Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6403_us	Sept. 13, 2021, 5:55 p.m.	Sept. 13, 2021, 5:57 p.m.

Size	261.4KB
Type	Zip archive data, at least v2.0 to extract
MD5	`2a3426e77f270bf7d46e1f3599541271`
SHA256	`277af42a715037a16c0455c792cca68491c2888d9acb6ecb1ebd8f56a76c6100`
CRC32	`AACD47E0`
ssdeep	`6144:LOoQtE9ASAWpCi4gBn8WVIogpVfqZoFU/meUgnc3:CoQtE/AWj408WVIvLqCFU/md2Q`
Yara	None matched

java.exe "C:\Program Files (x86)\Java\jre1.8.0_131\bin\java.exe" -jar C:\Users\test22\AppData\Local\Temp\Inv_INV410599.jar
2300
- cmd.exe cmd.exe /C cscript.exe C:\Users\test22\AppData\Local\Temp\Retrive7608619414195445135.vbs
  2612
  - cscript.exe cscript.exe C:\Users\test22\AppData\Local\Temp\Retrive7608619414195445135.vbs
    2104
- cmd.exe cmd.exe /C cscript.exe C:\Users\test22\AppData\Local\Temp\Retrive6871426135152969709.vbs
  2688
  - cscript.exe cscript.exe C:\Users\test22\AppData\Local\Temp\Retrive6871426135152969709.vbs
    2820
- xcopy.exe xcopy "C:\Program Files (x86)\Java\jre1.8.0_131" "C:\Users\test22\AppData\Roaming\Oracle\" /e
  2708
- cmd.exe cmd.exe
  2068
- reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v mIfXYPmidyd /t REG_EXPAND_SZ /d "\"C:\Users\test22\AppData\Roaming\Oracle\bin\javaw.exe\" -jar \"C:\Users\test22\DfSJGumiMVk\lXgvOTPUynR.dWJwxa\"" /f
  2408
- attrib.exe attrib +h "C:\Users\test22\DfSJGumiMVk\*.*"
  2568
- attrib.exe attrib +h "C:\Users\test22\DfSJGumiMVk"
  2956
- javaw.exe C:\Users\test22\AppData\Roaming\Oracle\bin\javaw.exe -jar C:\Users\test22\DfSJGumiMVk\lXgvOTPUynR.dWJwxa
  552
  - icacls.exe icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage\11e658b105eb7263.timestamp /grant "everyone":(OI)(CI)M
    2780
  - cmd.exe cmd.exe /C cscript.exe C:\Users\test22\AppData\Local\Temp\Retrive6188610520026110957.vbs
    2760
    - cscript.exe cscript.exe C:\Users\test22\AppData\Local\Temp\Retrive6188610520026110957.vbs
      1692
  - cmd.exe cmd.exe /C cscript.exe C:\Users\test22\AppData\Local\Temp\Retrive6961521396159326292.vbs
    1608
    - cscript.exe cscript.exe C:\Users\test22\AppData\Local\Temp\Retrive6961521396159326292.vbs
      160
  - cmd.exe cmd.exe
    2564
  - WMIC.exe WMIC /Node:localhost /Namespace:\\root\cimv2 Path Win32_PnpSignedDriver Get /Format:List
    2808

Name	Response	Post-Analysis Lookup
No hosts contacted.

IP Address	Status	Action
143.244.165.128	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
TCP 143.244.165.128:1231 -> 192.168.56.103:49187	2020728	ET MALWARE Possible Adwind/jSocket SSL Cert (assylias.Inc)	A Network Trojan was detected

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.103:49187 143.244.165.128:1231	C=FR, O=assylias.Inc, CN=assylias	C=FR, O=assylias.Inc, CN=assylias	d6:2e:06:53:11:df:fc:ec:ad:9f:8e:92:c3:16:aa:fb:60:19:39:4b

Queries for the computername (9 events)

Time & API	Arguments	Status	Return
GetComputerNameW Sept. 13, 2021, 5:55 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 5:55 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 5:55 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 5:55 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 5:55 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 5:55 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 5:55 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 5:55 p.m.	computer_name: TEST22-PC	1	1
GetComputerNameW Sept. 13, 2021, 5:55 p.m.	computer_name: TEST22-PC	1	1

