adwind | 5e241deca646a788ca280904f5e1b0695a8e34c40eff15685537f7015c9c3ce8

Analysis

max time kernel
149s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/09/2024, 15:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

fc9f32394bf372a050a1869d13b52dc9_JaffaCakes118.jar
Size

552KB
MD5

fc9f32394bf372a050a1869d13b52dc9
SHA1

870e513747454df3385976372e9e956d60f94ac9
SHA256

5e241deca646a788ca280904f5e1b0695a8e34c40eff15685537f7015c9c3ce8
SHA512

cda2dc28da444862db060092cf5eb1934e37eb1f17386e07ac26af957ec813f62671e7f988b4f6362338dcd69291bb95a56e973985a5bab63ea5c31b390b5f1a
SSDEEP

12288:T+Ciw0rWW2sEvbF+XUajETInyW4oD/x0mmxkMyb0qeI3oYh:Qw06W2T+XUS1yroLtM2TeCph

Score

10^/10

adwind evasion persistence trojan

Malware Config

Signatures

AdWind
A Java-based RAT family operated as malware-as-a-service.
trojan adwind

UAC bypass 3 TTPs 4 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	regedit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	regedit.exe

Disables Task Manager via registry modification
evasion
Disables use of System Restore points 1 TTPs
evasion

Inhibit System Recovery
T1490

Event Triggered Execution: Image File Execution Options Injection 1 TTPs 64 IoCs

persistence

Image File Execution Options Injection

T1546.012

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psview.exe\debugger = "svchost.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fssm32.exe\debugger = "svchost.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7TSMain.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\njeeves2.exe\debugger = "svchost.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uiWatchDog.exe\debugger = "svchost.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FortiESNAC.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nseupdatesvc.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\coreServiceShell.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\virusutilities.exe\debugger = "svchost.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe\debugger = "svchost.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdAwareDesktop.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmdagent.exe\debugger = "svchost.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\freshclamwrap.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nfservice.exe\debugger = "svchost.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FortiClient.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe\debugger = "svchost.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\econser.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDKBFltExe32.exe\debugger = "svchost.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\freshclam.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EMLPROXY.EXE\debugger = "svchost.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdAwareDesktop.exe\debugger = "svchost.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ClamWin.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\escanmon.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SASTask.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SBPIMSvc.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BullGuardBhvScanner.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVKTray.exe\debugger = "svchost.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7FWSrvc.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\EMLPROXY.EXE	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PtWatchDog.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psview.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\V3Up.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardxservice.exe\debugger = "svchost.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TRAYSSER.EXE	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSUAMain.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\quamgr.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ScSecSvc.exe\debugger = "svchost.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VIEWTCP.EXE\debugger = "svchost.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ONLINENT.EXE	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SAPISSVC.EXE	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCANWSCS.EXE\debugger = "svchost.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardxkickoff_x64.exe\debugger = "svchost.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7TSMngr.exe\debugger = "svchost.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SUPERAntiSpyware.exe\debugger = "svchost.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VIPREUI.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dumpcap.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LittleHook.exe\debugger = "svchost.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cavwp.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\trigger.exe\debugger = "svchost.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDScan.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FCHelper64.exe\debugger = "svchost.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FortiTray.exe	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDWelcome.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\twssrv.exe\debugger = "svchost.exe"	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cavwp.exe\debugger = "svchost.exe"	regedit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fssm32.exe	regedit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nseupdatesvc.exe\debugger = "svchost.exe"	regedit.exe

Drops file in System32 directory 2 IoCs

description	ioc	Process
File created	C:\Windows\System32\test.txt	java.exe
File opened for modification	C:\Windows\System32\test.txt	java.exe

Kills process with taskkill 64 IoCs

evasion

pid	Process
2884	taskkill.exe
3880	taskkill.exe
4736	taskkill.exe
3292	taskkill.exe
2280	taskkill.exe
2752	taskkill.exe
3400	taskkill.exe
212	taskkill.exe
4380	taskkill.exe
1036	taskkill.exe
4352	taskkill.exe
3976	taskkill.exe
3800	taskkill.exe
1156	taskkill.exe
2132	taskkill.exe
4128	taskkill.exe
1832	taskkill.exe
1776	taskkill.exe
2904	taskkill.exe
4044	taskkill.exe
3108	taskkill.exe
952	taskkill.exe
4760	taskkill.exe
4948	taskkill.exe
640	taskkill.exe
232	taskkill.exe
4356	taskkill.exe
3948	taskkill.exe
2948	taskkill.exe
3972	taskkill.exe
4912	taskkill.exe
1576	taskkill.exe
628	taskkill.exe
4536	taskkill.exe
3680	taskkill.exe
3380	taskkill.exe
540	taskkill.exe
2416	taskkill.exe
3852	taskkill.exe
3712	taskkill.exe
4408	taskkill.exe
788	taskkill.exe
5016	taskkill.exe
4836	taskkill.exe
5008	taskkill.exe
3788	taskkill.exe
3680	taskkill.exe
3976	taskkill.exe
1500	taskkill.exe
4008	taskkill.exe
3384	taskkill.exe
2984	taskkill.exe
3408	taskkill.exe
4704	taskkill.exe
2892	taskkill.exe
4088	taskkill.exe
4784	taskkill.exe
4344	taskkill.exe
2396	taskkill.exe
4764	taskkill.exe
1540	taskkill.exe
952	taskkill.exe
4708	taskkill.exe
3248	taskkill.exe

