320000-0x0000000000321000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\asdqwdoiqjwdomasdlkasmdklasd28630915366792669791dede2.jar
| MD5 | c2c4d5760b4acd6722c6052d52fd21c0 |
| SHA1 | 4cf6240fae1338c7eb0cf1534e7e820f57b3b9e7 |
| SHA256 | a7ee7cfbd2461230da7eb919f9eb58f2d3fa54a4892307cea0f339189ebede28 |
| SHA512 | 8f34b983664635c5ec7f0af4b47a1e90ea3abac64c5f5bf62d215cef2d3c32af5438ce0576c805bc3bd1978f6cef66cd08ef80a87c4ce4b269d7a27e42bd0d1e |
C:\Users\Admin\AppData\Local\Temp\asdqwdoiqjwdomasdlkasmdklasd44835801984083158950exeadmis6.jar
| MD5 | 3d95e909a81dd81283604f6fe0b909b0 |
| SHA1 | b6c4144f5be00ef49c47b56ff7a62b5809f8746b |
| SHA256 | 21a4fabdbabfbd936aa14762f2f139d3049e46812efbe3d1febd7dca1d599a54 |
| SHA512 | 68c0a4ac0673392dfe53ae276aceb6de1e71613c74817e3eac760ecac185f6997d1346696ad5982502095e40f9dff0bbe60d36fd6f849a6211a5d061b9de80aa |
memory/2616-50-0x0000000002150000-0x0000000005150000-memory.dmp
memory/2616-56-0x00000000001B0000-0x00000000001B1000-memory.dmp
memory/2504-57-0x0000000000130000-0x0000000000131000-memory.dmp
memory/2616-61-0x00000000001B0000-0x00000000001B1000-memory.dmp
memory/2616-67-0x00000000001B0000-0x00000000001B1000-memory.dmp
memory/2504-72-0x0000000002240000-0x0000000005240000-memory.dmp
memory/2504-78-0x0000000000130000-0x0000000000131000-memory.dmp
memory/2616-79-0x00000000001B0000-0x00000000001B1000-memory.dmp
memory/2616-80-0x00000000001B0000-0x00000000001B1000-memory.dmp
memory/2616-90-0x0000000002150000-0x0000000005150000-memory.dmp
C:\Users\Admin\AppData\Roaming\xps\Desktop.ini
| MD5 | e783bdd20a976eaeaae1ff4624487420 |
| SHA1 | c2a44fab9df00b3e11582546b16612333c2f9286 |
| SHA256 | 2f65fa9c7ed712f493782abf91467f869419a2f8b5adf23b44019c08190fa3f3 |
| SHA512 | 8c883678e4625ef44f4885b8c6d7485196774f9cb0b9eee7dd18711749bcae474163df9965effcd13ecd1a33cd7265010c152f8504d6013e4f4d85d68a901a80 |
C:\Users\Admin\AppData\Roaming\xps\swsrviaswa.jar
| MD5 | c2c4d5760b4acd6722c6052d52fd21c0 |
| SHA1 | 4cf6240fae1338c7eb0cf1534e7e820f57b3b9e7 |
| SHA256 | a7ee7cfbd2461230da7eb919f9eb58f2d3fa54a4892307cea0f339189ebede28 |
| SHA512 | 8f34b983664635c5ec7f0af4b47a1e90ea3abac64c5f5bf62d215cef2d3c32af5438ce0576c805bc3bd1978f6cef66cd08ef80a87c4ce4b269d7a27e42bd0d1e |
memory/2504-106-0x0000000002240000-0x0000000005240000-memory.dmp
memory/2616-104-0x00000000001B0000-0x00000000001B1000-memory.dmp
memory/1088-108-0x0000000002140000-0x0000000005140000-memory.dmp
memory/1088-119-0x00000000001A0000-0x00000000001A1000-memory.dmp