Checks if process is being debugged by a debugger (3 events)

Time & API	Arguments	Status	Return	Repeated
IsDebuggerPresent Sept. 13, 2021, 5:55 p.m.			0	0
IsDebuggerPresent Sept. 13, 2021, 5:55 p.m.			0	0
IsDebuggerPresent Sept. 13, 2021, 5:55 p.m.			0	0

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Sept. 13, 2021, 5:55 p.m.		1	1	0

One or more processes crashed (5 events)

Time & API	Arguments	Status
__exception__ Sept. 13, 2021, 5:55 p.m.	stacktrace: exception.instruction_r: 8b 06 8d b5 f8 00 00 00 c5 fe 7f 06 c5 fe 7f 7e exception.instruction: mov eax, dword ptr [esi] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x24f0202 registers.esp: 14087188 registers.edi: 1 registers.eax: 6 registers.ebp: 1946801344 registers.edx: 0 registers.ebx: 16910336 registers.esi: 0 registers.ecx: 3405691582	1
__exception__ Sept. 13, 2021, 5:55 p.m.	stacktrace: exception.instruction_r: 8b 06 8d b5 f8 00 00 00 c5 fe 7f 06 c5 fe 7f 7e exception.instruction: mov eax, dword ptr [esi] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x27a0202 registers.esp: 13366812 registers.edi: 1 registers.eax: 6 registers.ebp: 1946801344 registers.edx: 0 registers.ebx: 16910336 registers.esi: 0 registers.ecx: 3405691582	1
__exception__ Sept. 13, 2021, 5:55 p.m.	stacktrace: _JVM_SetVmMemoryPressure@4-0x128cd jvm+0x7273 @ 0x73d17273 _JVM_SetVmMemoryPressure@4-0x1285c jvm+0x72e4 @ 0x73d172e4 JVM_GetThreadStateNames+0x4f379 _JVM_EnqueueOperation@20-0x5f937 jvm+0x15cf29 @ 0x73e6cf29 JVM_GetThreadStateNames+0x74947 _JVM_EnqueueOperation@20-0x3a369 jvm+0x1824f7 @ 0x73e924f7 JVM_GetThreadStateNames+0x40a57 _JVM_EnqueueOperation@20-0x6e259 jvm+0x14e607 @ 0x73e5e607 JVM_GetThreadStateNames+0x69f08 _JVM_EnqueueOperation@20-0x44da8 jvm+0x177ab8 @ 0x73e87ab8 _JVM_FindSignal@4+0xfdbf8 ??_7DCmdFactory@@6B@-0x913c jvm+0x2baf78 @ 0x73fcaf78 0x283dc6f 0x2894f76 0x28cd758 0x27a47b4 0x27a47b4 0x27a47b4 0x27a47b4 0x27a47b4 0x27a47b4 0x27a0697 JVM_GetThreadStateNames+0x4d395 _JVM_EnqueueOperation@20-0x6191b jvm+0x15af45 @ 0x73e6af45 _JVM_FindSignal@4+0x6402e ??_7DCmdFactory@@6B@-0xa2d06 jvm+0x2213ae @ 0x73f313ae JVM_GetThreadStateNames+0x4d42e _JVM_EnqueueOperation@20-0x61882 jvm+0x15afde @ 0x73e6afde _JVM_DoPrivileged@20+0x2bf _JVM_GetStackAccessControlContext@8-0x1b1 jvm+0x10b2cf @ 0x73e1b2cf _Java_java_security_AccessController_doPrivileged__Ljava_security_PrivilegedAction_2@12+0x15 _Java_java_security_AccessController_doPrivileged__Ljava_security_PrivilegedAction_2Ljava_security_AccessControlContext_2@16-0x3 java+0x1015 @ 0x73ce1015 0x27a47b4 0x27a47b4 0x27a47b4 0x27a47b4 0x27a44e0 0x27a47b4 0x27a47b4 0x27a47b4 0x27a0697 JVM_GetThreadStateNames+0x4d395 _JVM_EnqueueOperation@20-0x6191b jvm+0x15af45 @ 0x73e6af45 _JVM_FindSignal@4+0x6402e ??_7DCmdFactory@@6B@-0xa2d06 jvm+0x2213ae @ 0x73f313ae JVM_GetThreadStateNames+0x4d42e _JVM_EnqueueOperation@20-0x61882 jvm+0x15afde @ 0x73e6afde _JVM_GetManagementExt@4+0xa50eb AsyncGetCallTrace-0x15375 jvm+0xc05eb @ 0x73dd05eb _JVM_GetManagementExt@4+0xa62a7 AsyncGetCallTrace-0x141b9 jvm+0xc17a7 @ 0x73dd17a7 _JVM_GetManagementExt@4+0xa63f8 AsyncGetCallTrace-0x14068 jvm+0xc18f8 @ 0x73dd18f8 _JVM_GetManagementExt@4+0x69f76 AsyncGetCallTrace-0x504ea jvm+0x85476 @ 0x73d95476 _JVM_GetManagementExt@4+0x6af72 AsyncGetCallTrace-0x4f4ee jvm+0x86472 @ 0x73d96472 _JVM_GetManagementExt@4+0x66437 AsyncGetCallTrace-0x54029 jvm+0x81937 @ 0x73d91937 0x27b3aee 0x27a4854 0x27a4854 0x27a0697 JVM_GetThreadStateNames+0x4d395 _JVM_EnqueueOperation@20-0x6191b jvm+0x15af45 @ 0x73e6af45 _JVM_FindSignal@4+0x6402e ??