Runs .reg file with regedit 1 IoCs

pid	Process
1100	regedit.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	3976	taskkill.exe
Token: SeDebugPrivilege	1036	taskkill.exe
Token: SeDebugPrivilege	4344	taskkill.exe
Token: SeDebugPrivilege	4772	taskkill.exe
Token: SeDebugPrivilege	4868	taskkill.exe
Token: SeDebugPrivilege	3216	taskkill.exe
Token: SeDebugPrivilege	4808	taskkill.exe
Token: SeDebugPrivilege	2152	taskkill.exe
Token: SeDebugPrivilege	3244	taskkill.exe
Token: SeDebugPrivilege	1684	taskkill.exe
Token: SeDebugPrivilege	3316	taskkill.exe
Token: SeDebugPrivilege	3700	taskkill.exe
Token: SeDebugPrivilege	3816	taskkill.exe
Token: SeDebugPrivilege	2976	taskkill.exe
Token: SeDebugPrivilege	4760	taskkill.exe
Token: SeDebugPrivilege	3976	taskkill.exe
Token: SeDebugPrivilege	1052	taskkill.exe
Token: SeDebugPrivilege	4948	taskkill.exe
Token: SeDebugPrivilege	2416	taskkill.exe
Token: SeDebugPrivilege	5028	taskkill.exe
Token: SeDebugPrivilege	4140	taskkill.exe
Token: SeDebugPrivilege	3000	taskkill.exe
Token: SeDebugPrivilege	2352	taskkill.exe
Token: SeDebugPrivilege	3880	taskkill.exe
Token: SeDebugPrivilege	1224	taskkill.exe
Token: SeDebugPrivilege	2396	taskkill.exe
Token: SeDebugPrivilege	1776	taskkill.exe
Token: SeDebugPrivilege	384	taskkill.exe
Token: SeDebugPrivilege	3528	taskkill.exe
Token: SeDebugPrivilege	4696	taskkill.exe
Token: SeDebugPrivilege	2864	taskkill.exe
Token: SeDebugPrivilege	4008	taskkill.exe
Token: SeDebugPrivilege	2280	taskkill.exe
Token: SeDebugPrivilege	1016	taskkill.exe
Token: SeDebugPrivilege	4620	taskkill.exe
Token: SeDebugPrivilege	2904	taskkill.exe
Token: SeDebugPrivilege	3736	taskkill.exe
Token: SeDebugPrivilege	1156	taskkill.exe
Token: SeDebugPrivilege	3632	taskkill.exe
Token: SeDebugPrivilege	628	taskkill.exe
Token: SeDebugPrivilege	2752	taskkill.exe
Token: SeDebugPrivilege	5016	taskkill.exe
Token: SeDebugPrivilege	1936	taskkill.exe
Token: SeDebugPrivilege	1340	taskkill.exe
Token: SeDebugPrivilege	3184	taskkill.exe
Token: SeDebugPrivilege	4704	taskkill.exe
Token: SeDebugPrivilege	3872	taskkill.exe
Token: SeDebugPrivilege	3020	taskkill.exe
Token: SeDebugPrivilege	5008	taskkill.exe
Token: SeDebugPrivilege	3852	taskkill.exe
Token: SeDebugPrivilege	4356	taskkill.exe
Token: SeDebugPrivilege	4352	taskkill.exe
Token: SeDebugPrivilege	4536	taskkill.exe
Token: SeDebugPrivilege	2156	taskkill.exe
Token: SeDebugPrivilege	3948	taskkill.exe
Token: SeDebugPrivilege	640	taskkill.exe
Token: SeDebugPrivilege	5060	taskkill.exe
Token: SeDebugPrivilege	3232	taskkill.exe
Token: SeDebugPrivilege	3400	taskkill.exe
Token: SeDebugPrivilege	2984	taskkill.exe
Token: SeDebugPrivilege	3408	taskkill.exe
Token: SeDebugPrivilege	3792	taskkill.exe
Token: SeDebugPrivilege	4280	taskkill.exe
Token: SeDebugPrivilege	4736	taskkill.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
3152	java.exe
2808	java.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3152 wrote to memory of 2808	3152	java.exe	83
PID 3152 wrote to memory of 2808	3152	java.exe	83
PID 3152 wrote to memory of 3588	3152	java.exe	85
PID 3152 wrote to memory of 3588	3152	java.exe	85
PID 3588 wrote to memory of 3044	3588	cmd.exe	87
PID 3588 wrote to memory of 3044	3588	cmd.exe	87
PID 3152 wrote to memory of 2804	3152	java.exe	88
PID 3152 wrote to memory of 2804	3152	java.exe	88
PID 2804 wrote to memory of 1860	2804	cmd.exe	90
PID 2804 wrote to memory of 1860	2804	cmd.exe	90
PID 3152 wrote to memory of 2304	3152	java.exe	91
PID 3152 wrote to memory of 2304	3152	java.exe	91
PID 2808 wrote to memory of 3196	2808	java.exe	93
PID 2808 wrote to memory of 3196	2808	java.exe	93
PID 3196 wrote to memory of 4896	3196	cmd.exe	95
PID 3196 wrote to memory of 4896	3196	cmd.exe	95
PID 2808 wrote to memory of 2952	2808	java.exe	96
PID 2808 wrote to memory of 2952	2808	java.exe	96
PID 2952 wrote to memory of 2000	2952	cmd.exe	98
PID 2952 wrote to memory of 2000	2952	cmd.exe	98
PID 2808 wrote to memory of 4876	2808	java.exe	99
PID 2808 wrote to memory of 4876	2808	java.exe	99
PID 3152 wrote to memory of 4080	3152	java.exe	101
PID 3152 wrote to memory of 4080	3152	java.exe	101
PID 3152 wrote to memory of 3976	3152	java.exe	103
PID 3152 wrote to memory of 3976	3152	java.exe	103
PID 3152 wrote to memory of 3456	3152	java.exe	104
PID 3152 wrote to memory of 3456	3152	java.exe	104
PID 3456 wrote to memory of 1100	3456	cmd.exe	107
PID 3456 wrote to memory of 1100	3456	cmd.exe	107
PID 3152 wrote to memory of 1036	3152	java.exe	109
PID 3152 wrote to memory of 1036	3152	java.exe	109
PID 3152 wrote to memory of 4344	3152	java.exe	111
PID 3152 wrote to memory of 4344	3152	java.exe	111
PID 3152 wrote to memory of 4772	3152	java.exe	113
PID 3152 wrote to memory of 4772	3152	java.exe	113
PID 3152 wrote to memory of 4868	3152	java.exe	115
PID 3152 wrote to memory of 4868	3152	java.exe	115
PID 3152 wrote to memory of 3216	3152	java.exe	119
PID 3152 wrote to memory of 3216	3152	java.exe	119
PID 3152 wrote to memory of 4808	3152	java.exe	122
PID 3152 wrote to memory of 4808	3152	java.exe	122
PID 3152 wrote to memory of 2152	3152	java.exe	124
PID 3152 wrote to memory of 2152	3152	java.exe	124
PID 3152 wrote to memory of 3244	3152	java.exe	126
PID 3152 wrote to memory of 3244	3152	java.exe	126
PID 3152 wrote to memory of 1684	3152	java.exe	129
PID 3152 wrote to memory of 1684	3152	java.exe	129
PID 3152 wrote to memory of 3316	3152	java.exe	131
PID 3152 wrote to memory of 3316	3152	java.exe	131
PID 3152 wrote to memory of 3700	3152	java.exe	133
PID 3152 wrote to memory of 3700	3152	java.exe	133
PID 3152 wrote to memory of 3816	3152	java.exe	137
PID 3152 wrote to memory of 3816	3152	java.exe	137
PID 3152 wrote to memory of 2976	3152	java.exe	139
PID 3152 wrote to memory of 2976	3152	java.exe	139
PID 3152 wrote to memory of 4760	3152	java.exe	141
PID 3152 wrote to memory of 4760	3152	java.exe	141
PID 3152 wrote to memory of 3976	3152	java.exe	143
PID 3152 wrote to memory of 3976	3152	java.exe	143
PID 3152 wrote to memory of 1052	3152	java.exe	145
PID 3152 wrote to memory of 1052	3152	java.exe	145
PID 3152 wrote to memory of 4948	3152	java.exe	147
PID 3152 wrote to memory of 4948	3152	java.exe	147

