Analysis Overview
SHA256
e4aceb65bb314136befc7c6f13fecf58ef110a001d6adbcc3b89a3cb323a6f0f
Threat Level: Known bad
The file 3e870fc6e63c5d95f35da8d12eed189103a3df2c5d2a8d0b558ad869de492fe4.zip was found to be: Known bad.
Malicious Activity Summary
Adwind family
AdWind
Disables use of System Restore points
Event Triggered Execution: Image File Execution Options Injection
Executes dropped EXE
Loads dropped DLL
Adds Run key to start application
Drops file in System32 directory
Enumerates physical storage devices
Modifies registry key
Suspicious use of FindShellTrayWindow
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SetWindowsHookEx
Views/modifies file attributes
Runs .reg file with regedit
Modifies registry class
Kills process with taskkill
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-08 09:57
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-08 09:57
Reported
2024-11-08 09:59
Platform
win7-20241023-en
Max time kernel
149s
Max time network
150s
Command Line
Signatures
AdWind
Adwind family
Disables use of System Restore points
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7AVScan.exe | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uiSeAgnt.exe\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fshoster32.exe | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FSM32.EXE | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\trigger.exe\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FortiESNAC.exe | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\twsscan.exe\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CONSCTLX.EXE | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FSHDLL64.exe | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fsgk32.exe | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MCShieldDS.exe | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SUPERDelete.exe\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SBPIMSvc.exe | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BavWebClient.exe\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ClamWin.exe | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\econser.exe\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDScan.exe\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7RTScan.exe\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cavwp.exe\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SASTask.exe\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SBAMSvc.exe\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FilUp.exe | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nvcod.exe\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\tshark.exe | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardxkickoff_x64.exe | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7TSMain.exe | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nanosvc.exe | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MCShieldCCC.exe | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MCShieldRTM.exe | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NS.exe\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSANHost.exe\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSUAMain.exe\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSUAService.exe\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VIEWTCP.EXE | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CertReg.exe | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FilMsg.exe\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LittleHook.exe\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FortiTray.exe\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cis.exe\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7PSSrvc.exe | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7TSMain.exe\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSANHost.exe | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\editcap.exe\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\V3Proxy.exe\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BullGuarScanner.exe | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSUAService.exe | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7CrvSvc.exe\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nanoav.exe\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zlh.exe | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SAPISSVC.EXE | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\WebCompanion.exe | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\V3Medic.exe\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BullGuardBhvScanner.exe\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dragon_updater.exe | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BavUpdater.exe | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7TSecurity.exe | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7TSecurity.exe\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OPSSVC.EXE\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SASTask.exe | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe | C:\Windows\regedit.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000\Software\Microsoft\Windows\CurrentVersion\Run\XOsqeoTBnpF = "\"C:\\Program Files\\Java\\jre7\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\YzQqKjGoxHz\\LyOCtxhwRyz.yrDUql\"" | C:\Windows\system32\reg.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\test.txt | C:\Windows\system32\java.exe | N/A |
| File opened for modification | C:\Windows\System32\test.txt | C:\Program Files\Java\jre7\bin\java.exe | N/A |
| File opened for modification | C:\Windows\System32\test.txt | C:\Program Files\Java\jre7\bin\javaw.exe | N/A |
| File opened for modification | C:\Windows\System32\test.txt | C:\Program Files\Java\jre7\bin\java.exe | N/A |
Enumerates physical storage devices
Kills process with taskkill
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\MF_auto_file\shell\open | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\MF_auto_file\shell\open\command | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\.MF | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\MF_auto_file\shell | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\MF_auto_file\shell\edit\command | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\MF_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\MF_auto_file\shell\edit | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\MF_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_Classes\Local Settings | C:\Windows\system32\rundll32.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\MF_auto_file | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\MF_auto_file\ | C:\Windows\system32\rundll32.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_CLASSES\.MF\ = "MF_auto_file" | C:\Windows\system32\rundll32.exe | N/A |
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\reg.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\regedit.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskkill.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\java.exe | N/A |
| N/A | N/A | C:\Program Files\Java\jre7\bin\java.exe | N/A |
| N/A | N/A | C:\Program Files\Java\jre7\bin\javaw.exe | N/A |
| N/A | N/A | C:\Program Files\Java\jre7\bin\java.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\system32\attrib.exe | N/A |
Processes
C:\Windows\system32\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\3e870fc6e63c5d95f35da8d12eed189103a3df2c5d2a8d0b558ad869de492fe4.jar
C:\Program Files\Java\jre7\bin\java.exe
"C:\Program Files\Java\jre7\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.6433249680996083968615996195912038.class
C:\Windows\system32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive6903421082570798991.vbs
C:\Windows\system32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive4670083935543313049.vbs
C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive4670083935543313049.vbs
C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive6903421082570798991.vbs
C:\Windows\system32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive6396042414935832799.vbs
C:\Windows\system32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive4673117272422881890.vbs
C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive6396042414935832799.vbs
C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive4673117272422881890.vbs
C:\Windows\system32\xcopy.exe
xcopy "C:\Program Files\Java\jre7" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
C:\Windows\system32\xcopy.exe
xcopy "C:\Program Files\Java\jre7" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
C:\Windows\system32\cmd.exe
cmd.exe
C:\Windows\system32\cmd.exe
cmd.exe
C:\Windows\system32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v XOsqeoTBnpF /t REG_EXPAND_SZ /d "\"C:\Program Files\Java\jre7\bin\javaw.exe\" -jar \"C:\Users\Admin\YzQqKjGoxHz\LyOCtxhwRyz.yrDUql\"" /f
C:\Windows\system32\attrib.exe
attrib +h "C:\Users\Admin\YzQqKjGoxHz\*.*"
C:\Windows\system32\attrib.exe
attrib +h "C:\Users\Admin\YzQqKjGoxHz"
C:\Program Files\Java\jre7\bin\javaw.exe
"C:\Program Files\Java\jre7\bin\javaw.exe" -jar C:\Users\Admin\YzQqKjGoxHz\LyOCtxhwRyz.yrDUql
C:\Program Files\Java\jre7\bin\java.exe
"C:\Program Files\Java\jre7\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.61030977888075276569412875832383465.class
C:\Windows\system32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7796176724971091269.vbs
C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7796176724971091269.vbs
C:\Windows\system32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5590011033644002670.vbs
C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive5590011033644002670.vbs
C:\Windows\system32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive4476884782244504095.vbs
C:\Windows\system32\cmd.exe
cmd.exe
C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive4476884782244504095.vbs
C:\Windows\system32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3608254750401134005.vbs
C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3608254750401134005.vbs
C:\Windows\system32\cmd.exe
cmd.exe
C:\Windows\system32\taskkill.exe
taskkill /IM procexp.exe /T /F
C:\Windows\system32\cmd.exe
cmd.exe /c regedit.exe /s C:\Users\Admin\AppData\Local\Temp\AxDJOUoPAw2188152387046136684.reg
C:\Windows\regedit.exe
regedit.exe /s C:\Users\Admin\AppData\Local\Temp\AxDJOUoPAw2188152387046136684.reg
C:\Windows\system32\taskkill.exe
taskkill /IM MSASCui.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM MsMpEng.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM MpUXSrv.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM MpCmdRun.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM NisSrv.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM ConfigSecurityPolicy.exe /T /F
C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
C:\Windows\system32\taskkill.exe
taskkill /IM procexp.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM wireshark.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM tshark.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM text2pcap.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM rawshark.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM mergecap.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM editcap.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM dumpcap.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM capinfos.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM mbam.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM mbamscheduler.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM mbamservice.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM AdAwareService.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM AdAwareTray.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM WebCompanion.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM AdAwareDesktop.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM V3Main.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM V3Svc.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM V3Up.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM V3SP.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM V3Proxy.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM V3Medic.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM BgScan.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM BullGuard.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM BullGuardBhvScanner.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM BullGuarScanner.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM LittleHook.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM BullGuardUpdate.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM clamscan.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM ClamTray.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM ClamWin.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM cis.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM CisTray.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM cmdagent.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM cavwp.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM dragon_updater.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM MWAGENT.EXE /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM MWASER.EXE /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM CONSCTLX.EXE /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM avpmapp.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM econceal.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM escanmon.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM escanpro.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM TRAYSSER.EXE /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM TRAYICOS.EXE /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM econser.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM VIEWTCP.EXE /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM FSHDLL64.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM fsgk32.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM fshoster32.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM FSMA32.EXE /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM fsorsp.exe /T /F
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\3e870fc6e63c5d95f35da8d12eed189103a3df2c5d2a8d0b558ad869de492fe4.jar"
C:\Windows\system32\taskkill.exe
taskkill /IM fssm32.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM FSM32.EXE /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM trigger.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM FProtTray.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM FPWin.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM FPAVServer.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM AVK.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM GdBgInx64.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM AVKProxy.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM GDScan.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM AVKWCtlx64.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM AVKService.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM AVKTray.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM GDKBFltExe32.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM GDSC.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM virusutilities.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM guardxservice.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM guardxkickoff_x64.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM iptray.exe /T /F
C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\Desktop\META-INF\MANIFEST.MF
C:\Windows\system32\taskkill.exe
taskkill /IM freshclam.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM freshclamwrap.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM K7RTScan.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM K7FWSrvc.exe /T /F
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\META-INF\MANIFEST.MF
C:\Windows\system32\taskkill.exe
taskkill /IM K7PSSrvc.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM K7EmlPxy.EXE /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM K7TSecurity.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM K7AVScan.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM K7CrvSvc.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM K7SysMon.Exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM K7TSMain.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM K7TSMngr.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM nanosvc.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM nanoav.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM nnf.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM nvcsvc.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM nbrowser.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM nseupdatesvc.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM nfservice.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM nwscmon.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM njeeves2.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM nvcod.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM nvoy.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM zlhh.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM Zlh.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM nprosec.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM Zanda.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM NS.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM acs.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM op_mon.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM PSANHost.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM PSUAMain.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM PSUAService.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM AgentSvc.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM BDSSVC.EXE /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM EMLPROXY.EXE /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM OPSSVC.EXE /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM ONLINENT.EXE /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM QUHLPSVC.EXE /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM SAPISSVC.EXE /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM SCANNER.EXE /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM SCANWSCS.EXE /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM scproxysrv.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM ScSecSvc.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM SUPERAntiSpyware.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM SASCore64.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM SSUpdate64.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM SUPERDelete.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM SASTask.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM K7RTScan.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM K7FWSrvc.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM K7PSSrvc.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM K7EmlPxy.EXE /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM K7TSecurity.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM K7AVScan.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM K7CrvSvc.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM K7SysMon.Exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM K7TSMain.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM K7TSMngr.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM uiWinMgr.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM uiWatchDog.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM uiSeAgnt.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM PtWatchDog.exe /T /F
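The taskkill sequence above is the sample stopping endpoint-security processes (each call uses /F, so the target gets no chance to handle the shutdown, and /T, so its child processes go too) before it sets up persistence; note that the K7 list is run twice. The Python below is an added example for this report, not part of the sandbox output: it parses command lines in the same path-then-command layout, tallies the image names targeted, reports the ones hit more than once, and applies a simple burst heuristic for hunting. The process excerpt and the threshold are constructed for illustration.

```python
"""Pull the security-product images a sample tries to kill out of a
sandbox process list and apply a simple 'AV-kill burst' heuristic.

Added example for this report, not part of the sandbox output. The process
log below is a constructed excerpt of the command lines shown above."""
import re
from collections import Counter

# Constructed excerpt: the sandbox lists the image path, then the command line.
SAMPLE_PROCESS_LOG = r"""
C:\Windows\system32\taskkill.exe
taskkill /IM K7RTScan.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM K7FWSrvc.exe /T /F
C:\Windows\system32\NOTEPAD.EXE
"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\META-INF\MANIFEST.MF
C:\Windows\system32\taskkill.exe
taskkill /IM SASCore64.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM K7RTScan.exe /T /F
C:\Windows\system32\taskkill.exe
taskkill /IM uiSeAgnt.exe /T /F
"""

# taskkill /IM <image> [/T] [/F] ... ; the image name may be quoted.
TASKKILL_RE = re.compile(
    r'^taskkill\s+/IM\s+"?(?P<image>[^"\s]+)"?(?P<flags>(?:\s+/[A-Za-z]+)*)\s*$',
    re.IGNORECASE,
)


def extract_kill_targets(log_text):
    """Return (attempts, forced): attempts counts taskkill calls per image
    (lower-cased); forced holds the images targeted with both /F (forced
    termination) and /T (whole process tree)."""
    attempts = Counter()
    forced = set()
    for line in log_text.splitlines():
        m = TASKKILL_RE.match(line.strip())
        if not m:
            continue  # image-path lines and unrelated commands (NOTEPAD.EXE)
        image = m.group("image").lower()
        flags = {f.upper() for f in m.group("flags").split()}
        attempts[image] += 1
        if {"/F", "/T"} <= flags:
            forced.add(image)
    return attempts, forced


def repeated_targets(attempts):
    """Images killed more than once (the report above runs the K7 list twice)."""
    return {img: n for img, n in attempts.items() if n > 1}


def av_kill_burst(log_text, threshold=5):
    """Detection heuristic: fire when one sample issues forced, tree-wide
    taskkill calls against at least `threshold` distinct image names.
    Returns (fired, sorted list of distinct forced targets)."""
    _, forced = extract_kill_targets(log_text)
    targets = sorted(forced)
    return len(targets) >= threshold, targets


if __name__ == "__main__":
    fired, targets = av_kill_burst(SAMPLE_PROCESS_LOG, threshold=3)
    print("AV-kill burst:", fired, targets)
    attempts, _ = extract_kill_targets(SAMPLE_PROCESS_LOG)
    print("repeated:", repeated_targets(attempts))
```

On a live host the same heuristic maps onto process-creation telemetry (Sysmon event 1 or 4688) by counting distinct `taskkill /IM ... /F` command lines per parent process; the threshold of five is an assumed starting point, since a full run of this sample produces well over fifty.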
Network
| Country | Destination | Domain | Proto |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| US | 154.16.220.106:20901 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| US | 154.16.220.106:20901 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| US | 154.16.220.106:20901 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| US | 154.16.220.106:20901 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| US | 154.16.220.106:20901 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| US | 154.16.220.106:20901 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| US | 154.16.220.106:20901 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
| N/A | 127.0.0.1:7777 | | tcp |
Files
memory/2648-2-0x0000000002600000-0x0000000002870000-memory.dmp
memory/2648-10-0x0000000000440000-0x0000000000441000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\_0.6433249680996083968615996195912038.class
| MD5 | 781fb531354d6f291f1ccab48da6d39f |
| SHA1 | 9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68 |
| SHA256 | 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9 |
| SHA512 | 3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8 |
memory/2852-21-0x0000000002620000-0x0000000002890000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-1163522206-1469769407-485553996-1000\83aa4cc77f591dfc2374580bbd95f6ba_9d81b961-0275-4281-8321-63119951606b
| MD5 | c8366ae350e7019aefc9d1e6e6a498c6 |
| SHA1 | 5731d8a3e6568a5f2dfbbc87e3db9637df280b61 |
| SHA256 | 11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238 |
| SHA512 | 33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd |
memory/2852-33-0x0000000000150000-0x0000000000151000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\m17310598318186416141364722192680.tmp
| MD5 | d7b748b5346a8b6205a14d844ea6d772 |
| SHA1 | bd510094dfec91e4df081d0e71137585b6987d58 |
| SHA256 | efa63e073a926298e0e3b40ce400c23ef3625b346ee6116ad7e0da2b723d049b |
| SHA512 | 8a9efedef8be4ac5c53e85798b1be0ce9944ee3956901d36a6ef94d63bb30a994a420c5473dfbb0db5c22fb7871d2c687b0a957d1f0d2e3633f0ec48f23afc33 |
C:\Users\Admin\AppData\Local\Temp\Retrive6903421082570798991.vbs
| MD5 | 3bdfd33017806b85949b6faa7d4b98e4 |
| SHA1 | f92844fee69ef98db6e68931adfaa9a0a0f8ce66 |
| SHA256 | 9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6 |
| SHA512 | ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429 |
C:\Users\Admin\AppData\Local\Temp\Retrive4673117272422881890.vbs
| MD5 | a32c109297ed1ca155598cd295c26611 |
| SHA1 | dc4a1fdbaad15ddd6fe22d3907c6b03727b71510 |
| SHA256 | 45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7 |
| SHA512 | 70372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887 |
C:\Users\Admin\AppData\Roaming\Oracle\bin\plugin2\msvcr100.dll
| MD5 | df3ca8d16bded6a54977b30e66864d33 |
| SHA1 | b7b9349b33230c5b80886f5c1f0a42848661c883 |
| SHA256 | 1d1a1ae540ba132f998d60d3622f0297b6e86ae399332c3b47462d7c0f560a36 |
| SHA512 | 951b2f67c2f2ef1cfcd4b43bd3ee0e486cdba7d04b4ea7259df0e4b3112e360aefb8dcd058becccacd99aca7f56d4f9bd211075bd16b28c2661d562e50b423f0 |
C:\Users\Admin\AppData\Roaming\Oracle\lib\deploy\messages_zh_TW.properties
| MD5 | 0547e7c8dade7157d58f6bf5e74bcce7 |
| SHA1 | f1ef0a100276e7d3adf38b9fbb802d12f4bb8d9f |
| SHA256 | 6953ed5729acafb594c9e81b970f946848453abc6033d4b5519870b58c72abac |
| SHA512 | b213982a0935465b8d468822912169457b60a55382eba7ee39c62be953512a2d524aa6d01953d05dab981b72c417e62bcdff661bac99534e54778f906ad44d6b |
C:\Users\Admin\AppData\Roaming\Oracle\lib\images\cursors\win32_CopyNoDrop32x32.gif
| MD5 | 1e9d8f133a442da6b0c74d49bc84a341 |
| SHA1 | 259edc45b4569427e8319895a444f4295d54348f |
| SHA256 | 1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b |
| SHA512 | 63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37 |
C:\Users\Admin\AppData\Roaming\Oracle\lib\zi\MET
| MD5 | df1d6d7601b75822e9cf454c03c583b6 |
| SHA1 | 966737a61ec5f9bcac90154389f5249ca6c0e1e2 |
| SHA256 | f3936669b75c67d577d93655b07629b30371aefd32845f69d7cef09b27409d8c |
| SHA512 | 50f1943794f84faa26ec8aa1175d98dac365ad3a48eda7b1899e57f1e7fe88365d595403131df926c0471900bf1dcf43f534c57bfb2fb33fe5a81870f4e103ba |
C:\Users\Admin\AppData\Roaming\Oracle\lib\zi\Etc\GMT
| MD5 | 7da9aa0de33b521b3399a4ffd4078bdb |
| SHA1 | f188a712f77103d544d4acf91d13dbc664c67034 |
| SHA256 | 0a526439ed04845ce94f7e9ae55c689ad01e1493f3b30c5c2b434a31fa33a43d |
| SHA512 | 9d2170571a58aed23f29fc465c2b14db3511e88907e017c010d452ecdf7a77299020d71f8b621a86e94dd2774a5418612d381e39335f92e287a4f451ee90cfb6 |
C:\Users\Admin\AppData\Roaming\Oracle\lib\zi\Etc\GMT+10
| MD5 | 715dc3fcec7a4b845347b628caf46c84 |
| SHA1 | 1b194cdd0a0dc5560680c33f19fc2e7c09523cd1 |
| SHA256 | 3144bc5353ebbd941cdccbbd9f5fb5a06f38abf5cc7b672111705c9778412d08 |
| SHA512 | 72ab4b4ad0990cce0723a882652bf4f37aac09b32a8dd33b56b1fbf25ac56ae054328909efd68c8243e54e449d845fb9d53dd95f47eaaf5873762fcd55a39662 |
C:\Users\Admin\AppData\Roaming\Oracle\lib\zi\Etc\GMT+2
| MD5 | e256eccde666f27e69199b07497437b2 |
| SHA1 | b2912c99ee4dff27ab1e3e897a31fc8f0cfcf5d7 |
| SHA256 | 9e971632a3e9860a15af04efec3a9d5af9e7220cd4a731c3d9262d00670496a5 |
| SHA512 | 460a225678c59a0259edef0c2868a45140ce139a394a00f07245cc1c542b4a74ff6fe36248f2fccc91a30d0a1d59d4ebcc497d6d3c31afad39934463f0496ee4 |
C:\Users\Admin\AppData\Roaming\Oracle\lib\zi\Etc\GMT+7
| MD5 | 11f8e73ad57571383afa5eaf6bc0456a |
| SHA1 | 65a736dddd8e9a3f1dd6fbe999b188910b5f7931 |
| SHA256 | 0e6a7f1ab731ae6840eacc36b37cbe3277a991720a7c779e116ab488e0eeed4e |
| SHA512 | 578665a0897a2c05eda59fb6828f4a9f440fc784059a5f97c8484f164a5fcec95274159c6ff6336f4863b942129cb884110d14c9bd507a2d12d83a4e17f596d2 |
C:\Users\Admin\AppData\Roaming\Oracle\lib\zi\Etc\GMT+5
| MD5 | a2abe32f03e019dbd5c21e71cc0f0db9 |
| SHA1 | 25b042eb931fff4e815adcc2ddce3636debf0ae1 |
| SHA256 | 27ba8b5814833b1e8e8b5d08246b383cb8a5fb7e74e237cdbcadf320e882ab78 |
| SHA512 | 197c065b9c17c6849a15f45ac69dafa68aaa0b792219fedb153d146f23997bfa4fbc4127b1d030a92a4d7103bded76a1389df715b9539ea23ea21e6a4bb65fb2 |
C:\Users\Admin\AppData\Roaming\Oracle\lib\zi\Indian\Christmas
| MD5 | 02bc5aaee85e8b96af646d479bb3307c |
| SHA1 | 1bf41be125fe8058d5999555add1ea2a83505e72 |
| SHA256 | e8d8d94f0a94768716701faa977a4d0d6ef93603de925078822f5c7a89cc8fca |
| SHA512 | e01d82ac33729e7ee14516f5d9ff753559f73143c7aa8a25ed4cc65b59dc364b1a020bc28427f8ec43fec8ef139cf30b09e492d77f15d7b09ae83240cdf8bc14 |
C:\Users\Admin\AppData\Roaming\Oracle\lib\zi\Pacific\Port_Moresby
| MD5 | ab2fd12cd39fd03d4a2aef0378c5265c |
| SHA1 | 4a75ef59534203a4f19ea1e675b442c003d5b2f4 |
| SHA256 | df69a28476e88043eba1f893859d5ebf8a8d5f4f5a3696e0e0d3aa0fe6701720 |
| SHA512 | a82567f84dd4300733cd233d1b8fd781e73eaf62f2f6d5e33a4129418d9b0dfc1001e1fa3deeed9a8129acd0ecc0e1153bfb154f93f26a4ca484c04e753808bf |
C:\Users\Admin\AppData\Roaming\Oracle\lib\zi\SystemV\AST4
| MD5 | 090c3805a378e5c6f9170de1f08505a0 |
| SHA1 | b462772078f0264c175f7c9998a8e39d6e4bcc64 |
| SHA256 | 4ddfc9ed251c2298e6fca3a0742de925442d9164ba230d28e869097d27b74415 |
| SHA512 | 67e57206bff887539568596789c8d77bbb843a97a8ea2ae373225ad4c4fd185b6e602d9b171232a2b8811f2911778b9152ba08daac355e7eeb2e1558b1555763 |
C:\Users\Admin\AppData\Roaming\Oracle\lib\zi\SystemV\CST6
| MD5 | 37e9ac1310a963cd36e478a2b59160f8 |
| SHA1 | 1406eaa01d4eea3b26054871f7d738e4630500e9 |
| SHA256 | 04c9e4b0f69a155074b9ff26351265f78090c7ea2f23c5593b7130b4eb1e5e32 |
| SHA512 | 0ccc4e958bd34c2a28dca7b9fc3e9ca018ffc6c54d0f24e3db40e86f0bfc5a232228288cce38350bf8140b98c74658d2616e2ef15b2a085a590711cf975982e1 |
C:\Users\Admin\AppData\Roaming\Oracle\lib\zi\SystemV\PST8
| MD5 | f49040ffcebf951b752c194a42ed775e |
| SHA1 | 4632642740c1db115843409f0bc32b9ca8d834d7 |
| SHA256 | 7422b2a82603f03d711b7ac7a9bebe5d1e4d9307cd283ce3d2714af46362f934 |
| SHA512 | f7be16b8418f2d57132ccd6b65f40296c80aa2d34634dee839eb2b50c45cb511db1135f8816956bfa90f4f0ca298909adf70787cd8c9e30c894e836f32ef5ed6 |
C:\Users\Admin\AppData\Roaming\Oracle\lib\zi\SystemV\YST9
| MD5 | 4fae101fead3cd098a57d1715ca79a97 |
| SHA1 | f0a556f72dea44bd4065cb874398994005bc5237 |
| SHA256 | fbc6ae3bcdbdd8c91acc153bde0862d443afd70b211404879c36045442524b56 |
| SHA512 | c9d2e4c94b8b0e87b251cc22b8e96799268545e73a9ba3cde726ac0797d6c3288344615bcf30fbe8135e7ddb8d429958357b1ba03a7e953a2c7c8eac3c5dde8f |
C:\Windows\System32\test.txt
| MD5 | d41d8cd98f00b204e9800998ecf8427e |
| SHA1 | da39a3ee5e6b4b0d3255bfef95601890afd80709 |
| SHA256 | e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 |
| SHA512 | cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e |
These are the digests of zero-byte input: the file was created empty in System32 at this point and only later rewritten with content (see the two further test.txt entries below, which carry different hashes).
memory/2852-1798-0x0000000000150000-0x0000000000151000-memory.dmp
C:\Users\Admin\YzQqKjGoxHz\ID.txt
| MD5 | ae6d52084af21f781436303af5e90f87 |
| SHA1 | 6c2f51f40474e89da9447329bfd7f9c37b3e5937 |
| SHA256 | 7a75d2c3e885fcad2212c3b2f7581598c07ef62088ac934c047dcd92ee37c641 |
| SHA512 | b41726a1b388b0a940b6ddc23e4565f840ffae5ee4369b26fa4a7159bbbdb2779e815ba96ee1475eaa0e174b3373997764244be31cf63a850642354d10585a30 |
memory/2648-1809-0x0000000000440000-0x0000000000441000-memory.dmp
memory/2648-1810-0x0000000002600000-0x0000000002870000-memory.dmp
memory/2852-1828-0x0000000000150000-0x0000000000151000-memory.dmp
memory/2192-1836-0x0000000000540000-0x0000000000541000-memory.dmp
C:\Windows\System32\test.txt
| MD5 | c8a25ac73f53e87860f38d4be3bf4400 |
| SHA1 | f6c296bb8af3f9cf9d0e60827743152dcb4025fd |
| SHA256 | 3c8f56451e150c2abab00a91c539f3c8c272f97df7e005556fe1f5b2cd895e87 |
| SHA512 | 9c7af40ef68010543ef70b007b7a5d11e362a869837a36e51c4af9d4dceac6c4533062c6c5d6614a3b080ce20975763e5637348ab0eb2fb77960aaae6389d6ce |
C:\Windows\System32\test.txt
| MD5 | 94eb3aa29c8000a0250c8c8b65ff6062 |
| SHA1 | 0ddff1695b2d7a3841dee8c61160e8e8227a0388 |
| SHA256 | 573b1e26a2d085cb09eeccfbd9e7134f613c90a169b98f0f118fd6403cf66e61 |
| SHA512 | e60bc784024da13950bb291f05925d1ff2201e00ae1696073c9ba1c07b0c894a39424291ca74675a95ee31be6b38ff587346cf1bb80aad1a3eeebce3860d1239 |
C:\Users\Admin\fUTkALeaTxM\ID.txt
| MD5 | 517926c91a070cedc956664a9cd61343 |
| SHA1 | 70235bec4afcf53894952c34665d5f8eeea35dec |
| SHA256 | 9c546fc5ef0195b57b98e79ac39f7f9fdb5b85c1b32f23877ecee6d03282f4ca |
| SHA512 | 1a3b75350596f24a38fa283d08de977d58e30fe9472e1edff227e03f9d8da202dffdd4ce0bcbc2546f9efc953119f712c1acf7a97689d0891536fe680bc929b4 |
memory/2192-1856-0x0000000000540000-0x0000000000541000-memory.dmp
memory/2852-1865-0x0000000000150000-0x0000000000151000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\AxDJOUoPAw2188152387046136684.reg
| MD5 | df81a7fdcd0204fa97abdd3073ef324d |
| SHA1 | 37215c91b214c53947d599c2d6f6cd4baaf48418 |
| SHA256 | fbac890dd2127e767cf3d3de4a46eef2dc65e5a12b1d7ad0a1fb7a87582dce45 |
| SHA512 | 0a1657a265777a5feba78a1d9037be5fe5b081400826af31933eadf81c1ee3d4031f14ac5bf89f638804fac04bc9be240027b5980fa4236fede6156f148fd5f4 |
memory/2852-1869-0x0000000000150000-0x0000000000151000-memory.dmp
memory/2572-1871-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2192-1873-0x0000000000540000-0x0000000000541000-memory.dmp
memory/2852-1886-0x0000000002620000-0x0000000002890000-memory.dmp
memory/2192-1891-0x0000000000540000-0x0000000000541000-memory.dmp
memory/2192-1904-0x0000000000540000-0x0000000000541000-memory.dmp
memory/2572-1906-0x0000000000230000-0x0000000000231000-memory.dmp
memory/2192-1910-0x0000000000540000-0x0000000000541000-memory.dmp
memory/2192-1913-0x0000000000540000-0x0000000000541000-memory.dmp
memory/2192-1922-0x0000000000540000-0x0000000000541000-memory.dmp
C:\Users\Admin\Desktop\META-INF\MANIFEST.MF
| MD5 | 856dc76e591afb2bd7db34e67906fb6f |
| SHA1 | df744741678e18e997ed7a372e8f6150e7a096d4 |
| SHA256 | f8af358f2633bd53928b664b6ef6c55d309c14f9021854ca852a8ca4e427a070 |
| SHA512 | dfb08b4cb1c8ee69d191ba032b5d4944698c3c811c0d201f06c60039d6a1038f136f25bee6b54f00d9dcea60b5de8ea05842a99697cb075c4ff61973e0d5c1b2 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-08 09:57
Reported
2024-11-08 09:59
Platform
win10v2004-20241007-en
Max time kernel
150s
Max time network
149s
Command Line
Signatures
AdWind
Adwind family
Disables use of System Restore points
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSUAService.exe\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\editcap.exe\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CisTray.exe | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\econceal.exe | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVKService.exe | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\iptray.exe | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7RTScan.exe | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7FWSrvc.exe | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SASCore64.exe | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MCShieldCCC.exe\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fmon.exe\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FSMA32.EXE | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\freshclam.exe\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nseupdatesvc.exe\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SBAMTray.exe | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FortiFW.exe\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MWASER.EXE | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDSC.exe\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\zlhh.exe\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AgentSvc.exe\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserReg.exe | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BullGuarScanner.exe | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scproxysrv.exe\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uiSeAgnt.exe | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fshoster32.exe | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SDWelcome.exe\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fmon.exe | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FortiClient_Diagnostic_Tool.exe | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\escanpro.exe | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7FWSrvc.exe\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nseupdatesvc.exe | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Zanda.exe\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\QUHLPSVC.EXE | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mergecap.exe\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BullGuardBhvScanner.exe | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\dragon_updater.exe | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDScan.exe | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVKWCtlx64.exe | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardxkickoff_x64.exe\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\utsvc.exe\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FortiClient.exe\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fshoster32.exe\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7TSMain.exe | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MCShieldRTM.exe\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mergecap.exe | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FortiESNAC.exe | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\psview.exe | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PtSvcHost.exe | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\twsscan.exe\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TRAYSSER.EXE | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FSHDLL64.exe | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7EmlPxy.EXE | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\V3SP.exe\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\V3Medic.exe\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BullGuardBhvScanner.exe\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scproxysrv.exe | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uiWinMgr.exe\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\VIPREUI.exe | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SBAMSvc.exe\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\schmgr.exe\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TRAYICOS.EXE\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Oracle\bin\java.exe | N/A |
Loads dropped DLL
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XOsqeoTBnpF = "\"C:\\Users\\Admin\\AppData\\Roaming\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\YzQqKjGoxHz\\LyOCtxhwRyz.yrDUql\"" | C:\Windows\SYSTEM32\reg.exe | N/A |
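Two registry techniques appear in this run: the IFEO table above, where regedit.exe imports a .reg file that sets Debugger = "svchost.exe" under dozens of security-product image names (K7, SUPERAntiSpyware, Trend Micro, Fortinet, G DATA, VIPRE, Process Explorer and Wireshark's capinfos/editcap/mergecap among them), and the Run key, where reg.exe registers the dropped javaw.exe with a -jar payload whose extension is not .jar. Windows honours the Debugger value by starting that program with the original image's command line appended, so any attempt to launch, say, PSUAService.exe instead runs svchost.exe with a path argument it does not understand, and svchost.exe exits: the product is silenced without a driver or an exploit, and it stays silenced across reboots. The Python below is an added example, not the sandbox's own code: it parses indicator rows in the report's table format, separates key creations from Debugger assignments, decodes the report's escaped string data, and flags both the hijacks and the persistence command. The rows are copied from the tables on this page; the allow-list of legitimate debuggers is an assumption.

```python
"""Triage registry indicators from the sandbox report: IFEO Debugger hijacks
and Run-key persistence.

Added example, not part of the sandbox output. SAMPLE_ROWS is copied from
the tables on this page; KNOWN_DEBUGGERS is an assumed allow-list."""
import re
from collections import defaultdict

SAMPLE_ROWS = r"""
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSUAService.exe\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CisTray.exe | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe\debugger = "svchost.exe" | C:\Windows\regedit.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\XOsqeoTBnpF = "\"C:\\Users\\Admin\\AppData\\Roaming\\Oracle\\bin\\javaw.exe\" -jar \"C:\\Users\\Admin\\YzQqKjGoxHz\\LyOCtxhwRyz.yrDUql\"" | C:\Windows\SYSTEM32\reg.exe | N/A |
"""

# Assumption: programs that legitimately appear as an IFEO Debugger value.
KNOWN_DEBUGGERS = {"vsjitdebugger.exe", "windbg.exe", "cdb.exe", "ntsd.exe"}

IFEO_RE = re.compile(
    r"\\Image File Execution Options\\(?P<image>[^\\]+)"
    r"(?:\\(?P<value>[^\\=]+?)\s*=\s*(?P<data>.*))?$",
    re.IGNORECASE,
)
RUN_RE = re.compile(r"\\CurrentVersion\\Run\\(?P<name>[^\\=]+?)\s*=\s*(?P<data>.*)$", re.IGNORECASE)
CMD_TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')  # quoted or bare argv tokens


def parse_rows(table_text):
    """Yield one dict per 4-column indicator row of the report's table."""
    for line in table_text.splitlines():
        line = line.strip()
        if not line.startswith("|"):
            continue
        cells = [c.strip() for c in line.strip("|").split(" | ")]
        if len(cells) != 4 or cells[0] == "Description":
            continue
        yield dict(zip(("description", "indicator", "process", "target"), cells))


def unescape_reg_string(data):
    """Undo the report's C-style quoting: outer "...", with \\" and \\\\ inside."""
    data = data.strip()
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        data = data[1:-1]
    out, i = [], 0
    while i < len(data):
        if data[i] == "\\" and i + 1 < len(data) and data[i + 1] in '"\\':
            out.append(data[i + 1])
            i += 2
        else:
            out.append(data[i])
            i += 1
    return "".join(out)


def classify(rows):
    """Split rows into IFEO state per image and decoded Run-key entries."""
    ifeo = defaultdict(dict)      # image (lower) -> {"key_created": True, "debugger": str}
    run_entries = []              # (value name, decoded command line)
    for row in rows:
        ind = row["indicator"]
        m = IFEO_RE.search(ind)
        if m:
            entry = ifeo[m.group("image").lower()]
            if m.group("value") is None:
                entry["key_created"] = True
            elif m.group("value").lower() == "debugger":
                entry["debugger"] = unescape_reg_string(m.group("data"))
            continue
        m = RUN_RE.search(ind)
        if m:
            run_entries.append((m.group("name"), unescape_reg_string(m.group("data"))))
    return ifeo, run_entries


def ifeo_hijacks(ifeo):
    """Images whose Debugger is not a real debugger. CreateProcess runs the
    Debugger value with the original command line appended, so a Debugger
    of svchost.exe means the product's process never actually starts."""
    findings = []
    for image, entry in sorted(ifeo.items()):
        dbg = entry.get("debugger")
        if not dbg:
            continue
        dbg_name = dbg.split("\\")[-1].split()[0].strip('"').lower()
        if dbg_name not in KNOWN_DEBUGGERS:
            findings.append((image, dbg))
    return findings


def run_key_findings(run_entries):
    """Decode each Run value into argv and flag a user-profile launcher and a
    -jar payload that is not named *.jar (both true for this sample)."""
    findings = []
    for name, cmd in run_entries:
        argv = [a or b for a, b in CMD_TOKEN_RE.findall(cmd)]
        launcher = argv[0] if argv else ""
        jar = argv[argv.index("-jar") + 1] if "-jar" in argv[:-1] else None
        findings.append({
            "name": name,
            "launcher": launcher,
            "jar": jar,
            "launcher_in_user_profile": "\\appdata\\" in launcher.lower(),
            "payload_not_named_jar": bool(jar) and not jar.lower().endswith(".jar"),
        })
    return findings


if __name__ == "__main__":
    ifeo, runs = classify(parse_rows(SAMPLE_ROWS))
    for image, dbg in ifeo_hijacks(ifeo):
        print(f"IFEO hijack: {image} -> {dbg}")
    for f in run_key_findings(runs):
        print("Run persistence:", f)
```

Remediation follows from the same parse: delete the Debugger value (or the whole IFEO subkey when the sample created it) for every flagged image, remove the Run value, and only then expect the killed products to start again; removing the Run value alone leaves the products dead on the next boot.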
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\System32\test.txt | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
| File opened for modification | C:\Windows\System32\test.txt | C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe | N/A |
| File opened for modification | C:\Windows\System32\test.txt | C:\Users\Admin\AppData\Roaming\Oracle\bin\java.exe | N/A |
Kills process with taskkill
Modifies registry key
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\reg.exe | N/A |
Runs .reg file with regedit
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\regedit.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Windows\SYSTEM32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SYSTEM32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SYSTEM32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SYSTEM32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SYSTEM32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SYSTEM32\taskkill.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SYSTEM32\taskkill.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe | N/A |
| N/A | N/A | C:\Program Files\Java\jre-1.8\bin\java.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Oracle\bin\java.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SYSTEM32\attrib.exe | N/A |
Processes
C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe
java -jar C:\Users\Admin\AppData\Local\Temp\3e870fc6e63c5d95f35da8d12eed189103a3df2c5d2a8d0b558ad869de492fe4.jar
C:\Program Files\Java\jre-1.8\bin\java.exe
"C:\Program Files\Java\jre-1.8\bin\java.exe" -jar C:\Users\Admin\AppData\Local\Temp\_0.015652955481863746979441164851194721.class
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive2396364576714706083.vbs
C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive2396364576714706083.vbs
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive8150298353504462356.vbs
C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive8150298353504462356.vbs
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive8171410882644951689.vbs
C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive8171410882644951689.vbs
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive9100650302208534954.vbs
C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive9100650302208534954.vbs
C:\Windows\SYSTEM32\xcopy.exe
xcopy "C:\Program Files\Java\jre-1.8" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
C:\Windows\SYSTEM32\xcopy.exe
xcopy "C:\Program Files\Java\jre-1.8" "C:\Users\Admin\AppData\Roaming\Oracle\" /e
C:\Windows\SYSTEM32\cmd.exe
cmd.exe
C:\Windows\SYSTEM32\reg.exe
reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v XOsqeoTBnpF /t REG_EXPAND_SZ /d "\"C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe\" -jar \"C:\Users\Admin\YzQqKjGoxHz\LyOCtxhwRyz.yrDUql\"" /f
C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\Users\Admin\YzQqKjGoxHz\*.*"
C:\Windows\SYSTEM32\attrib.exe
attrib +h "C:\Users\Admin\YzQqKjGoxHz"
C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe
C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe -jar C:\Users\Admin\YzQqKjGoxHz\LyOCtxhwRyz.yrDUql
C:\Users\Admin\AppData\Roaming\Oracle\bin\java.exe
C:\Users\Admin\AppData\Roaming\Oracle\bin\java.exe -jar C:\Users\Admin\AppData\Local\Temp\_0.25943524112364767455345351514092004.class
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3272573388731011785.vbs
C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive3272573388731011785.vbs
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7463940435350641692.vbs
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1528592470607422416.vbs
C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive7463940435350641692.vbs
C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive1528592470607422416.vbs
C:\Windows\SYSTEM32\cmd.exe
cmd.exe
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /C cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive481822443855992504.vbs
C:\Windows\system32\cscript.exe
cscript.exe C:\Users\Admin\AppData\Local\Temp\Retrive481822443855992504.vbs
C:\Windows\SYSTEM32\cmd.exe
cmd.exe
C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c regedit.exe /s C:\Users\Admin\AppData\Local\Temp\UrLXdcUYqS2901231529601930366.reg
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM procexp.exe /T /F
C:\Windows\regedit.exe
regedit.exe /s C:\Users\Admin\AppData\Local\Temp\UrLXdcUYqS2901231529601930366.reg
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM MSASCui.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM MsMpEng.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM MpUXSrv.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM MpCmdRun.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM NisSrv.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM ConfigSecurityPolicy.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM procexp.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM wireshark.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM tshark.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM text2pcap.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM rawshark.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM mergecap.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM editcap.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM dumpcap.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM capinfos.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM mbam.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM mbamscheduler.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM mbamservice.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM AdAwareService.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM AdAwareTray.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM WebCompanion.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM AdAwareDesktop.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM V3Main.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM V3Svc.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM V3Up.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM V3SP.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM V3Proxy.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM V3Medic.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM BgScan.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM BullGuard.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM BullGuardBhvScanner.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM BullGuarScanner.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM LittleHook.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM BullGuardUpdate.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM clamscan.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM ClamTray.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM ClamWin.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM cis.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM CisTray.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM cmdagent.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM cavwp.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM dragon_updater.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM MWAGENT.EXE /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM MWASER.EXE /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM CONSCTLX.EXE /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM avpmapp.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM econceal.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM escanmon.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM escanpro.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM TRAYSSER.EXE /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM TRAYICOS.EXE /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM econser.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM VIEWTCP.EXE /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM FSHDLL64.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM fsgk32.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM fshoster32.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM FSMA32.EXE /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM fsorsp.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM fssm32.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM FSM32.EXE /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM trigger.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM FProtTray.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM FPWin.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM FPAVServer.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM AVK.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM GdBgInx64.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM AVKProxy.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM GDScan.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM AVKWCtlx64.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM AVKService.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM AVKTray.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM GDKBFltExe32.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM GDSC.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM virusutilities.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM guardxservice.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM guardxkickoff_x64.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM iptray.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM freshclam.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM freshclamwrap.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM K7RTScan.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM K7FWSrvc.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM K7PSSrvc.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM K7EmlPxy.EXE /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM K7TSecurity.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM K7AVScan.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM K7CrvSvc.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM K7SysMon.Exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM K7TSMain.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM K7TSMngr.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM nanosvc.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM nanoav.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM nnf.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM nvcsvc.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM nbrowser.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM nseupdatesvc.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM nfservice.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM nwscmon.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM njeeves2.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM nvcod.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM nvoy.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM zlhh.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM Zlh.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM nprosec.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM Zanda.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM NS.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM acs.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM op_mon.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM PSANHost.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM PSUAMain.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM PSUAService.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM AgentSvc.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM BDSSVC.EXE /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM EMLPROXY.EXE /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM OPSSVC.EXE /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM ONLINENT.EXE /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM QUHLPSVC.EXE /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM SAPISSVC.EXE /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM SCANNER.EXE /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM SCANWSCS.EXE /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM scproxysrv.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM ScSecSvc.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM SUPERAntiSpyware.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM SASCore64.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM SSUpdate64.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM SUPERDelete.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM SASTask.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM K7RTScan.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM K7FWSrvc.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM K7PSSrvc.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM K7EmlPxy.EXE /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM K7TSecurity.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM K7AVScan.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM K7CrvSvc.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM K7SysMon.Exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM K7TSMain.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM K7TSMngr.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM uiWinMgr.exe /T /F
C:\Windows\SYSTEM32\taskkill.exe
taskkill /IM uiWatchDog.exe /T /F
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:7777 | N/A | tcp |
| US | 154.16.220.106:20901 | N/A | tcp |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\_0.015652955481863746979441164851194721.class
| MD5 | 781fb531354d6f291f1ccab48da6d39f |
| SHA1 | 9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68 |
| SHA256 | 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9 |
| SHA512 | 3e6630f5feb4a3eb1dac7e9125ce14b1a2a45d7415cf44cea42bc51b2a9aa37169ee4a4c36c888c8f2696e7d6e298e2ad7b2f4c22868aaa5948210eb7db220d8 |
C:\ProgramData\Oracle\Java\.oracle_jre_usage\3903daac9bc4a3b7.timestamp
| MD5 | 7c905916dabfb51ebe0793ed24d4f6f0 |
| SHA1 | 2569fb3e324a2ca917e863bfd25ee8fdf40715d8 |
| SHA256 | 12d410511da0a59fe26abbde579da6e01774c7a491e6f685799f32aa9ad3d716 |
| SHA512 | 0334f8a35eeb7047d7cb58b8872ac84831a586888d0bee71e83e08c7bcbe4db366ebf8500966011ff26e42d1cd1db29dfd4be552a32fa17511335a3710f74a98 |
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-4089630652-1596403869-279772308-1000\83aa4cc77f591dfc2374580bbd95f6ba_dc5cddf5-9e4b-4c89-ba53-89649a7a5ee7
| MD5 | c8366ae350e7019aefc9d1e6e6a498c6 |
| SHA1 | 5731d8a3e6568a5f2dfbbc87e3db9637df280b61 |
| SHA256 | 11e6aca8e682c046c83b721eeb5c72c5ef03cb5936c60df6f4993511ddc61238 |
| SHA512 | 33c980d5a638bfc791de291ebf4b6d263b384247ab27f261a54025108f2f85374b579a026e545f81395736dd40fa4696f2163ca17640dd47f1c42bc9971b18cd |
C:\Users\Admin\AppData\Local\Temp\Retrive2396364576714706083.vbs
| MD5 | 3bdfd33017806b85949b6faa7d4b98e4 |
| SHA1 | f92844fee69ef98db6e68931adfaa9a0a0f8ce66 |
| SHA256 | 9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6 |
| SHA512 | ae5e5686ae71edef53e71cd842cb6799e4383b9c238a5c361b81647efa128d2fedf3bf464997771b5b0c47a058fecae7829aeedcd098c80a11008581e5781429 |
C:\Users\Admin\AppData\Local\Temp\Retrive8171410882644951689.vbs
| MD5 | a32c109297ed1ca155598cd295c26611 |
| SHA1 | dc4a1fdbaad15ddd6fe22d3907c6b03727b71510 |
| SHA256 | 45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7 |
| SHA512 | 70372552dc86fe02ece9fe3b7721463f80be07a34126b2c75b41e30078cda9e90744c7d644df623f63d4fb985482e345b3351c4d3da873162152c67fc6ecc887 |
C:\Users\Admin\AppData\Roaming\Oracle\bin\plugin2\msvcp140.dll
| MD5 | bf78c15068d6671693dfcdfa5770d705 |
| SHA1 | 4418c03c3161706a4349dfe3f97278e7a5d8962a |
| SHA256 | a88b8c1c8f27bf90fe960e0e8bd56984ad48167071af92d96ec1051f89f827fb |
| SHA512 | 5b6b0ab4e82cc979eaa619d387c6995198fd19aa0c455bef44bd37a765685575d57448b3b4accd70d3bd20a6cd408b1f518eda0f6dae5aa106f225bee8291372 |
C:\Users\Admin\AppData\Roaming\Oracle\bin\plugin2\vcruntime140_1.dll
| MD5 | fcda37abd3d9e9d8170cd1cd15bf9d3f |
| SHA1 | b23ff3e9aa2287b9c1249a008c0ae06dc8b6fdf2 |
| SHA256 | 0579d460ea1f7e8a815fa55a8821a5ff489c8097f051765e9beaf25d8d0f27d6 |
| SHA512 | de8be61499aaa1504dde8c19666844550c2ea7ef774ecbe26900834b252887da31d4cf4fb51338b16b6a4416de733e519ebf8c375eb03eb425232a6349da2257 |
C:\Users\Admin\AppData\Roaming\Oracle\bin\plugin2\vcruntime140.dll
| MD5 | 7415c1cc63a0c46983e2a32581daefee |
| SHA1 | 5f8534d79c84ac45ad09b5a702c8c5c288eae240 |
| SHA256 | 475ab98b7722e965bd38c8fa6ed23502309582ccf294ff1061cb290c7988f0d1 |
| SHA512 | 3d4b24061f72c0e957c7b04a0c4098c94c8f1afb4a7e159850b9939c7210d73398be6f27b5ab85073b4e8c999816e7804fef0f6115c39cd061f4aaeb4dcda8cf |
C:\Users\Admin\AppData\Roaming\Oracle\lib\deploy\messages_zh_TW.properties
| MD5 | 880baacb176553deab39edbe4b74380d |
| SHA1 | 37a57aad121c14c25e149206179728fa62203bf0 |
| SHA256 | ff4a3a92bc92cb08d2c32c435810440fd264edd63e56efa39430e0240c835620 |
| SHA512 | 3039315bb283198af9090bd3d31cfae68ee73bc2b118bbae0b32812d4e3fd0f11ce962068d4a17b065dab9a66ef651b9cb8404c0a2defce74bb6b2d1d93646d5 |
C:\Users\Admin\AppData\Roaming\Oracle\lib\images\cursors\win32_CopyNoDrop32x32.gif
| MD5 | 1e9d8f133a442da6b0c74d49bc84a341 |
| SHA1 | 259edc45b4569427e8319895a444f4295d54348f |
| SHA256 | 1a1d3079d49583837662b84e11d8c0870698511d9110e710eb8e7eb20df7ae3b |
| SHA512 | 63d6f70c8cab9735f0f857f5bf99e319f6ae98238dc7829dd706b7d6855c70be206e32e3e55df884402483cf8bebad00d139283af5c0b85dc1c5bf8f253acd37 |
C:\Users\Admin\AppData\Local\Temp\m17310598317653857273158407131494.tmp
| MD5 | d7b748b5346a8b6205a14d844ea6d772 |
| SHA1 | bd510094dfec91e4df081d0e71137585b6987d58 |
| SHA256 | efa63e073a926298e0e3b40ce400c23ef3625b346ee6116ad7e0da2b723d049b |
| SHA512 | 8a9efedef8be4ac5c53e85798b1be0ce9944ee3956901d36a6ef94d63bb30a994a420c5473dfbb0db5c22fb7871d2c687b0a957d1f0d2e3633f0ec48f23afc33 |
C:\Users\Admin\AppData\Roaming\Oracle\bin\verify.dll
| MD5 | 82bb3a2292372acbf8bb25e30a3e169c |
| SHA1 | c09c134561213cd67c670f60a2c52cf947e51a74 |
| SHA256 | 9c99e6591c73eda0dfd6bb9a55d0a175cf5bdb583115477cedc627fd793c3deb |
| SHA512 | db4802fe0e3a6dc1678765af559e9c1f6e8639dd5c7c8f18f08296b1b4d15cfe748e391459253a3dde0ca2bda74c6772af262e5b194c78c6bdefbcc2c5377db7 |
C:\Users\Admin\AppData\Roaming\Oracle\lib\meta-index
| MD5 | 91aa6ea7320140f30379f758d626e59d |
| SHA1 | 3be2febe28723b1033ccdaa110eaf59bbd6d1f96 |
| SHA256 | 4af21954cdf398d1eae795b6886ca2581dac9f2f1d41c98c6ed9b5dbc3e3c1d4 |
| SHA512 | 03428803f1d644d89eb4c0dcbdea93acaac366d35fc1356ccabf83473f4fef7924edb771e44c721103cec22d94a179f092d1bfd1c0a62130f076eb82a826d7cb |
C:\Users\Admin\AppData\Roaming\Oracle\lib\jfr.jar
| MD5 | 530b1ee313390d5d51ae8f5aa0be9070 |
| SHA1 | d5de5ee8bd7275b5b20f466ba0869251679b24b3 |
| SHA256 | bded3bbadd255c856ed7fb9900cbf0445e980a669a3aa043cf095e18539eb48f |
| SHA512 | 50671ca7de240c38921849304ae482a52ae481d0ff5a2f02aef90c20b9f49842bf2ea32b9caabde57a955b8d638a017b6b3cdd662b679a2d743e029f97b88937 |
C:\Users\Admin\AppData\Roaming\Oracle\lib\charsets.jar
| MD5 | bfdb22624544f02100cd37cff954f64c |
| SHA1 | f699b290845f487cb7050d41a83b85446ea202b1 |
| SHA256 | 04a6bc7af4d41fda5ca6c7584df50c5d0881fada89b4788e8ee4e5919345f143 |
| SHA512 | 70c5f501c5e1cc67341bb3f4d190179a79fb8bee7292ff8cca0749368ae4475387ce121e8d33adc7e4e6fad5a10eab378fff17e3da0422d4cca0837c95574b95 |
C:\Users\Admin\YzQqKjGoxHz\ID.txt
| MD5 | 1150351400d7ee985fd0335987c77bd6 |
| SHA1 | bd0cfc16d55ebe7fdb80c72e8122c1f574f918ca |
| SHA256 | b5db6bcf5378676b17c0011eccb4ed69cfada073bd57e87d0202e78255b12f0c |
| SHA512 | 77ff90f5e7895c10406f468b4c6d2a437844ab5feec01c9b8ffb749f4b4d7a41ced4ff494d528bd6426ea8ee3b4dd9749a37c4e1b9ab3c160bbf9414b50db6f6 |
C:\Users\Admin\AppData\Roaming\Oracle\lib\ext\meta-index
| MD5 | 005faac2118450bfcd46ae414da5f0e5 |
| SHA1 | 9f5c887e0505e1bb06bd1fc7975a3219709d061d |
| SHA256 | f0bce718f8d2b38247ce0ac814a1470c826602f4251d86369c2359ff60676bd8 |
| SHA512 | 8b618c74b359ab3c9d3c8a4864f8e48fe4054514a396352a829a84c9b843a2028c6c31eb53e857e03c803294e05f69c5bf586e261312264e7607b2efd14f78a9 |
C:\Users\Admin\AppData\Roaming\Oracle\lib\jce.jar
| MD5 | e0b7e0f36b9fc43d13403145db82e758 |
| SHA1 | def42078cfa315e98393c69963efb4e35e2e28a8 |
| SHA256 | 4362c179bb78107777d6a0557693e65eb2b318c26642162f89509dfdab8c97fe |
| SHA512 | 5074a7ceb9621096f3bbf419d32ac260ea6d9d09c758544c2761121026c2b9db0b6617806d3b692347b685d541123f4eda99dcbaa29d9c9a2d740b22c44bf7bb |
C:\Users\Admin\AppData\Roaming\Oracle\lib\jsse.jar
| MD5 | 01408480f5c65da8c74ecfde0eed1a72 |
| SHA1 | 2f1cb5df6d4879de8b0827d160e9bb281f829a3a |
| SHA256 | fffafe7e2bacef79280a4565b5d1075320a8ec38dff7978c8fe6c033b6df49d0 |
| SHA512 | ae585f4825073da19f611bb7d11a1d075b4998bc3f7d53a67cdba778e0729e0b5134ce8fc49897f67d39e46f1209524ab53ab4551defc6a4127012e332f15d61 |
C:\Users\Admin\AppData\Roaming\Oracle\lib\resources.jar
| MD5 | c5152884c2676dd45109cfeba088a549 |
| SHA1 | 8fe4fd1980bdc4139491b0dd963eb830b70bb8d6 |
| SHA256 | 65a6d0d74b193af857dd5252d59e8bf9214ddb360b26c1da816b029bf0cf208c |
| SHA512 | ed8d4777609024960a7037f42937de41c434df4ff7062b43f03f0060e326bdef7917e941c9d3db5a8ec7a65f4890ef3dd53c87401f9568e6f068f2930d558e61 |
C:\Users\Admin\AppData\Roaming\Oracle\bin\zip.dll
| MD5 | 0d56a7ff632826362768b3edd5e5174f |
| SHA1 | 8b96856f8fe3175039d1a7cf3ac0910467844a08 |
| SHA256 | 27cf17beab60d7f9a62aac7622eefa06eee78796db585f9ae5d3a5b5022d56a9 |
| SHA512 | b4fe51874b9ba7a2325ae3c0b96f32065f7cee7c846a9028495070f1f91cedd9445cb91248acd1ec134a72b2c07e49afcaef01b58af1dfb0ff417033c2d0e595 |
C:\Users\Admin\AppData\Roaming\Oracle\bin\java.dll
| MD5 | 4e6dfd5867f4cea96dad1d59a0ca43fe |
| SHA1 | 6a08abc0b5a2cab00eb6d7543c661aa6620890a1 |
| SHA256 | 179df744661b659d50fd6943834d81476287c2075448d2dc783fb32c69a00e54 |
| SHA512 | 2565197c75eca66600a530aa6b033d4985fcb05edf73e096ebba37f06016e6ae5c4fc516a182bf674ff18e3f3b031353c9ff187a6b8804058b5d2b47c914e60b |
C:\Users\Admin\AppData\Roaming\Oracle\bin\server\jvm.dll
| MD5 | dceeb4fb6af9bb2ea7a2eed1d921afb5 |
| SHA1 | af1463a499f7d6eed5efcb9c9515e82335e9c1b6 |
| SHA256 | 6707043f0b609a0b3677cd11f6526d8ecfcbeab079a394019d648c9039e7da21 |
| SHA512 | e4688d2264dda88e90beeb394adc48064012ed458ab9015ecef744a86ab76b4f65845f77a3d02b131aa5c342e6a572f79f471b5dc8df178b2d7483c04b1f4763 |
C:\Users\Admin\AppData\Roaming\Oracle\lib\amd64\jvm.cfg
| MD5 | 499f2a4e0a25a41c1ff80df2d073e4fd |
| SHA1 | e2469cbe07e92d817637be4e889ebb74c3c46253 |
| SHA256 | 80847ed146dbc5a9f604b07ec887737fc266699abba266177b553149487ce9eb |
| SHA512 | 7828f7b06d0f4309b9edd3aa71ae0bb7ee92d2f8df5642c13437bba2a3888e457dc9b24c16aa9e0f19231530cb44b8ccd955cbbdf5956ce8622cc208796b357d |
C:\Users\Admin\AppData\Roaming\Oracle\bin\javaw.exe
| MD5 | 7fb44c5bca4226d8aab7398e836807a2 |
| SHA1 | 47128e4f8afabfde5037ed0fcaba8752c528ff52 |
| SHA256 | a64ead73c06470bc5c84cfc231b0723d70d29fec7d385a268be2c590dc5eb1ef |
| SHA512 | f0bd093f054c99bcc50df4005d0190bd7e3dcefea7008ae4c9b67a29e832e02ae9ff39fa75bc1352c127aeb13afdea9bfdcc238ac826ef17f288d6fbd2ec8cab |
C:\Users\Admin\AppData\Roaming\Oracle\lib\security\java.security
| MD5 | 8f0e3440fffdbcaa9d26be4730492a66 |
| SHA1 | 20a3e5a8ecbec20d41d7124120d264f61de96613 |
| SHA256 | b5e8205764b83f46b50187b2021de7c86a890df908a8d6c17275a68924f832c6 |
| SHA512 | c04528769ce780e730ef71803ca8191c217f571f62703daca273499b90e93101383a3699263458c205cd7a8733399c3c2ca6afc85b6843c2c5e2ba0890e762cb |
C:\Users\Admin\AppData\Roaming\Oracle\bin\net.dll
| MD5 | 6c720917e5c8ce1202a4141e8c8cfaf7 |
| SHA1 | 1175d918134983d1d64a42047f4ff814054123de |
| SHA256 | 833cdbd7b221dda58ba728ee9a41cac1d6819d19bfc7336a4b86cc69a5af3695 |
| SHA512 | 217f824b389547993556c26069d58eb956e87029b5c58556c2d308e48a0db2a02a057b3147fcf6ac7606f2b97ada33e2372112e93944f645137d81cc0dd32a9d |
C:\Users\Admin\AppData\Roaming\Oracle\bin\nio.dll
| MD5 | d8a6b5e5a33cb71b61964be369526704 |
| SHA1 | 7788adf9163fb2ac2c85c43630c0998b0f13360a |
| SHA256 | 686021b000cd6d76b97c6f924c528293bc55dfb4ce936cfe70959eecd1665c90 |
| SHA512 | d15e5832d025a8fb17dd48b8c6d8246b93d54543ba52d40a9f97aff257847f7e05971ae927a77e12ab1625dc514a29115ce5fe9ddad18fe5fc4b0ddc2f8ca6d1 |
C:\Users\Admin\AppData\Roaming\Oracle\bin\java.exe
| MD5 | dafb5fbb0614c19eccdab9bef8f89c22 |
| SHA1 | 91ab91eb4a90f02c4950c3e5da80f3eb24bddb52 |
| SHA256 | af62c3850cd7a84db64bbaf68533e2769da619a8a4bccf0ac4836d2ec86e4b5e |
| SHA512 | 81cf8e04b595052e67db73454a67e2098e1df9353e2c3cc842b8ab2a9fa837b90a2101d5a097a6b0af0030869e788de1aa73ebb958f1428a3952ce0464db3e93 |
C:\Users\Admin\AppData\Roaming\Oracle\lib\ext\sunec.jar
| MD5 | 1227482c65dc231e3607b002950f5497 |
| SHA1 | 709ff3738d5da8db225818df2966f04c13cb7d02 |
| SHA256 | cfe84c5292f9ddef96fecf118377565bbaf769eee7ff4cca81652fe1134f9809 |
| SHA512 | 87c4f5fa1e6dad6f2fab8a0371380fa7be9f63b05f8ff6740a4208ec115f8db9c512de9e40b4b853be35effed2804d0774c0e9426571a129cb6bdecd527cdb8c |
C:\ProgramData\Oracle\Java\.oracle_jre_usage\50569f7db71fa7f8.timestamp
| MD5 | be5d0545d480d3b02cc6fea3e650c95b |
| SHA1 | c72b29f89990a840e4bbac872f9f5b2867bb3610 |
| SHA256 | 217505fa9902397ca3a35c2966699694e31a13c2147804b325848408689976bb |
| SHA512 | b91abc70ca42e33ad2514f6bd42a8008282a5611a8922fde4493ae79f7ca402951fd92ace2ded3fa5fecad386e1067f9e2a17f0d987785b2118c8dfaee563cda |
C:\Users\Admin\AppData\Roaming\Oracle\lib\ext\sunjce_provider.jar
| MD5 | 456031723ebc7270d9bc3747cdd6daa2 |
| SHA1 | a4a61bb10ac83f201854a11750aa86e7dc8da41b |
| SHA256 | 324499cedd3f19ea621a38f42834369d7da8bdf40fcb5a345007bfa2e5987780 |
| SHA512 | b425eabd590f905aa147720aa507a0da2b31199956f21137a722fe6c8de05549d1cddbb2fb2ea1cbe34e39ce9d0eabb0502dd2a9a09f72dd87cd002765537079 |
C:\Users\Admin\AppData\Roaming\Oracle\lib\security\policy\unlimited\US_export_policy.jar
| MD5 | 6cbca5808b4a8613d2fed6fe4a84c449 |
| SHA1 | 0135b30ebec03fb69d79cdc3126e608d9effb8b2 |
| SHA256 | 761aab2969883e9e5ea76df63ca404fb67673efc3f97def057f8e22517fc9518 |
| SHA512 | 4d9bf052aa124d07673c601cbfb83223b87369f7be7575a13e13c0d893e57849ba11e430b7769901782c26471528dfaa130996916451e1a7e38cf28468e44cfa |
C:\Users\Admin\AppData\Roaming\Oracle\bin\sunec.dll
| MD5 | 2632b6d90868ff1ece67f76b86a23d79 |
| SHA1 | 90ddedde02a4cc37ae361caabc36a6a686c24bd1 |
| SHA256 | 86106645d9e3801911808d6343a7fead7b6e9d8b740bad63a4cd9851ff599283 |
| SHA512 | 61e0581c3dde45db74383b93e56396c65435714e746fe4f000c53465e8e6750bd787b5895a987bbdbe4badb5ad3570394c82476c2b4d65099f0b923002153b18 |
C:\Users\Admin\AppData\Roaming\Oracle\lib\security\policy\unlimited\local_policy.jar
| MD5 | 360663f26c5584e6c6127254b261fa0c |
| SHA1 | aee6515eede2ad7c697ba8a61bdd9359be3319d2 |
| SHA256 | 02f69a433405ea928c89a8aade74e5462282ccb9a9d30851312ed3459398f85c |
| SHA512 | e3920d5abbbe6b0e3029ed1e0b2ce1a53da6c7e728f635b12f00b1fd2eb6151fff74b9dc85ec0c0920f7fda440c1604d24ca766cdbcb78be3425088d97e00208 |
C:\Users\Admin\AppData\Roaming\Oracle\lib\security\blacklisted.certs
| MD5 | 8273f70416f494f7fa5b6c70a101e00e |
| SHA1 | aeaebb14fbf146fbb0aaf347446c08766c86ca7f |
| SHA256 | 583500b76965eb54b03493372989ab4d3426f85462d1db232c5ae6706a4d6c58 |
| SHA512 | e697a57d64ace1f302300f83e875c2726407f8daf7c1d38b07ab8b4b11299fd698582d825bee817a1af85a285f27877a9e603e48e01c72e482a04dc7ab12c8da |
C:\Users\Admin\AppData\Roaming\Oracle\bin\awt.dll
| MD5 | 39a3de251306cbca47cf2fb10089ae9f |
| SHA1 | cc3f3d1bc3ad172c9646961b18fe1d7bf98b59a5 |
| SHA256 | 6d1c82cad959b7e4636d8fced4368f0f2c8da4ef609667396e8772ad8d63f736 |
| SHA512 | 351a02453659d04a2943abc1da2b9541f97982ed3f94d288679dfd8d962bfb4b0dcdef9b06d329bdad64e032b0372733ff7d1577c49952accf86b971aed86f7e |
C:\Users\Admin\AppData\Roaming\Oracle\lib\accessibility.properties
| MD5 | 2ed483df31645d3d00c625c00c1e5a14 |
| SHA1 | 27c9b302d2d47aae04fc1f4ef9127a2835a77853 |
| SHA256 | 68ef2f3c6d7636e39c6626ed1bd700e3a6b796c25a9e5feca4533abfacd61cdf |
| SHA512 | 4bf6d06f2ceaf070df4bd734370def74a6dd545fd40efd64a948e1422470ef39e37a4909feeb8f0731d5badb3dd9086e96dace6bdca7bbd3078e8383b16894da |