_7DCmdFactory@@6B@-0xa2d06 jvm+0x2213ae @ 0x73f313ae JVM_GetThreadStateNames+0x4d42e _JVM_EnqueueOperation@20-0x61882 jvm+0x15afde @ 0x73e6afde _JVM_GetManagementExt@4+0xa50eb AsyncGetCallTrace-0x15375 jvm+0xc05eb @ 0x73dd05eb _JVM_GetManagementExt@4+0xa62a7 AsyncGetCallTrace-0x141b9 jvm+0xc17a7 @ 0x73dd17a7 _JVM_GetManagementExt@4+0xa63f8 AsyncGetCallTrace-0x14068 jvm+0xc18f8 @ 0x73dd18f8 _JVM_GetManagementExt@4+0x68470 AsyncGetCallTrace-0x51ff0 jvm+0x83970 @ 0x73d93970 _JVM_GetManagementExt@4+0x691fa AsyncGetCallTrace-0x51266 jvm+0x846fa @ 0x73d946fa _JVM_GetManagementExt@4+0x64aa7 AsyncGetCallTrace-0x559b9 jvm+0x7ffa7 @ 0x73d8ffa7 0x27b31bb 0x27a4854 0x27a4854 0x27a47b4 0x27a0697 JVM_GetThreadStateNames+0x4d395 _JVM_EnqueueOperation@20-0x6191b jvm+0x15af45 @ 0x73e6af45 _JVM_FindSignal@4+0x6402e ??_7DCmdFactory@@6B@-0xa2d06 jvm+0x2213ae @ 0x73f313ae JVM_GetThreadStateNames+0x4d42e _JVM_EnqueueOperation@20-0x61882 jvm+0x15afde @ 0x73e6afde JVM_GetThreadStateNames+0x4d5b6 _JVM_EnqueueOperation@20-0x616fa jvm+0x15b166 @ 0x73e6b166 JVM_GetThreadStateNames+0x4d627 _JVM_EnqueueOperation@20-0x61689 jvm+0x15b1d7 @ 0x73e6b1d7 jio_printf+0x9f _JVM_StartThread@8-0x11 jvm+0xff36f @ 0x73e0f36f exception.instruction_r: c7 04 08 01 00 00 00 5d c3 cc cc 83 3d 68 80 09 exception.instruction: mov dword ptr [eax + ecx], 1 exception.exception_code: 0xc0000005 exception.symbol: _JVM_SetVmMemoryPressure@4-0x1293b jvm+0x7205 exception.address: 0x73d17205 registers.esp: 367780000 registers.edi: 357655552 registers.eax: 3200 registers.ebp: 367780000 registers.edx: 1946203604 registers.ebx: 10329992 registers.esi: 357655552 registers.ecx: 9437184	1
__exception__ Sept. 13, 2021, 5:55 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74fb374b CoReleaseServerProcess+0x73 OleSaveToStream-0xad ole32+0x64387 @ 0x761e4387 NdrpMemoryIncrement+0x3d1 NdrComplexStructMarshall-0x2f rpcrt4+0x1ef51 @ 0x74faef51 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74fa6a9c NdrPointerMarshall+0xd6 NdrPointerBufferSize-0x10 rpcrt4+0x16b42 @ 0x74fa6b42 NdrPointerMarshall+0x30 NdrPointerBufferSize-0xb6 rpcrt4+0x16a9c @ 0x74fa6a9c NdrConformantArrayFree+0x8c NdrOleFree-0xa rpcrt4+0x35c3a @ 0x74fc5c3a NdrStubCall2+0x31d NdrUnmarshallBasetypeInline-0x23a rpcrt4+0xb06b8 @ 0x750406b8 WdtpInterfacePointer_UserUnmarshal+0x256f DllDebugObjectRPCHook-0x1e89 ole32+0x13d7e6 @ 0x762bd7e6 WdtpInterfacePointer_UserUnmarshal+0x25ff DllDebugObjectRPCHook-0x1df9 ole32+0x13d876 @ 0x762bd876 WdtpInterfacePointer_UserUnmarshal+0x2b59 DllDebugObjectRPCHook-0x189f ole32+0x13ddd0 @ 0x762bddd0 CoTaskMemFree+0x1b02 DcomChannelSetHResult-0x1c8 ole32+0x58a43 @ 0x761d8a43 CoTaskMemFree+0x19f7 DcomChannelSetHResult-0x2d3 ole32+0x58938 @ 0x761d8938 DcomChannelSetHResult+0x8ff CoGetObject-0x2183 ole32+0x5950a @ 0x761d950a WdtpInterfacePointer_UserUnmarshal+0x2a56 DllDebugObjectRPCHook-0x19a2 ole32+0x13dccd @ 0x762bdccd WdtpInterfacePointer_UserUnmarshal+0x28ca DllDebugObjectRPCHook-0x1b2e ole32+0x13db41 @ 0x762bdb41 WdtpInterfacePointer_UserUnmarshal+0x2f86 DllDebugObjectRPCHook-0x1472 ole32+0x13e1fd @ 0x762be1fd DcomChannelSetHResult+0x75c CoGetObject-0x2326 ole32+0x59367 @ 0x761d9367 DcomChannelSetHResult+0x71b CoGetObject-0x2367 ole32+0x59326 @ 0x761d9326 gapfnScSendMessage+0x332 GetAppCompatFlags2-0x8ea user32+0x162fa @ 0x751762fa GetThreadDesktop+0xd7 GetWindowLongW-0x2c4 user32+0x16d3a @ 0x75176d3a CharPrevW+0x138 TranslateMessage-0x45 user32+0x177c4 @ 0x751777c4 DispatchMessageW+0xf GetMessageW-0x58 user32+0x1788a @ 0x7517788a CoWaitForMultipleHandles+0x4311 CoRegisterSurrogateEx-0x2fe ole32+0x1a48b @ 0x7619a48b CoWaitForMultipleHandles+0x23c1 CoRegisterSurrogateEx-0x224e ole32+0x1853b @ 0x7619853b CoWaitForMultipleHandles+0x4332 