C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\fc9f32394bf372a050a1869d13b52dc9_JaffaCakes118.jar
1⤵
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3152
- C:\Program Files\Java\jre-1.8\bin\java.exe
  "C:\Program Files\Java\jre-1.8\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.52656664691689062993344591949828707.class
  2⤵
  - Drops file in System32 directory
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2808
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3710614788983916875.vbs
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3196
  - - C:\Windows\system32\cscript.exe
      cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3710614788983916875.vbs
      4⤵
      PID:4896
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive8294758539232522632.vbs
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Windows\system32\cscript.exe
      cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive8294758539232522632.vbs
      4⤵
      PID:2000
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe
    3⤵
    PID:4876
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive6482478570901060948.vbs
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3588
- - C:\Windows\system32\cscript.exe
    cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive6482478570901060948.vbs
    3⤵
    PID:3044
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive9104637138650907932.vbs
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\system32\cscript.exe
    cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive9104637138650907932.vbs
    3⤵
    PID:1860
- C:\Windows\SYSTEM32\xcopy.exe
  xcopy "C:\Program Files\Java\jre-1.8" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
  2⤵
  PID:2304
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe
  2⤵
  PID:4080
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM UserAccountControlSettings.exe /T /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3976
- C:\Windows\SYSTEM32\cmd.exe
  cmd.exe /c regedit.exe /s C:\Users\Admin\AppData\Local\Temp\BmgOKehYEU8838374366179021295.reg
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3456
- - C:\Windows\regedit.exe
    regedit.exe /s C:\Users\Admin\AppData\Local\Temp\BmgOKehYEU8838374366179021295.reg
    3⤵
    - UAC bypass
    - Event Triggered Execution: Image File Execution Options Injection
    - Runs .reg file with regedit
    PID:1100
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM Taskmgr.exe /T /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1036
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM ProcessHacker.exe /T /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4344
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM procexp.exe /T /F
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4772
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM MSASCui.exe /T /F
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4868
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM MsMpEng.exe /T /F
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3216
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM MpUXSrv.exe /T /F
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4808
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM MpCmdRun.exe /T /F
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2152
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM NisSrv.exe /T /F
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3244
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM ConfigSecurityPolicy.exe /T /F
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1684
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM procexp.exe /T /F
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3316
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM wireshark.exe /T /F
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3700
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM tshark.exe /T /F
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3816
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM text2pcap.exe /T /F
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2976
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM rawshark.exe /T /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4760
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM mergecap.exe /T /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3976
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM editcap.exe /T /F
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1052
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM dumpcap.exe /T /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4948
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM capinfos.exe /T /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2416
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM mbam.exe /T /F
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5028
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM mbamscheduler.exe /T /F
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4140
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM mbamservice.exe /T /F
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3000
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM AdAwareService.exe /T /F
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2352
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM AdAwareTray.exe /T /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3880
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM WebCompanion.exe /T /F
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1224
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM AdAwareDesktop.exe /T /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2396
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM V3Main.exe /T /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:1776
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM V3Svc.exe /T /F
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:384
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM V3Up.exe /T /F
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3528
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM V3SP.exe /T /F
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4696
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM V3Proxy.exe /T /F
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2864
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM V3Medic.exe /T /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4008
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM BgScan.exe /T /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2280
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM BullGuard.exe /T /F
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1016
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM BullGuardBhvScanner.exe /T /F
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4620
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM BullGuarScanner.exe /T /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2904
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM LittleHook.exe /T /F
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3736
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM BullGuardUpdate.exe /T /F
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1156
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM clamscan.exe /T /F
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3632
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM ClamTray.exe /T /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:628
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM ClamWin.exe /T /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2752
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM cis.exe /T /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5016
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM CisTray.exe /T /F
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1936
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM cmdagent.exe /T /F
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1340
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM cavwp.exe /T /F
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3184
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM dragon_updater.exe /T /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4704
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM MWAGENT.EXE /T /F
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3872
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM MWASER.EXE /T /F
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3020
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM CONSCTLX.EXE /T /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:5008
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM avpmapp.exe /T /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3852
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM econceal.exe /T /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4356
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM escanmon.exe /T /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4352
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM escanpro.exe /T /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4536
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM TRAYSSER.EXE /T /F
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2156
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM TRAYICOS.EXE /T /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3948
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM econser.exe /T /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:640
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM VIEWTCP.EXE /T /F
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5060
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM FSHDLL64.exe /T /F
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3232
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM fsgk32.exe /T /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3400
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM fshoster32.exe /T /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:2984
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM FSMA32.EXE /T /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:3408
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM fsorsp.exe /T /F
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3792
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM fssm32.exe /T /F
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:4280
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM FSM32.EXE /T /F
  2⤵
  - Kills process with taskkill
  - Suspicious use of AdjustPrivilegeToken
  PID:4736
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM trigger.exe /T /F
  2⤵
  PID:1688
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM FProtTray.exe /T /F
  2⤵
  PID:1252
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM FPWin.exe /T /F
  2⤵
  PID:4224
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM FPAVServer.exe /T /F
  2⤵
  - Kills process with taskkill
  PID:1500
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM AVK.exe /T /F
  2⤵
  PID:4348
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM GdBgInx64.exe /T /F
  2⤵
  - Kills process with taskkill
  PID:3248
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM AVKProxy.exe /T /F
  2⤵
  PID:3788
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM GDScan.exe /T /F
  2⤵
  - Kills process with taskkill
  PID:4836
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM AVKWCtlx64.exe /T /F
  2⤵
  PID:3680
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM AVKService.exe /T /F
  2⤵
  - Kills process with taskkill
  PID:232
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM AVKTray.exe /T /F
  2⤵
  PID:3572
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM GDKBFltExe32.exe /T /F
  2⤵
  PID:4976
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM GDSC.exe /T /F
  2⤵
  PID:948
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM virusutilities.exe /T /F
  2⤵
  PID:1532
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM guardxservice.exe /T /F
  2⤵
  - Kills process with taskkill
  PID:3292
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM guardxkickoff_x64.exe /T /F
  2⤵
  PID:2908
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM iptray.exe /T /F
  2⤵
  PID:4516
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM freshclam.exe /T /F
  2⤵
  - Kills process with taskkill
  PID:212
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM freshclamwrap.exe /T /F
  2⤵
  PID:1920
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM K7RTScan.exe /T /F
  2⤵
  PID:3244
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM K7FWSrvc.exe /T /F
  2⤵
  - Kills process with taskkill
  PID:3712
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM K7PSSrvc.exe /T /F
  2⤵
  PID:2140
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM K7EmlPxy.EXE /T /F
  2⤵
  - Kills process with taskkill
  PID:4408
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM K7TSecurity.exe /T /F
  2⤵
  - Kills process with taskkill
  PID:4044
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM K7AVScan.exe /T /F
  2⤵
  - Kills process with taskkill
  PID:4764
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM K7CrvSvc.exe /T /F
  2⤵
  PID:2476
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM K7SysMon.Exe /T /F
  2⤵
  PID:4552
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM K7TSMain.exe /T /F
  2⤵
  PID:968
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM K7TSMngr.exe /T /F
  2⤵
  PID:4088
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM nanosvc.exe /T /F
  2⤵
  - Kills process with taskkill
  PID:1540
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM nanoav.exe /T /F
  2⤵
  PID:4500
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM nnf.exe /T /F
  2⤵
  - Kills process with taskkill
  PID:1156
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM nvcsvc.exe /T /F
  2⤵
  PID:1624
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM nbrowser.exe /T /F
  2⤵
  - Kills process with taskkill
  PID:3680
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM nseupdatesvc.exe /T /F
  2⤵
  PID:1408
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM nfservice.exe /T /F
  2⤵
  PID:2228
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM nwscmon.exe /T /F
  2⤵
  PID:2012
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM njeeves2.exe /T /F
  2⤵
  - Kills process with taskkill
  PID:3380
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM nvcod.exe /T /F
  2⤵
  - Kills process with taskkill
  PID:3800
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM nvoy.exe /T /F
  2⤵
  - Kills process with taskkill
  PID:2892
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM zlhh.exe /T /F
  2⤵
  - Kills process with taskkill
  PID:2132
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM Zlh.exe /T /F
  2⤵
  - Kills process with taskkill
  PID:540
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM nprosec.exe /T /F
  2⤵
  PID:3244
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM Zanda.exe /T /F
  2⤵
  - Kills process with taskkill
  PID:2948
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM NS.exe /T /F
  2⤵
  PID:3336
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM acs.exe /T /F
  2⤵
  PID:4940
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM op_mon.exe /T /F
  2⤵
  PID:2452
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM PSANHost.exe /T /F
  2⤵
  PID:3704
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM PSUAMain.exe /T /F
  2⤵
  - Kills process with taskkill
  PID:4128
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM PSUAService.exe /T /F
  2⤵
  - Kills process with taskkill
  PID:952
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM AgentSvc.exe /T /F
  2⤵
  - Kills process with taskkill
  PID:3788
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM BDSSVC.EXE /T /F
  2⤵
  PID:1376
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM EMLPROXY.EXE /T /F
  2⤵
  - Kills process with taskkill
  PID:4088
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM OPSSVC.EXE /T /F
  2⤵
  PID:4948
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM ONLINENT.EXE /T /F
  2⤵
  - Kills process with taskkill
  PID:3108
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM QUHLPSVC.EXE /T /F
  2⤵
  PID:1616
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM SAPISSVC.EXE /T /F
  2⤵
  PID:3000
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM SCANNER.EXE /T /F
  2⤵
  - Kills process with taskkill
  PID:4784
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM SCANWSCS.EXE /T /F
  2⤵
  - Kills process with taskkill
  PID:3680
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM scproxysrv.exe /T /F
  2⤵
  PID:4916
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM ScSecSvc.exe /T /F
  2⤵
  - Kills process with taskkill
  PID:1832
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM SUPERAntiSpyware.exe /T /F
  2⤵
  PID:4228
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM SASCore64.exe /T /F
  2⤵
  PID:4756
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM SSUpdate64.exe /T /F
  2⤵
  - Kills process with taskkill
  PID:788
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM SUPERDelete.exe /T /F
  2⤵
  PID:1944
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM SASTask.exe /T /F
  2⤵
  PID:2200
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM K7RTScan.exe /T /F
  2⤵
  - Kills process with taskkill
  PID:4708
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM K7FWSrvc.exe /T /F
  2⤵
  PID:4356
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM K7PSSrvc.exe /T /F
  2⤵
  - Kills process with taskkill
  PID:3972
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM K7EmlPxy.EXE /T /F
  2⤵
  PID:1052
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM K7TSecurity.exe /T /F
  2⤵
  - Kills process with taskkill
  PID:4912
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM K7AVScan.exe /T /F
  2⤵
  - Kills process with taskkill
  PID:952
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM K7CrvSvc.exe /T /F
  2⤵
  PID:4860
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM K7SysMon.Exe /T /F
  2⤵
  PID:2964
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM K7TSMain.exe /T /F
  2⤵
  - Kills process with taskkill
  PID:3384
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM K7TSMngr.exe /T /F
  2⤵
  - Kills process with taskkill
  PID:4380
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM uiWinMgr.exe /T /F
  2⤵
  PID:2192
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM uiWatchDog.exe /T /F
  2⤵
  PID:4076
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM uiSeAgnt.exe /T /F
  2⤵
  - Kills process with taskkill
  PID:2884
- C:\Windows\SYSTEM32\taskkill.exe
  taskkill /IM PtWatchDog.exe /T /F
  2⤵
  - Kills process with taskkill
  PID:1576