CoRegisterSurrogateEx-0x2dd ole32+0x1a4ac @ 0x7619a4ac CoGetTreatAsClass+0x2619 CoRegisterChannelHook-0x1269 ole32+0x2cd48 @ 0x761acd48 CoGetTreatAsClass+0x314b CoRegisterChannelHook-0x737 ole32+0x2d87a @ 0x761ad87a BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77579ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77579ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7677b727 registers.esp: 48557748 registers.edi: 6875604 registers.eax: 48557748 registers.ebp: 48557828 registers.edx: 49 registers.ebx: 48558112 registers.esi: 2147746133 registers.ecx: 6644432	1
__exception__ Sept. 13, 2021, 5:55 p.m.	stacktrace: RpcRaiseException+0x42 I_RpcExceptionFilter-0x12 rpcrt4+0x2374b @ 0x74fb374b DllDebugObjectRPCHook+0xb6 HACCEL_UserFree-0x57 ole32+0x13f725 @ 0x762bf725 NdrPointerFree+0x16a IUnknown_Release_Proxy-0x5a rpcrt4+0x3414b @ 0x74fc414b ObjectStublessClient25+0x65c CoImpersonateClient-0xbc ole32+0xfe14 @ 0x7618fe14 StgGetIFillLockBytesOnFile+0x16ab5 WdtpInterfacePointer_UserSize-0xe21 ole32+0x13a338 @ 0x762ba338 IsValidURL+0x4b8c MkParseDisplayNameEx-0x1c6a4 urlmon+0x4e99f @ 0x76b8e99f IntlPercentEncodeNormalize+0x1ff8 CoInternetCombineIUri-0x940 urlmon+0x272ed @ 0x76b672ed RegisterBindStatusCallback+0x40d9 CopyBindInfo-0xbe4 urlmon+0x1ab0d @ 0x76b5ab0d IsValidURL+0x2235 MkParseDisplayNameEx-0x1effb urlmon+0x4c048 @ 0x76b8c048 RegisterBindStatusCallback+0x1dc3 CopyBindInfo-0x2efa urlmon+0x187f7 @ 0x76b587f7 RegisterBindStatusCallback+0x1ef2 CopyBindInfo-0x2dcb urlmon+0x18926 @ 0x76b58926 RevokeBindStatusCallback+0x13ad CreateURLMoniker-0x4b1 urlmon+0x1d55e @ 0x76b5d55e IsValidURL+0x2638 MkParseDisplayNameEx-0x1ebf8 urlmon+0x4c44b @ 0x76b8c44b RevokeBindStatusCallback+0x1045 CreateURLMoniker-0x819 urlmon+0x1d1f6 @ 0x76b5d1f6 RevokeBindStatusCallback+0xffb CreateURLMoniker-0x863 urlmon+0x1d1ac @ 0x76b5d1ac RevokeBindStatusCallback+0x125a CreateURLMoniker-0x604 urlmon+0x1d40b @ 0x76b5d40b RegisterBindStatusCallback+0x2ee7 CopyBindInfo-0x1dd6 urlmon+0x1991b @ 0x76b5991b RegisterBindStatusCallback+0x2333 CopyBindInfo-0x298a urlmon+0x18d67 @ 0x76b58d67 RegisterBindStatusCallback+0x36a4 CopyBindInfo-0x1619 urlmon+0x1a0d8 @ 0x76b5a0d8 RegisterBindStatusCallback+0x3151 CopyBindInfo-0x1b6c urlmon+0x19b85 @ 0x76b59b85 RegisterBindStatusCallback+0x3074 CopyBindInfo-0x1c49 urlmon+0x19aa8 @ 0x76b59aa8 DllRegisterServer+0x14b2 msxml3+0x46f4f @ 0x72d46f4f DllRegisterServer+0x13a3 msxml3+0x46e40 @ 0x72d46e40 DllGetClassObject+0x3536b DllCanUnloadNow-0x1017 msxml3+0x427a4 @ 0x72d427a4 DllGetClassObject+0x35219 DllCanUnloadNow-0x1169 msxml3+0x42652 @ 0x72d42652 DllGetClassObject+0x35104 DllCanUnloadNow-0x127e msxml3+0x4253d @ 0x72d4253d DllGetClassObject+0x34fd8 DllCanUnloadNow-0x13aa msxml3+0x42411 @ 0x72d42411 DllGetClassObject+0x35172 DllCanUnloadNow-0x1210 msxml3+0x425ab @ 0x72d425ab wmic+0x39c80 @ 0xf09c80 wmic+0x3b06a @ 0xf0b06a wmic+0x3b1f8 @ 0xf0b1f8 wmic+0x36fcd @ 0xf06fcd wmic+0x3d6e9 @ 0xf0d6e9 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x763733ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x77579ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x77579ea5 exception.instruction_r: c9 c2 10 00 cc cc cc cc cc 8b ff 55 8b ec 56 8b exception.symbol: RaiseException+0x58 CloseHandle-0x9 kernelbase+0xb727 exception.instruction: leave exception.module: KERNELBASE.dll exception.exception_code: 0x80040155 exception.offset: 46887 exception.address: 0x7677b727 registers.esp: 1893672 registers.edi: 1981610512 registers.eax: 1893672 registers.ebp: 1893752 registers.edx: 1 registers.ebx: 6613756 registers.esi: 2147746133 registers.ecx: 428453306	1