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Event Triggered Execution

T1546

Image File Execution Options Injection

T1546.012

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp

Filesize
46B

MD5
d5d59f60c10690d5947f8dc17fcfdbf6

SHA1
bd1137800d107d2b1c9c392068cbe097a4ee2cdb

SHA256
b760828801a192ef78fa8a16fe759c324bd6647079ae5aa12197266c611a18b2

SHA512
5142f285bdcbe02cb392b945f5c7ebc8933c40d2f7f6cb7c2a4984729aa8453975ec830ae2801e909a0f31144d0f8f64265e99172eadfb2ae968ee425661e0a8

Download Submit
C:\Users\Admin\AppData\Local\Temp\BmgOKehYEU8838374366179021295.reg

Filesize
27KB

MD5
7f97f5f336944d427c03cc730c636b8f

SHA1
8a50c72b4580c20d4a7bfc7af8f12671bf6715ae

SHA256
9613caed306e9a267c62c56506985ef99ea2bee6e11afc185b8133dda37cbc57

SHA512
8f8b5dc16f087bdc73a134b76fd1063765e3c049baca4873d1b9eb30ba59f418395490cafc78a93b1cdcc20461e73c96de34475669715d6ddb93d0b56e6e6c54

Download Submit
C:\Users\Admin\AppData\Local\Temp\Retrive6482478570901060948.vbs

Filesize
276B

MD5
3bdfd33017806b85949b6faa7d4b98e4

SHA1
f92844fee69ef98db6e68931adfaa9a0a0f8ce66

SHA256
9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6

SHA512
ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429

Download Submit
C:\Users\Admin\AppData\Local\Temp\Retrive9104637138650907932.vbs

Filesize
281B

MD5
a32c109297ed1ca155598cd295c26611

SHA1
dc4a1fdbaad15ddd6fe22d3907c6b03727b71510

SHA256
45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7

SHA512
70372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887

Download Submit
C:\Users\Admin\AppData\Local\Temp\_0.52656664691689062993344591949828707.class

Filesize
241KB

MD5
781fb531354d6f291f1ccab48da6d39f

SHA1
9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68

SHA256
97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9

SHA512
3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2718105630-359604950-2820636825-1000\83aa4cc77f591dfc2374580bbd95f6ba_32404286-a0b5-4a93-9620-6f13fd83251a

Filesize
45B

MD5
c8366ae350e7019aefc9d1e6e6a498c6

SHA1
5731d8a3e6568a5f2dfbbc87e3db9637df280b61

SHA256
11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238

SHA512
33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\bin\plugin2\msvcp140.dll

Filesize
558KB

MD5
bf78c15068d6671693dfcdfa5770d705

SHA1
4418c03c3161706a4349dfe3f97278e7a5d8962a

SHA256
a88b8c1c8f27bf90fe960e0e8bd56984ad48167071af92d96ec1051f89f827fb

SHA512
5b6b0ab4e82cc979eaa619d387c6995198fd19aa0c455bef44bd37a765685575d57448b3b4accd70d3bd20a6cd408b1f518eda0f6dae5aa106f225bee8291372

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\bin\plugin2\vcruntime140.dll

Filesize
95KB

MD5
7415c1cc63a0c46983e2a32581daefee

SHA1
5f8534d79c84ac45ad09b5a702c8c5c288eae240

SHA256
475ab98b7722e965bd38c8fa6ed23502309582ccf294ff1061cb290c7988f0d1

SHA512
3d4b24061f72c0e957c7b04a0c4098c94c8f1afb4a7e159850b9939c7210d73398be6f27b5ab85073b4e8c999816e7804fef0f6115c39cd061f4aaeb4dcda8cf

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\bin\plugin2\vcruntime140_1.dll

Filesize
36KB

MD5
fcda37abd3d9e9d8170cd1cd15bf9d3f

SHA1
b23ff3e9aa2287b9c1249a008c0ae06dc8b6fdf2

SHA256
0579d460ea1f7e8a815fa55a8821a5ff489c8097f051765e9beaf25d8d0f27d6

SHA512
de8be61499aaa1504dde8c19666844550c2ea7ef774ecbe26900834b252887da31d4cf4fb51338b16b6a4416de733e519ebf8c375eb03eb425232a6349da2257

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\lib\deploy\messages_zh_TW.properties

Filesize
3KB

MD5
880baacb176553deab39edbe4b74380d

SHA1
37a57aad121c14c25e149206179728fa62203bf0

SHA256
ff4a3a92bc92cb08d2c32c435810440fd264edd63e56efa39430e0240c835620

SHA512
3039315bb283198af9090bd3d31cfae68ee73bc2b118bbae0b32812d4e3fd0f11ce962068d4a17b065dab9a66ef651b9cb8404c0a2defce74bb6b2d1d93646d5

Download Submit
C:\Users\Admin\AppData\Roaming\Oracle\lib\images\cursors\win32_CopyNoDrop32x32.gif

Filesize
153B

MD5
1e9d8f133a442da6b0c74d49bc84a341

SHA1
259edc45b4569427e8319895a444f4295d54348f

SHA256
1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b

SHA512
63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37

Download Submit
C:\Windows\System32\test.txt

Filesize
452B

MD5
14cd65500a79256663ad931f479c6040

SHA1
a7369d5cf4fb8d1634acebd6bff84886ec9e8e82

SHA256
cb8fac03afcfa839d9655db39976442cd81f5e355f1d0b408a7cb95ad66c24ff

SHA512
ccc864d4feba0acee0f60a579de5662a8def5280fc1c8a92004c2946d98eefec69ea36c53177af1dab8f536360d68f634a1b23f216b992211bf763f1c1199e50

Download Submit
memory/2808-1078-0x000001E4AAEF0000-0x000001E4AAEF1000-memory.dmp