Allocates read-write-execute memory (usually to unpack itself) (50 out of 71 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Sept. 13, 2021, 5:55 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 163840 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x024f0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 5:55 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02518000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 5:55 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02520000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 5:55 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02528000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 5:55 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02530000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 5:55 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02538000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 5:55 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02540000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 5:55 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02548000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 5:55 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02550000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 5:55 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02558000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 5:55 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02560000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 5:55 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02568000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 5:55 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02570000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 5:55 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02578000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 5:55 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02580000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 5:55 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02588000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 5:55 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02590000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 5:55 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02598000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 5:55 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 5:55 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025a8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 5:55 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 5:55 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025b8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 5:55 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025c0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 5:55 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025c8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 5:55 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 5:55 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025d8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 5:55 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025e0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 5:55 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025e8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 5:55 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025f0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 5:55 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x025f8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 5:55 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02600000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 5:55 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02608000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 5:55 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02610000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 5:55 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02618000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 5:55 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02620000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 5:55 p.m.	process_identifier: 552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 163840 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 5:55 p.m.	process_identifier: 552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027c8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 5:55 p.m.	process_identifier: 552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 5:55 p.m.	process_identifier: 552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027d8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 5:55 p.m.	process_identifier: 552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027e0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 5:55 p.m.	process_identifier: 552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027e8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 5:55 p.m.	process_identifier: 552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027f0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 5:55 p.m.	process_identifier: 552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x027f8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 5:55 p.m.	process_identifier: 552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02800000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 5:55 p.m.	process_identifier: 552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02808000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 5:55 p.m.	process_identifier: 552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02810000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 5:55 p.m.	process_identifier: 552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02818000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 5:55 p.m.	process_identifier: 552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02820000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 5:55 p.m.	process_identifier: 552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02828000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Sept. 13, 2021, 5:55 p.m.	process_identifier: 552 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02830000 process_handle: 0xffffffff	1

Creates executable files on the filesystem (50 out of 95 events)

file	C:\Users\test22\AppData\Roaming\Oracle\bin\j2pkcs11.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\deploy.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\kinit.exe
file	C:\Users\test22\AppData\Roaming\Oracle\bin\sunmscapi.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\jdwp.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\sunec.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\java.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\jabswitch.exe
file	C:\Users\test22\AppData\Roaming\Oracle\bin\pack200.exe
file	C:\Users\test22\AppData\Roaming\Oracle\bin\gstreamer-lite.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\jsoundds.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\net.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\management.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\plugin2\msvcr100.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\msvcp120.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\jp2native.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\javaws.exe
file	C:\Users\test22\AppData\Roaming\Oracle\bin\jaas_nt.dll
file	C:\Users\test22\AppData\Local\Temp\Retrive7608619414195445135.vbs
file	C:\Users\test22\AppData\Roaming\Oracle\bin\fxplugins.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\hprof.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\nio.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\ssv.dll
file	C:\Users\test22\AppData\Local\Temp\Retrive6188610520026110957.vbs
file	C:\Users\test22\AppData\Roaming\Oracle\bin\keytool.exe
file	C:\Users\test22\AppData\Roaming\Oracle\bin\ssvagent.exe
file	C:\Users\test22\AppData\Roaming\Oracle\bin\jp2ssv.dll
file	C:\Users\test22\AppData\Local\Temp\Retrive6871426135152969709.vbs
file	C:\Users\test22\AppData\Roaming\Oracle\bin\jjs.exe
file	C:\Users\test22\AppData\Roaming\Oracle\bin\jp2iexp.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\javacpl.exe
file	C:\Users\test22\AppData\Roaming\Oracle\bin\instrument.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\policytool.exe
file	C:\Users\test22\AppData\Roaming\Oracle\bin\klist.exe
file	C:\Users\test22\AppData\Roaming\Oracle\bin\javaw.exe
file	C:\Users\test22\AppData\Roaming\Oracle\bin\lcms.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\WindowsAccessBridge-32.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\JAWTAccessBridge-32.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\ktab.exe
file	C:\Users\test22\AppData\Roaming\Oracle\bin\npt.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\prism_sw.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\dcpr.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\zip.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\verify.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\glass.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\decora_sse.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\java_crw_demo.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\jawt.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\dt_shmem.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\jfr.dll