Filesize
4KB

Download
memory/2808-1237-0x000001E4AAEF0000-0x000001E4AAEF1000-memory.dmp

Filesize
4KB

Download
memory/2808-327-0x000001E4AAEF0000-0x000001E4AAEF1000-memory.dmp

Filesize
4KB

Download
memory/2808-319-0x000001E4AAEF0000-0x000001E4AAEF1000-memory.dmp

Filesize
4KB

Download
memory/3152-104-0x0000022400480000-0x0000022400490000-memory.dmp

Filesize
64KB

Download
memory/3152-118-0x00000224004C0000-0x00000224004D0000-memory.dmp

Filesize
64KB

Download
memory/3152-37-0x0000022400000000-0x0000022400270000-memory.dmp

Filesize
2.4MB

Download
memory/3152-31-0x00000224002E0000-0x00000224002F0000-memory.dmp

Filesize
64KB

Download
memory/3152-30-0x00000224002D0000-0x00000224002E0000-memory.dmp

Filesize
64KB

Download
memory/3152-43-0x0000022400340000-0x0000022400350000-memory.dmp

Filesize
64KB

Download
memory/3152-42-0x0000022400280000-0x0000022400290000-memory.dmp

Filesize
64KB

Download
memory/3152-40-0x0000022400270000-0x0000022400280000-memory.dmp

Filesize
64KB

Download
memory/3152-45-0x0000022400350000-0x0000022400360000-memory.dmp

Filesize
64KB

Download
memory/3152-46-0x0000022400290000-0x00000224002A0000-memory.dmp

Filesize
64KB

Download
memory/3152-47-0x0000022400360000-0x0000022400370000-memory.dmp

Filesize
64KB

Download
memory/3152-52-0x00000224002A0000-0x00000224002B0000-memory.dmp

Filesize
64KB

Download
memory/3152-53-0x0000022400370000-0x0000022400380000-memory.dmp

Filesize
64KB

Download
memory/3152-60-0x00000224002D0000-0x00000224002E0000-memory.dmp

Filesize
64KB

Download
memory/3152-65-0x00000224003A0000-0x00000224003B0000-memory.dmp

Filesize
64KB

Download
memory/3152-64-0x0000022400310000-0x0000022400320000-memory.dmp

Filesize
64KB

Download
memory/3152-63-0x0000022400300000-0x0000022400310000-memory.dmp

Filesize
64KB

Download
memory/3152-62-0x00000224002F0000-0x0000022400300000-memory.dmp

Filesize
64KB

Download
memory/3152-61-0x00000224002E0000-0x00000224002F0000-memory.dmp

Filesize
64KB

Download
memory/3152-59-0x0000022400390000-0x00000224003A0000-memory.dmp

Filesize
64KB

Download
memory/3152-58-0x00000224002C0000-0x00000224002D0000-memory.dmp

Filesize
64KB

Download
memory/3152-56-0x0000022400380000-0x0000022400390000-memory.dmp

Filesize
64KB

Download
memory/3152-54-0x00000224002B0000-0x00000224002C0000-memory.dmp

Filesize
64KB

Download
memory/3152-74-0x0000022400320000-0x0000022400330000-memory.dmp

Filesize
64KB

Download
memory/3152-73-0x00000224003E0000-0x00000224003F0000-memory.dmp

Filesize
64KB

Download
memory/3152-72-0x00000224003D0000-0x00000224003E0000-memory.dmp

Filesize
64KB

Download
memory/3152-71-0x00000224003C0000-0x00000224003D0000-memory.dmp

Filesize
64KB

Download
memory/3152-70-0x00000224003B0000-0x00000224003C0000-memory.dmp

Filesize
64KB

Download
memory/3152-77-0x00000224003F0000-0x0000022400400000-memory.dmp

Filesize
64KB

Download
memory/3152-76-0x0000022400330000-0x0000022400340000-memory.dmp

Filesize
64KB

Download
memory/3152-86-0x0000022400430000-0x0000022400440000-memory.dmp

Filesize
64KB

Download
memory/3152-87-0x0000022400350000-0x0000022400360000-memory.dmp

Filesize
64KB

Download
memory/3152-85-0x0000022400420000-0x0000022400430000-memory.dmp

Filesize
64KB

Download
memory/3152-83-0x0000022400400000-0x0000022400410000-memory.dmp

Filesize
64KB

Download
memory/3152-82-0x0000022400340000-0x0000022400350000-memory.dmp

Filesize
64KB

Download
memory/3152-84-0x0000022400410000-0x0000022400420000-memory.dmp

Filesize
64KB

Download
memory/3152-96-0x0000022400370000-0x0000022400380000-memory.dmp

Filesize
64KB

Download
memory/3152-95-0x0000022400460000-0x0000022400470000-memory.dmp

Filesize
64KB

Download
memory/3152-94-0x0000022400450000-0x0000022400460000-memory.dmp

Filesize
64KB

Download
memory/3152-99-0x0000022400470000-0x0000022400480000-memory.dmp

Filesize
64KB

Download
memory/3152-98-0x0000022400380000-0x0000022400390000-memory.dmp

Filesize
64KB

Download
memory/3152-93-0x0000022400440000-0x0000022400450000-memory.dmp

Filesize
64KB

Download
memory/3152-91-0x0000022400360000-0x0000022400370000-memory.dmp

Filesize
64KB

Download
memory/3152-103-0x0000022400390000-0x00000224003A0000-memory.dmp

Filesize
64KB

Download
memory/3152-32-0x00000224002F0000-0x0000022400300000-memory.dmp

Filesize
64KB

Download
memory/3152-107-0x0000022400490000-0x00000224004A0000-memory.dmp

Filesize
64KB

Download
memory/3152-106-0x00000224003A0000-0x00000224003B0000-memory.dmp

Filesize
64KB

Download
memory/3152-109-0x00000224003B0000-0x00000224003C0000-memory.dmp

Filesize
64KB

Download
memory/3152-111-0x00000224003D0000-0x00000224003E0000-memory.dmp

Filesize
64KB

Download
memory/3152-113-0x00000224004A0000-0x00000224004B0000-memory.dmp

Filesize
64KB

Download
memory/3152-112-0x00000224003E0000-0x00000224003F0000-memory.dmp

Filesize
64KB

Download
memory/3152-110-0x00000224003C0000-0x00000224003D0000-memory.dmp

Filesize
64KB

Download