Creates a suspicious process (6 events)

cmdline	cmd.exe
cmdline	cmd.exe /C cscript.exe C:\Users\test22\AppData\Local\Temp\Retrive6871426135152969709.vbs
cmdline	cmd.exe /C cscript.exe C:\Users\test22\AppData\Local\Temp\Retrive6961521396159326292.vbs
cmdline	cmd.exe /C cscript.exe C:\Users\test22\AppData\Local\Temp\Retrive7608619414195445135.vbs
cmdline	cmd.exe /C cscript.exe C:\Users\test22\AppData\Local\Temp\Retrive6188610520026110957.vbs
cmdline	WMIC /Node:localhost /Namespace:\\root\cimv2 Path Win32_PnpSignedDriver Get /Format:List

Drops an executable to the user AppData folder (50 out of 90 events)

file	C:\Users\test22\AppData\Roaming\Oracle\bin\jsoundds.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\unpack.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\awt.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\kinit.exe
file	C:\Users\test22\AppData\Roaming\Oracle\bin\net.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\jaas_nt.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\dt_shmem.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\javafx_font.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\javafx_iio.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\jp2launcher.exe
file	C:\Users\test22\AppData\Roaming\Oracle\bin\jfxwebkit.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\glib-lite.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\java-rmi.exe
file	C:\Users\test22\AppData\Roaming\Oracle\bin\keytool.exe
file	C:\Users\test22\AppData\Roaming\Oracle\bin\client\jvm.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\msvcr120.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\jli.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\t2k.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\management.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\fontmanager.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\jp2ssv.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\java_crw_demo.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\prism_d3d.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\msvcp120.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\wsdetect.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\jsdt.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\resource.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\plugin2\npjp2.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\j2pcsc.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\ssvagent.exe
file	C:\Users\test22\AppData\Roaming\Oracle\bin\orbd.exe
file	C:\Users\test22\AppData\Roaming\Oracle\bin\j2pkcs11.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\prism_sw.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\jpeg.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\dcpr.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\jfr.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\instrument.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\mlib_image.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\tnameserv.exe
file	C:\Users\test22\AppData\Roaming\Oracle\bin\splashscreen.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\sunmscapi.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\hprof.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\deploy.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\npt.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\jawt.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\javafx_font_t2k.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\policytool.exe
file	C:\Users\test22\AppData\Roaming\Oracle\bin\jabswitch.exe
file	C:\Users\test22\AppData\Roaming\Oracle\bin\gstreamer-lite.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\rmid.exe

Changes read-write memory protection to read-execute (probably to avoid detection when setting all RWX flags at the same time) (1 event)

Time & API	Arguments	Status	Return	Repeated
NtProtectVirtualMemory Sept. 13, 2021, 5:55 p.m.	process_identifier: 2300 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 65536 protection: 32 (PAGE_EXECUTE_READ) base_address: 0x16200000 process_handle: 0xffffffff	1	0	0

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Sept. 13, 2021, 5:55 p.m.	flags: 28 family: 0	1	0	0

Terminates another process (12 events)

Time & API	Arguments	Return
NtTerminateProcess Sept. 13, 2021, 5:55 p.m.	status_code: 0x00000001 process_identifier: 2612 process_handle: 0x00000340	0
NtTerminateProcess Sept. 13, 2021, 5:55 p.m.	status_code: 0x00000001 process_identifier: 2612 process_handle: 0x00000340	3221225738
NtTerminateProcess Sept. 13, 2021, 5:55 p.m.	status_code: 0x00000001 process_identifier: 2688 process_handle: 0x00000350	0
NtTerminateProcess Sept. 13, 2021, 5:55 p.m.	status_code: 0x00000001 process_identifier: 2688 process_handle: 0x00000350	3221225738
NtTerminateProcess Sept. 13, 2021, 5:55 p.m.	status_code: 0x00000001 process_identifier: 2708 process_handle: 0x000002b8	0
NtTerminateProcess Sept. 13, 2021, 5:55 p.m.	status_code: 0x00000001 process_identifier: 2708 process_handle: 0x000002b8	3221225738
NtTerminateProcess Sept. 13, 2021, 5:55 p.m.	status_code: 0x00000001 process_identifier: 2760 process_handle: 0x0000034c	0
NtTerminateProcess Sept. 13, 2021, 5:55 p.m.	status_code: 0x00000001 process_identifier: 2760 process_handle: 0x0000034c	3221225738
NtTerminateProcess Sept. 13, 2021, 5:55 p.m.	status_code: 0x00000001 process_identifier: 1608 process_handle: 0x0000035c	0
NtTerminateProcess Sept. 13, 2021, 5:55 p.m.	status_code: 0x00000001 process_identifier: 1608 process_handle: 0x0000035c	3221225738
NtTerminateProcess Sept. 13, 2021, 5:56 p.m.	status_code: 0x00000001 process_identifier: 2808 process_handle: 0x00000404	0
NtTerminateProcess Sept. 13, 2021, 5:56 p.m.	status_code: 0x00000001 process_identifier: 2808 process_handle: 0x00000404	3221225738

Uses Windows utilities for basic Windows functionality (4 events)

cmdline	attrib +h "C:\Users\test22\DfSJGumiMVk"
cmdline	attrib +h "C:\Users\test22\DfSJGumiMVk\."
cmdline	reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v mIfXYPmidyd /t REG_EXPAND_SZ /d "\"C:\Users\test22\AppData\Roaming\Oracle\bin\javaw.exe\" -jar \"C:\Users\test22\DfSJGumiMVk\lXgvOTPUynR.dWJwxa\"" /f
cmdline	WMIC /Node:localhost /Namespace:\\root\cimv2 Path Win32_PnpSignedDriver Get /Format:List

Communicates with host for which no DNS query was performed (1 event)

host

143.244.165.128

Installs itself for autorun at Windows startup (1 event)

reg_key

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\mIfXYPmidyd

reg_value

"C:\Users\test22\AppData\Roaming\Oracle\bin\javaw.exe" -jar "C:\Users\test22\DfSJGumiMVk\lXgvOTPUynR.dWJwxa"

Deletes executed files from disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\Retrive6871426135152969709.vbs

Executes one or more WMI queries (3 events)

wmi	Select * from AntiVirusProduct
wmi	Select * from FirewallProduct
wmi	SELECT * FROM Win32_PnpSignedDriver

Uses suspicious command line tools or Windows utilities (1 event)

cmdline

icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage\11e658b105eb7263.timestamp /grant "everyone":(OI)(CI)M

The process javaw.exe wrote an executable file to disk (2 events)

file	C:\Users\test22\AppData\Local\Temp\Windows2173301012068462979.dll
file	C:\Users\test22\AppData\Roaming\Oracle\bin\javaw.exe

File has been identified by 21 AntiVirus engines on VirusTotal as malicious (21 events)

Lionic	Trojan.Java.Adwind.m!c
ClamAV	Java.Trojan.Adwind-6
Alibaba	Backdoor:JAVA/Adwind.0c21ebf9
Arcabit	Trojan.Generic.D23D24CC
ESET-NOD32	multiple detections
Avast	Java:Malware-gen [Trj]
Kaspersky	HEUR:Backdoor.Java.Adwind.gen
BitDefender	Trojan.GenericKD.37561548
NANO-Antivirus	Exploit.Zip.Heuristic-java.csrvpr
MicroWorld-eScan	Trojan.GenericKD.37561548
Ad-Aware	Trojan.GenericKD.37561548
Emsisoft	Trojan.GenericKD.37561548 (B)
McAfee-GW-Edition	Adwind!jar
FireEye	Trojan.GenericKD.37561548
Ikarus	Trojan.Java.Adwind
GData	Trojan.GenericKD.37561548
ZoneAlarm	HEUR:Backdoor.Java.Adwind.gen
McAfee	Adwind!jar
MAX	malware (ai score=88)
Zoner	Probably Heur.JARAgent
AVG	Java:Malware-gen [Trj]

Inv_INV410599.jar

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All