memory/3152-115-0x00000224004B0000-0x00000224004C0000-memory.dmp

Filesize
64KB

Download
memory/3152-38-0x0000022400330000-0x0000022400340000-memory.dmp

Filesize
64KB

Download
memory/3152-117-0x00000224003F0000-0x0000022400400000-memory.dmp

Filesize
64KB

Download
memory/3152-124-0x00000224004D0000-0x00000224004E0000-memory.dmp

Filesize
64KB

Download
memory/3152-123-0x0000022400430000-0x0000022400440000-memory.dmp

Filesize
64KB

Download
memory/3152-122-0x0000022400420000-0x0000022400430000-memory.dmp

Filesize
64KB

Download
memory/3152-121-0x0000022400410000-0x0000022400420000-memory.dmp

Filesize
64KB

Download
memory/3152-120-0x0000022400400000-0x0000022400410000-memory.dmp

Filesize
64KB

Download
memory/3152-126-0x00000224004E0000-0x00000224004F0000-memory.dmp

Filesize
64KB

Download
memory/3152-128-0x0000022400440000-0x0000022400450000-memory.dmp

Filesize
64KB

Download
memory/3152-129-0x0000022400450000-0x0000022400460000-memory.dmp

Filesize
64KB

Download
memory/3152-130-0x0000022400460000-0x0000022400470000-memory.dmp

Filesize
64KB

Download
memory/3152-131-0x00000224004F0000-0x0000022400500000-memory.dmp

Filesize
64KB

Download
memory/3152-135-0x0000022400500000-0x0000022400510000-memory.dmp

Filesize
64KB

Download
memory/3152-138-0x0000022400470000-0x0000022400480000-memory.dmp

Filesize
64KB

Download
memory/3152-139-0x0000022400510000-0x0000022400520000-memory.dmp

Filesize
64KB

Download
memory/3152-141-0x0000022400520000-0x0000022400530000-memory.dmp

Filesize
64KB

Download
memory/3152-140-0x0000022400480000-0x0000022400490000-memory.dmp

Filesize
64KB

Download
memory/3152-143-0x0000022400490000-0x00000224004A0000-memory.dmp

Filesize
64KB

Download
memory/3152-144-0x0000022400530000-0x0000022400540000-memory.dmp

Filesize
64KB

Download
memory/3152-146-0x00000224004A0000-0x00000224004B0000-memory.dmp

Filesize
64KB

Download
memory/3152-147-0x0000022400540000-0x0000022400550000-memory.dmp

Filesize
64KB

Download
memory/3152-150-0x0000022400550000-0x0000022400560000-memory.dmp

Filesize
64KB

Download
memory/3152-149-0x00000224004B0000-0x00000224004C0000-memory.dmp

Filesize
64KB

Download
memory/3152-153-0x0000022400560000-0x0000022400570000-memory.dmp

Filesize
64KB

Download
memory/3152-152-0x00000224004C0000-0x00000224004D0000-memory.dmp

Filesize
64KB

Download
memory/3152-156-0x0000022400570000-0x0000022400580000-memory.dmp

Filesize
64KB

Download
memory/3152-155-0x00000224004D0000-0x00000224004E0000-memory.dmp

Filesize
64KB

Download
memory/3152-159-0x0000022400580000-0x0000022400590000-memory.dmp

Filesize
64KB

Download
memory/3152-158-0x00000224004E0000-0x00000224004F0000-memory.dmp

Filesize
64KB

Download
memory/3152-161-0x00000224004F0000-0x0000022400500000-memory.dmp

Filesize
64KB

Download
memory/3152-162-0x0000022400590000-0x00000224005A0000-memory.dmp

Filesize
64KB

Download
memory/3152-36-0x0000022400320000-0x0000022400330000-memory.dmp

Filesize
64KB

Download
memory/3152-33-0x0000022400300000-0x0000022400310000-memory.dmp

Filesize
64KB

Download
memory/3152-172-0x00000224005A0000-0x00000224005B0000-memory.dmp

Filesize
64KB

Download
memory/3152-171-0x0000022400500000-0x0000022400510000-memory.dmp

Filesize
64KB

Download
memory/3152-250-0x0000022471400000-0x0000022471401000-memory.dmp

Filesize
4KB

Download
memory/3152-275-0x0000022471400000-0x0000022471401000-memory.dmp

Filesize
4KB

Download
memory/3152-604-0x0000022471400000-0x0000022471401000-memory.dmp

Filesize
4KB

Download
memory/3152-34-0x0000022400310000-0x0000022400320000-memory.dmp

Filesize
64KB

Download
memory/3152-23-0x00000224002C0000-0x00000224002D0000-memory.dmp

Filesize
64KB

Download
memory/3152-21-0x00000224002B0000-0x00000224002C0000-memory.dmp

Filesize
64KB

Download
memory/3152-19-0x00000224002A0000-0x00000224002B0000-memory.dmp

Filesize
64KB

Download
memory/3152-15-0x0000022400280000-0x0000022400290000-memory.dmp

Filesize
64KB

Download
memory/3152-17-0x0000022400290000-0x00000224002A0000-memory.dmp

Filesize
64KB

Download
memory/3152-13-0x0000022400270000-0x0000022400280000-memory.dmp

Filesize
64KB

Download
memory/3152-1210-0x0000022471400000-0x0000022471401000-memory.dmp

Filesize
4KB

Download
memory/3152-11-0x0000022471400000-0x0000022471401000-memory.dmp

Filesize
4KB

Download
memory/3152-1214-0x0000022471400000-0x0000022471401000-memory.dmp

Filesize
4KB

Download
memory/3152-1218-0x0000022471400000-0x0000022471401000-memory.dmp

Filesize
4KB

Download
memory/3152-1219-0x0000022471400000-0x0000022471401000-memory.dmp

Filesize
4KB

Download
memory/3152-2-0x0000022400000000-0x0000022400270000-memory.dmp

Filesize
2.4MB

Download
memory/3152-1248-0x0000022471400000-0x0000022471401000-memory.dmp

Filesize
4KB

Download
memory/3152-1260-0x0000022471400000-0x0000022471401000-memory.dmp

Filesize
4KB

Download
memory/3152-1261-0x0000022471400000-0x0000022471401000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads