Windows Analysis Report
Rtgs-RUATT6761105.html

Overview

General Information

Sample name: Rtgs-RUATT6761105.html
Analysis ID: 1603683
MD5: 8d1518db5d68a616ae7d2bd314d60d01
SHA1: 177768890969db087fccf4db36e36f155831fe43
SHA256: ffbb6ef3cd8dd5968192ed9a98c9b244d0664767080493f59825b3dcd8725668

Detection

Branchlock Obfuscator, SVG Dropper
Score: 92
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected Branchlock Obfuscator
Yara detected SVG Dropper
Downloads suspicious files via Chrome
Exploit detected, runtime environment starts unknown processes
Found suspicious ZIP file
HTML page contains base64 encoded files
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Contains functionality to detect virtual machines (SLDT)
Contains functionality to query CPU information (cpuid)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Stores files to the Windows start menu directory
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64_ra
  • chrome.exe (PID: 7084 cmdline: "C:\Users\user\AppData\Local\Chromium\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\Desktop\Rtgs-RUATT6761105.html MD5: B6CB00FCB81D3B66870817AEBE7163BB)
    • chrome.exe (PID: 6336 cmdline: "C:\Users\user\AppData\Local\Chromium\Application\chrome.exe" --no-sandbox --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --start-stack-profiler --mojo-platform-channel-handle=2020 --field-trial-handle=1972,i,17022466536324501101,2113891797188819685,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: B6CB00FCB81D3B66870817AEBE7163BB)
    • chrome.exe (PID: 7452 cmdline: "C:\Users\user\AppData\Local\Chromium\Application\chrome.exe" --no-sandbox --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-GB --service-sandbox-type=file_util --mojo-platform-channel-handle=4796 --field-trial-handle=1972,i,17022466536324501101,2113891797188819685,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8 MD5: B6CB00FCB81D3B66870817AEBE7163BB)
  • rundll32.exe (PID: 7784 cmdline: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding MD5: EF3179D498793BF4234F708D3BE28633)
  • wscript.exe (PID: 7516 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Temp1_MT103 Kotak.zip\Swift Transactions\Swift Transaction Report.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • java.exe (PID: 7596 cmdline: "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe" -version MD5: 9DAA53BAB2ECB33DC0D9CA51552701FA)
      • conhost.exe (PID: 7612 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • icacls.exe (PID: 5896 cmdline: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M MD5: 2E49585E4E08565F52090B144062F97E)
        • conhost.exe (PID: 6800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • javaw.exe (PID: 1324 cmdline: "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe" -jar "C:\Users\user\AppData\Local\Temp\Swift Confirmation Copy.jar" MD5: 6E0F4F812AE02FBCB744A929E74A04B8)
      • tasklist.exe (PID: 3840 cmdline: tasklist.exe MD5: 0A4448B31CE7F83CB7691A2657F330F1)
        • conhost.exe (PID: 400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • wscript.exe (PID: 344 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Temp1_MT103 Kotak.zip\Swift Transactions\Swift Transaction Report.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • java.exe (PID: 4924 cmdline: "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe" -version MD5: 9DAA53BAB2ECB33DC0D9CA51552701FA)
      • conhost.exe (PID: 4996 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • javaw.exe (PID: 7728 cmdline: "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe" -jar "C:\Users\user\AppData\Local\Temp\Swift Confirmation Copy.jar" MD5: 6E0F4F812AE02FBCB744A929E74A04B8)
      • tasklist.exe (PID: 7148 cmdline: tasklist.exe MD5: 0A4448B31CE7F83CB7691A2657F330F1)
        • conhost.exe (PID: 7144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • chrome.exe (PID: 928 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)
    • chrome.exe (PID: 1272 cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2016 --field-trial-handle=1764,i,15393456971451966166,14348329729809103929,262144 /prefetch:8 MD5: 83395EAB5B03DEA9720F8D7AC0D15CAA)
  • wscript.exe (PID: 5336 cmdline: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Temp1_MT103 Kotak.zip\Swift Transactions\Swift Transaction Report.js" MD5: A47CBE969EA935BDD3AB568BB126BC80)
    • java.exe (PID: 7824 cmdline: "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe" -version MD5: 9DAA53BAB2ECB33DC0D9CA51552701FA)
      • conhost.exe (PID: 7740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • javaw.exe (PID: 4728 cmdline: "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe" -jar "C:\Users\user\AppData\Local\Temp\Swift Confirmation Copy.jar" MD5: 6E0F4F812AE02FBCB744A929E74A04B8)
      • tasklist.exe (PID: 1472 cmdline: tasklist.exe MD5: 0A4448B31CE7F83CB7691A2657F330F1)
        • conhost.exe (PID: 4144 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cmd.exe (PID: 7532 cmdline: "C:\Windows\system32\cmd.exe" MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE)
    • conhost.exe (PID: 8164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
No configs have been found
Yara matches (Source; Rule; Description; Author; Strings):
Source: Rtgs-RUATT6761105.html; Rule: JoeSecurity_SVGDropper; Description: Yara detected SVG Dropper; Author: Joe Security
Source: C:\Users\user\AppData\Local\Temp\Swift Confirmation Copy.jar; Rule: JoeSecurity_BranchlockObfuscator; Description: Yara detected Branchlock Obfuscator; Author: Joe Security
Source: 00000026.00000003.2382483966.000001BB6D3DE000.00000004.00000020.00020000.00000000.sdmp; Rule: JoeSecurity_BranchlockObfuscator; Description: Yara detected Branchlock Obfuscator; Author: Joe Security
Source: 00000010.00000003.1780866431.00000251BFA5C000.00000004.00000020.00020000.00000000.sdmp; Rule: JoeSecurity_BranchlockObfuscator; Description: Yara detected Branchlock Obfuscator; Author: Joe Security
Source: 00000015.00000002.1770490112.0000000014EAA000.00000004.00000020.00020000.00000000.sdmp; Rule: JoeSecurity_BranchlockObfuscator; Description: Yara detected Branchlock Obfuscator; Author: Joe Security
Source: 00000029.00000003.2277629379.0000000000F26000.00000004.00000020.00020000.00000000.sdmp; Rule: JoeSecurity_BranchlockObfuscator; Description: Yara detected Branchlock Obfuscator; Author: Joe Security
Source: 00000010.00000002.1794993771.00000251BFA67000.00000004.00000020.00020000.00000000.sdmp; Rule: JoeSecurity_BranchlockObfuscator; Description: Yara detected Branchlock Obfuscator; Author: Joe Security
(memory-dump table truncated; 14 entries in total)

System Summary

Source: Process started; Author: Florian Roth (Nextron Systems), Nasreddine Bencherchali (Nextron Systems); Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Temp1_MT103 Kotak.zip\Swift Transactions\Swift Transaction Report.js", CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Temp1_MT103 Kotak.zip\Swift Transactions\Swift Transaction Report.js", CommandLine|base64offset|contains: N-, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4552, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Temp1_MT103 Kotak.zip\Swift Transactions\Swift Transaction Report.js", ProcessId: 7516, ProcessName: wscript.exe
Source: Process started; Author: Florian Roth (Nextron Systems), Max Altgelt (Nextron Systems), Tim Shelton; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Temp1_MT103 Kotak.zip\Swift Transactions\Swift Transaction Report.js", CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Temp1_MT103 Kotak.zip\Swift Transactions\Swift Transaction Report.js", CommandLine|base64offset|contains: N-, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4552, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Temp1_MT103 Kotak.zip\Swift Transactions\Swift Transaction Report.js", ProcessId: 7516, ProcessName: wscript.exe
Source: Process started; Author: Margaritis Dimitrios (idea), Florian Roth (Nextron Systems), oscd.community; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Temp1_MT103 Kotak.zip\Swift Transactions\Swift Transaction Report.js", CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Temp1_MT103 Kotak.zip\Swift Transactions\Swift Transaction Report.js", CommandLine|base64offset|contains: N-, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4552, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Temp1_MT103 Kotak.zip\Swift Transactions\Swift Transaction Report.js", ProcessId: 7516, ProcessName: wscript.exe
Source: Process started; Author: Michael Haag; Data: Command: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Temp1_MT103 Kotak.zip\Swift Transactions\Swift Transaction Report.js", CommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Temp1_MT103 Kotak.zip\Swift Transactions\Swift Transaction Report.js", CommandLine|base64offset|contains: N-, Image: C:\Windows\System32\wscript.exe, NewProcessName: C:\Windows\System32\wscript.exe, OriginalFileName: C:\Windows\System32\wscript.exe, ParentCommandLine: , ParentImage: , ParentProcessId: 4552, ProcessCommandLine: "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Temp1_MT103 Kotak.zip\Swift Transactions\Swift Transaction Report.js", ProcessId: 7516, ProcessName: wscript.exe
No Suricata rule has matched

Phishing

Source: Rtgs-RUATT6761105.html; HTTP Parser: Base64: UEsDBAoAAAAAAKejJVoA...AAIA5QAAAK9gAQAAAA== decoded: PK..........%Z.........9K*.P+.....9.......F
Source: Rtgs-RUATT6761105.html; HTTP Parser: No favicon
Source: file:///C:/Users/user/Desktop/Rtgs-RUATT6761105.html; HTTP Parser: No favicon

Software Vulnerabilities

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe; Process created: C:\Windows\System32\conhost.exe
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe; Code function: 4x nop then cmp eax, dword ptr [ecx+04h]; Function: 21_2_02668C18
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe; Code function: 4x nop then cmp eax, dword ptr [ecx+04h]; Function: 32_2_02659718
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe; Code function: 4x nop then cmp eax, dword ptr [ecx+04h]; Function: 41_2_02969A58
Source: Joe Sandbox View; IP Address: 162.159.61.3
Source: Joe Sandbox View; IP Address: 172.64.41.3
Source: Joe Sandbox View; IP Address: 239.255.255.250
Source: unknown; TCP traffic detected without corresponding DNS query: 204.79.197.200 (reported 3 times)
Source: unknown; TCP traffic detected without corresponding DNS query: 204.79.197.203 (reported 7 times)
Source: unknown; TCP traffic detected without corresponding DNS query: 20.189.173.13 (reported 7 times)
Source: unknown; TCP traffic detected without corresponding DNS query: 142.251.40.238 (reported 15 times)
Source: unknown; TCP traffic detected without corresponding DNS query: 192.229.211.108 (reported 7 times)
Source: unknown; TCP traffic detected without corresponding DNS query: 142.251.35.174 (reported 11 times)
Source: global traffic; HTTP traffic detected:
  GET /crx/blobs/ASuc5oj66FPFCZ6TpoAktc-qUj-xZHh4ElNyHL2oX1fA4ba1CEuSD2622yJ8GMFHp-mOUJx9R1r8fL9p7mr2DC59Qhc7bBNPrvCsW6YV5Cn_fb22vJw7Q3ImwWbO7r9R5UM_AMZSmuVGmgAcSzXr_h0j8ySsMnl6SOzTVw/EFAIDNBMNNNIBPCAJPCGLCLEFINDMKAJ_25_1_3_2.crx HTTP/1.1
  Host: clients2.googleusercontent.com
  Connection: keep-alive
  Sec-Fetch-Site: none
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: empty
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: global traffic; HTTP traffic detected:
  GET /webstore/inlineinstall/detail/efaidnbmnnnibpcajpcglclefindmkaj HTTP/1.1
  Host: chrome.google.com
  Connection: keep-alive
  Sec-Fetch-Site: none
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: empty
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: global traffic; HTTP traffic detected:
  GET /_/scs/abc-static/_/js/k=gapi.gapi.en.l2ZUC8FxqV8.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo9xAAkaXO7Lqf7-9uTpZLtrkpWaXQ/cb=gapi.loaded_0 HTTP/1.1
  Host: apis.google.com
  Connection: keep-alive
  sec-ch-ua: "Not.A/Brand";v="8", "Chromium";v="114"
  sec-ch-ua-mobile: ?0
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
  sec-ch-ua-platform: "Windows"
  Accept: */*
  X-Client-Data: CNOFywE=
  Sec-Fetch-Site: cross-site
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: script
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-GB,en-US;q=0.9,en;q=0.8
Source: global traffic; HTTP traffic detected:
  GET /complete/search?client=chrome-omni&gs_ri=chrome-ext-ansg&xssi=t&q=&oit=0&oft=1&pgcl=20&gs_rn=42&sugkey=AIzaSyBOti4mM-6x9WDnZIjIeyEU21OpBXqWBgw HTTP/1.1
  Host: www.google.com
  Connection: keep-alive
  X-Client-Data: CJC2yQEIprbJAQipncoBCLf3ygEIk6HLAQiFoM0BCNy9zQEIksrNAQi5ys0BCLbLzQEI6dLNAQiK080BCMHUzQEIz9bNAQjj1s0BCI7XzQEIp9jNAQi62M0BCPnA1BUYuL/NARj2yc0BGOuNpRc=
  Sec-Fetch-Site: none
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: empty
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
Source: global traffic; HTTP traffic detected:
  GET /async/newtab_ogb?hl=en-US&async=fixed:0 HTTP/1.1
  Host: www.google.com
  Connection: keep-alive
  X-Client-Data: CJC2yQEIprbJAQipncoBCLf3ygEIk6HLAQiFoM0BCNy9zQEIksrNAQi5ys0BCLbLzQEI6dLNAQiK080BCMHUzQEIz9bNAQjj1s0BCI7XzQEIp9jNAQi62M0BCPnA1BUYuL/NARj2yc0BGOuNpRc=
  Sec-Fetch-Site: cross-site
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: empty
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
Source: global traffic; HTTP traffic detected:
  GET /async/newtab_promos HTTP/1.1
  Host: www.google.com
  Connection: keep-alive
  Sec-Fetch-Site: cross-site
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: empty
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
Source: global traffic; HTTP traffic detected:
  GET /_/scs/abc-static/_/js/k=gapi.gapi.en.l2ZUC8FxqV8.O/m=gapi_iframes,googleapis_client/rt=j/sv=1/d=1/ed=1/rs=AHpOoo9xAAkaXO7Lqf7-9uTpZLtrkpWaXQ/cb=gapi.loaded_0 HTTP/1.1
  Host: apis.google.com
  Connection: keep-alive
  sec-ch-ua: "Google Chrome";v="117", "Not;A=Brand";v="8", "Chromium";v="117"
  sec-ch-ua-mobile: ?0
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/117.0.0.0 Safari/537.36
  sec-ch-ua-platform: "Windows"
  Accept: */*
  X-Client-Data: CJC2yQEIprbJAQipncoBCLf3ygEIk6HLAQiFoM0BCLnKzQEIitPNAQjB1M0BCLrYzQEY9snNARjrjaUX
  Sec-Fetch-Site: cross-site
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: script
  Accept-Encoding: gzip, deflate, br
  Accept-Language: en-US,en;q=0.9
Source: global traffic; DNS traffic detected: DNS query: clients2.googleusercontent.com
Source: global traffic; DNS traffic detected: DNS query: www.google.com
Source: global traffic; DNS traffic detected: DNS query: chrome.cloudflare-dns.com
Source: global traffic; DNS traffic detected: DNS query: sb-ssl.google.com
Source: global traffic; DNS traffic detected: DNS query: seasonmonster.s3.us-east-1.amazonaws.com
Source: global traffic; DNS traffic detected: DNS query: apis.google.com
Source: global traffic; DNS traffic detected: DNS query: play.google.com
Source: unknown; HTTP traffic detected:
  POST /safebrowsing/clientreport/download?key=dummytoken HTTP/1.1
  Host: sb-ssl.google.com
  Connection: keep-alive
  Content-Length: 242334
  Content-Type: application/octet-stream
  Sec-Fetch-Site: none
  Sec-Fetch-Mode: no-cors
  Sec-Fetch-Dest: empty
  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36
  Accept-Encoding: gzip, deflate, br
Source: javaw.exe, 00000015.00000002.1757602155.00000000048D9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2049473539.00000000048E4000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2307242939.0000000004AE9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: HTTP://WWW.CHAMBERSIGN.ORG
Source: javaw.exe, 00000029.00000002.2307242939.0000000004AE9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://bugreport.sun.com/bugreport/
Source: javaw.exe, 00000015.00000002.1762475761.0000000009E27000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009E2A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.000000000A025000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
Source: javaw.exe, 00000015.00000002.1762475761.0000000009D56000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000015.00000002.1762475761.0000000009DC8000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000015.00000002.1762475761.0000000009E4F000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000015.00000002.1762475761.0000000009E06000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009E52000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009DCB000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009E09000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009D58000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.0000000009FC7000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.000000000A025000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.0000000009F57000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.000000000A005000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: javaw.exe, 00000015.00000002.1762475761.0000000009E27000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000015.00000002.1762475761.0000000009DC8000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009DCB000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009E2A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.0000000009FC7000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.000000000A025000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt
Source: javaw.exe, 00000015.00000002.1762475761.0000000009D56000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000015.00000002.1762475761.0000000009E4F000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000015.00000002.1762475761.0000000009D81000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009E52000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009D84000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009D58000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.0000000009FC7000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.000000000A025000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.0000000009F57000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.0000000009F80000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: javaw.exe, 00000015.00000002.1762475761.0000000009E27000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009E2A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.000000000A025000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
Source: javaw.exe, 00000015.00000002.1762475761.0000000009D56000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000015.00000002.1762475761.0000000009DC8000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000015.00000002.1762475761.0000000009E4F000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000015.00000002.1762475761.0000000009E06000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009E52000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009DCB000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009E09000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2049473539.00000000048E4000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009D58000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.0000000009FC7000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.000000000A025000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.0000000009F57000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.000000000A005000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: javaw.exe, 00000015.00000002.1757602155.00000000048D9000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://cps.chambers
Source: javaw.exe, 00000015.00000002.1762475761.0000000009FCC000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009FCE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.000000000A1F5000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html
Source: javaw.exe, 00000015.00000002.1757602155.0000000004C9E000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2049473539.0000000004CA0000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2307242939.0000000004EA0000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: javaw.exe, 00000015.00000002.1762475761.0000000009FCC000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009FCE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.000000000A1F5000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://crl.chambersign.org/chambersroot.crl
Source: javaw.exe, 00000015.00000002.1757602155.0000000004C9E000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000015.00000002.1762475761.0000000009FCC000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000015.00000002.1757602155.00000000048D9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2049473539.0000000004CA0000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009FCE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.000000000A1F5000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2307242939.0000000004EA0000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: javaw.exe, 00000015.00000002.1762475761.0000000009FCC000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009FCE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.000000000A1F5000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl
Source: javaw.exe, 00000015.00000002.1757602155.0000000004C9E000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000015.00000002.1757602155.0000000004CCE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000015.00000002.1762475761.0000000009FCC000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2049473539.0000000004CA0000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009FCE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.000000000A1F5000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2307242939.0000000004EA0000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: javaw.exe, 00000015.00000002.1762475761.0000000009FCC000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009FCE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.000000000A1F5000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: javaw.exe, 00000015.00000002.1757602155.0000000004C9E000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000015.00000002.1762475761.0000000009FCC000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2049473539.0000000004CA0000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009FCE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.000000000A1F5000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2307242939.0000000004EA0000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: javaw.exe, 00000015.00000002.1762475761.0000000009FCC000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009FCE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.000000000A1F5000.00000004.00000800.00020000.00000000.sdmp; String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
                Source: javaw.exe, 00000015.00000002.1757602155.0000000004C9E000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000015.00000002.1762475761.0000000009FCC000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2049473539.0000000004CA0000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009FCE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.000000000A1F5000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2307242939.0000000004EA0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
                Source: javaw.exe, 00000015.00000002.1762475761.0000000009E27000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009E2A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.000000000A025000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
                Source: javaw.exe, 00000015.00000002.1762475761.0000000009D56000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000015.00000002.1762475761.0000000009DC8000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000015.00000002.1762475761.0000000009E4F000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000015.00000002.1762475761.0000000009E06000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009E52000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009DCB000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009E09000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009D58000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.0000000009FC7000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.000000000A025000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.0000000009F57000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.000000000A005000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
                Source: javaw.exe, 00000015.00000002.1762475761.0000000009E27000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009E2A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.000000000A025000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl
                Source: javaw.exe, 00000015.00000002.1762475761.0000000009D56000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000015.00000002.1762475761.0000000009DC8000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000015.00000002.1762475761.0000000009E4F000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000015.00000002.1762475761.0000000009D81000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009E52000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009DCB000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009D84000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009D58000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.0000000009FC7000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.000000000A025000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.0000000009F57000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.0000000009F80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
                Source: javaw.exe, 00000015.00000002.1762475761.0000000009E27000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2049473539.00000000048E4000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009E2A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.000000000A025000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl
                Source: javaw.exe, 00000015.00000002.1762475761.0000000009D56000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000015.00000002.1762475761.0000000009DC8000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000015.00000002.1762475761.0000000009E4F000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000015.00000002.1762475761.0000000009E06000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009E52000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009DCB000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009E09000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009D58000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.0000000009FC7000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.000000000A025000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.0000000009F57000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.000000000A005000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
                Source: java.exe, 00000011.00000002.1729924387.0000000004600000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000015.00000002.1762475761.0000000009DC8000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000015.00000002.1757602155.00000000048D9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 0000001E.00000002.2017446026.0000000004600000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009DCB000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2049473539.00000000048E4000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.0000000009FC7000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2307242939.0000000004AE9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://java.oracle.com/
                Source: javaw.exe, 00000015.00000002.1770490112.0000000014EAA000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000015.00000002.1762475761.0000000009F42000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009F44000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2084521140.00000000151E0000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2354504201.0000000015450000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.000000000A140000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://null.oracle.com/
                Source: javaw.exe, 00000015.00000002.1762475761.0000000009E27000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009E2A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.000000000A025000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com
                Source: javaw.exe, 00000015.00000002.1762475761.0000000009E27000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000015.00000002.1762475761.0000000009D56000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000015.00000002.1762475761.0000000009DC8000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000015.00000002.1762475761.0000000009E4F000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000015.00000002.1762475761.0000000009E06000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009E52000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009DCB000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009E09000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2049473539.00000000048E4000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009E2A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009D58000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.0000000009FC7000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.000000000A025000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.0000000009F57000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.000000000A005000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
                Source: javaw.exe, 00000015.00000002.1762475761.0000000009E27000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000015.00000002.1762475761.0000000009D56000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000015.00000002.1762475761.0000000009DC8000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000015.00000002.1762475761.0000000009E4F000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000015.00000002.1762475761.0000000009E06000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009E52000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009DCB000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009E09000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009E2A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009D58000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.0000000009FC7000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.000000000A025000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.0000000009F57000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.000000000A005000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
                Source: javaw.exe, 00000015.00000002.1762475761.0000000009E27000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000015.00000002.1762475761.0000000009D56000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000015.00000002.1762475761.0000000009DC8000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000015.00000002.1762475761.0000000009E4F000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000015.00000002.1762475761.0000000009D81000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009E52000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009DCB000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009D84000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009E2A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009D58000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.0000000009FC7000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.000000000A025000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.0000000009F57000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.0000000009F80000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
                Source: javaw.exe, 00000015.00000002.1762475761.0000000009FCC000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009FCE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.000000000A1F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://policy.camerfirma.com
                Source: javaw.exe, 00000015.00000002.1757602155.0000000004C9E000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2049473539.0000000004CA0000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2307242939.0000000004EA0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://policy.camerfirma.com0
                Source: javaw.exe, 00000029.00000002.2307242939.0000000004EA0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://repository.swisssign.com/
                Source: javaw.exe, 00000020.00000002.2049473539.00000000048E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://repository.swisssign.com/#
                Source: javaw.exe, 00000015.00000002.1757602155.0000000004C9E000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000015.00000002.1757602155.00000000048D9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2049473539.0000000004CA0000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2049473539.00000000048E4000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2049473539.000000000485E000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2307242939.0000000004AE9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2307242939.0000000004EA0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://repository.swisssign.com/0
                Source: javaw.exe, 00000015.00000002.1757602155.00000000048D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://repository.swisssign.com/St
                Source: javaw.exe, 00000029.00000002.2307242939.0000000004AE9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://repository.swisssign.com/k
                Source: chromecache_508.36.drString found in binary or memory: http://www.broofa.com
                Source: javaw.exe, 00000029.00000002.2307242939.0000000004AE9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.chambersign.org
                Source: javaw.exe, 00000015.00000002.1757602155.0000000004C9E000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000015.00000002.1762475761.0000000009FCC000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000015.00000002.1757602155.00000000048D9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2049473539.0000000004CA0000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009FCE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.000000000A1F5000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2307242939.0000000004EA0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.chambersign.org1
                Source: javaw.exe, 00000029.00000002.2307242939.0000000004AE9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.quovadis.bm
                Source: javaw.exe, 00000015.00000002.1757602155.0000000004C9E000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000015.00000002.1762475761.0000000009FCC000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000015.00000002.1757602155.00000000048D9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2049473539.0000000004CA0000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2049473539.00000000048E4000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009FCE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.000000000A1F5000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2307242939.0000000004AE9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2307242939.0000000004EA0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.quovadis.bm0
                Source: javaw.exe, 00000029.00000002.2307242939.0000000004AE9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.quovadis.bmC
                Source: javaw.exe, 00000015.00000002.1757602155.00000000048D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.quovadis.bmsi
                Source: javaw.exe, 00000015.00000002.1762475761.0000000009FCC000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009FCE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.000000000A1F5000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.quovadisglobal.com/cps
                Source: javaw.exe, 00000015.00000002.1757602155.0000000004C9E000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000015.00000002.1762475761.0000000009FCC000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2049473539.0000000004CA0000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009FCE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.000000000A1F5000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2307242939.0000000004EA0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.quovadisglobal.com/cps0
                Source: chromecache_512.36.drString found in binary or memory: https://accounts.google.com/o/oauth2/auth
                Source: chromecache_512.36.drString found in binary or memory: https://accounts.google.com/o/oauth2/postmessageRelay
                Source: chromecache_508.36.dr, chromecache_512.36.drString found in binary or memory: https://apis.google.com
                Source: Swift Confirmation Copy.jar.16.drString found in binary or memory: https://branchlock.net
                Source: javaw.exe, 00000015.00000002.1770490112.0000000014EAA000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://branchlock.net%
                Source: wscript.exe, 0000001D.00000003.2101588988.000001BF4D5B0000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000026.00000003.2382483966.000001BB6D3DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://branchlock.net8
                Source: wscript.exe, 00000026.00000003.2382483966.000001BB6D3DE000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://branchlock.netP
                Source: wscript.exe, 00000010.00000003.1780866431.00000251BFA5C000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: https://branchlock.netY
                Source: chromecache_512.36.drString found in binary or memory: https://clients6.google.com
                Source: chromecache_512.36.drString found in binary or memory: https://content.googleapis.com
                Source: chromecache_512.36.drString found in binary or memory: https://domains.google.com/suggest/flow
                Source: chromecache_508.36.drString found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey200-36dp/2x/gm_alert_gm_grey200_3
                Source: chromecache_508.36.drString found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/alert/v11/gm_grey600-36dp/2x/gm_alert_gm_grey600_3
                Source: chromecache_508.36.drString found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey200-24dp/1x/gm_close_gm_grey200_2
                Source: chromecache_508.36.drString found in binary or memory: https://fonts.gstatic.com/s/i/googlematerialicons/close/v19/gm_grey600-24dp/1x/gm_close_gm_grey600_2
                Source: javaw.exe, 00000029.00000002.2307242939.0000000004AE9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ocsp.quovadisoffshore.com
                Source: javaw.exe, 00000015.00000002.1757602155.0000000004C9E000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000015.00000002.1762475761.0000000009FCC000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000015.00000002.1757602155.00000000048D9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2049473539.0000000004CA0000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2049473539.00000000048E4000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009FCE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.000000000A1F5000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2307242939.0000000004AE9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2307242939.0000000004EA0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ocsp.quovadisoffshore.com0
                Source: javaw.exe, 00000015.00000002.1757602155.00000000048D9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ocsp.quovadisoffshore.comK
                Source: javaw.exe, 00000020.00000002.2049473539.00000000048E4000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://ocsp.quovadisoffshore.comS
                Source: chromecache_508.36.drString found in binary or memory: https://play.google.com/log?format=json&hasfast=true
                Source: chromecache_512.36.drString found in binary or memory: https://plus.google.com
                Source: chromecache_512.36.drString found in binary or memory: https://plus.googleapis.com
                Source: javaw.exe, 00000029.00000002.2324389507.000000000A1F5000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2307242939.0000000004EA0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://repository.luxtrust.lu
                Source: javaw.exe, 00000015.00000002.1757602155.0000000004CCE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000015.00000002.1762475761.0000000009FCC000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2049473539.0000000004CCF000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009FCE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.000000000A1F5000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2307242939.0000000004EA0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://repository.luxtrust.lu0
                Source: javaw.exe, 00000015.00000002.1757602155.0000000004CCE000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://repository.luxtrust.luK
                Source: javaw.exe, 00000029.00000002.2307242939.0000000004EA0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://repository.luxtrust.luk
                Source: javaw.exe, 00000029.00000002.2307242939.0000000004EA0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://repository.luxtrust.lus&
                Source: javaw.exe, 00000015.00000002.1757602155.0000000004B93000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2049473539.0000000004B8F000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2307242939.0000000004D95000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com
                Source: javaw.exe, 00000015.00000002.1762475761.0000000009E4F000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009E52000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.000000000A04F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/1.jar
                Source: javaw.exe, 00000015.00000002.1762475761.0000000009E4F000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009E52000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.000000000A04F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/2.jar
                Source: javaw.exe, 00000015.00000002.1762475761.0000000009E4F000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009E52000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.000000000A04F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/3.jar
                Source: javaw.exe, 00000015.00000002.1762475761.0000000009E4F000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009E52000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.000000000A04F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/checker.jar
                Source: javaw.exe, 00000015.00000002.1762475761.0000000009E4F000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009E52000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.000000000A04F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/email.js
                Source: javaw.exe, 00000015.00000002.1762475761.0000000009E4F000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009E52000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.000000000A04F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/history.jar
                Source: javaw.exe, 00000015.00000002.1762475761.0000000009E4F000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009E52000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.000000000A04F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/recovery.jar
                Source: javaw.exe, 00000015.00000002.1762475761.0000000009E4F000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009E52000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.000000000A04F000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/res.jar
                Source: javaw.exe, 00000029.00000002.2307242939.0000000004D95000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://seasonmonster.s3.us-east-1.amazonaws.com/swiftcopy.pdf
                Source: chromecache_512.36.drString found in binary or memory: https://workspace.google.com/:session_prefix:marketplace/appfinder?usegapi=1
                Source: chromecache_512.36.drString found in binary or memory: https://www.googleapis.com/auth/plus.me
                Source: chromecache_512.36.drString found in binary or memory: https://www.googleapis.com/auth/plus.people.recommended
                Source: chromecache_508.36.drString found in binary or memory: https://www.gstatic.com/gb/html/afbp.html
                Source: chromecache_508.36.drString found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_medium.css
                Source: chromecache_508.36.drString found in binary or memory: https://www.gstatic.com/images/icons/material/anim/mspin/mspin_googcolor_small.css
                Source: unknown | Network traffic detected: HTTP traffic on port 443, local port -> 443 (25 entries, collapsed): 49675, 49676, 49677, 49678, 49680, 49691, 49711, 49714, 49715, 49716, 49719, 49720, 49725, 49727, 49728, 49730, 49736, 49740, 49741, 49742, 49743, 49748, 49751, 49752, 49761
                Source: unknown | Network traffic detected: HTTP traffic on port 443, 443 -> local port (20 entries, collapsed): 49691, 49711, 49714, 49715, 49716, 49719, 49720, 49725, 49727, 49728, 49730, 49736, 49740, 49741, 49742, 49743, 49748, 49751, 49752, 49761
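The S3 URLs above are the second-stage fetches made by the JAR; the first stage is the HTML itself, which the report flags for carrying base64-encoded files and which Chrome materialises as MT103 Kotak.zip with a single .js entry (see the System Summary). The triage helper below is an added example and not part of the Joe Sandbox report: it carves base64 runs out of an HTML lure, keeps the ones that decode to a ZIP, and flags entries whose extension Windows Script Host or the JVM will execute on a double click. The lure HTML it scans is constructed inline; the entry name mirrors the report, the script body is a harmless stub, and the extension list and the 64-character minimum run length are my own choices.

```python
"""Carve base64-smuggled ZIPs out of an HTML lure and flag script entries.

Added example for triaging HTML smuggling samples like the one in this report;
it is not Joe Sandbox code. The sample HTML is constructed below.
"""
import base64
import io
import re
import zipfile

ZIP_MAGIC = b"PK\x03\x04"
# Extensions that execute on a double click on a default Windows install (assumed list).
SCRIPT_EXTS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh", ".hta", ".jar", ".bat", ".cmd", ".ps1"}
# Candidate base64 runs: standard or URL-safe alphabet, at least 64 chars, optional padding.
B64_RUN = re.compile(rb"[A-Za-z0-9+/_-]{64,}={0,2}")


def carve_zip_blobs(html: bytes) -> list[bytes]:
    """Return every base64 run in `html` that decodes to data starting with the ZIP magic."""
    blobs = []
    for m in B64_RUN.finditer(html):
        run = m.group(0).replace(b"-", b"+").replace(b"_", b"/")
        run += b"=" * (-len(run) % 4)  # restore padding the page may have stripped
        try:
            data = base64.b64decode(run, validate=True)
        except ValueError:
            continue  # minified JS and similar long runs are not valid base64
        if data.startswith(ZIP_MAGIC):
            blobs.append(data)
    return blobs


def list_entries(zip_bytes: bytes) -> list[dict]:
    """List archive entries and mark those with a script or JAR extension."""
    entries = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
            entries.append({
                "name": name,
                "size": info.file_size,
                "suspicious": not name.endswith("/") and ext in SCRIPT_EXTS,
            })
    return entries


def triage_html(html: bytes) -> list[dict]:
    """One result per smuggled ZIP: its size, all entries, and the flagged names."""
    results = []
    for blob in carve_zip_blobs(html):
        entries = list_entries(blob)
        results.append({
            "zip_size": len(blob),
            "entries": entries,
            "suspicious": [e["name"] for e in entries if e["suspicious"]],
        })
    return results


def build_sample_html() -> bytes:
    """Constructed lure: an SVG onload handler that saves a base64 ZIP as MT103 Kotak.zip."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        # Entry name taken from the report; the body is a harmless stub, not the real dropper.
        zf.writestr("Swift Transactions/Swift Transaction Report.js",
                    "WScript.Echo('constructed sample, not the real dropper');")
        zf.writestr("Swift Transactions/readme.txt", "decoy")
    b64 = base64.b64encode(buf.getvalue()).decode()
    return f"""<html><body><svg onload="drop()"></svg>
<script>
var payload = "{b64}";
function drop(){{ var a = document.createElement('a');
  a.href = 'data:application/zip;base64,' + payload; a.download = 'MT103 Kotak.zip'; a.click(); }}
</script></body></html>""".encode()


if __name__ == "__main__":
    for r in triage_html(build_sample_html()):
        print(f"ZIP of {r['zip_size']} bytes, flagged entries: {r['suspicious']}")
```

Run it against a real sample with `triage_html(open(path, "rb").read())`; anything flagged is worth pulling into a script-host sandbox, and a ZIP whose only non-decoy entry is a .js file is the same shape as the archive in this report.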

                System Summary

                barindex
                Source: C:\Users\user\AppData\Local\Chromium\Application\chrome.exe | File dump: C:\Users\user\Downloads\MT103 Kotak.zip (copy)
                Source: cd8ee6f2-3178-4d1c-9623-69a5ab576543.tmp.1.dr | Zip Entry: Swift Transactions/Swift Transaction Report.js
                Source: f0282196-0de5-48d9-9c78-8c926256e775.tmp.35.dr | Zip Entry: Swift Transactions/Swift Transaction Report.js
                Source: C:\Windows\System32\wscript.exe | COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
                Source: classification engine | Classification label: mal92.phis.troj.expl.evad.winHTML@92/37@22/16
                Source: C:\Users\user\AppData\Local\Chromium\Application\chrome.exe | File created: C:\Users\user\Downloads\cd8ee6f2-3178-4d1c-9623-69a5ab576543.tmp
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6800:120:WilError_03
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Mutant created: NULL
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4996:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7740:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4144:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7144:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:400:120:WilError_03
                Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7612:120:WilError_03
                Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Local\Temp\Swift Confirmation Copy.jar
                Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor
                Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
                Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
                Source: C:\Windows\SysWOW64\tasklist.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
                Source: C:\Windows\System32\wscript.exe | File read: C:\Program Files (x86)\desktop.ini
                Source: C:\Windows\System32\rundll32.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                Source: unknown | Process created: C:\Users\user\AppData\Local\Chromium\Application\chrome.exe "C:\Users\user\AppData\Local\Chromium\Application\chrome.exe" --start-maximized --single-argument C:\Users\user\Desktop\Rtgs-RUATT6761105.html
                Source: C:\Users\user\AppData\Local\Chromium\Application\chrome.exe | Process created: C:\Users\user\AppData\Local\Chromium\Application\chrome.exe "C:\Users\user\AppData\Local\Chromium\Application\chrome.exe" --no-sandbox --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --start-stack-profiler --mojo-platform-channel-handle=2020 --field-trial-handle=1972,i,17022466536324501101,2113891797188819685,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Users\user\AppData\Local\Chromium\Application\chrome.exe | Process created: C:\Users\user\AppData\Local\Chromium\Application\chrome.exe "C:\Users\user\AppData\Local\Chromium\Application\chrome.exe" --no-sandbox --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-GB --service-sandbox-type=file_util --mojo-platform-channel-handle=4796 --field-trial-handle=1972,i,17022466536324501101,2113891797188819685,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: unknown | Process created: C:\Windows\System32\rundll32.exe C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
                Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Temp1_MT103 Kotak.zip\Swift Transactions\Swift Transaction Report.js"
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe" -version
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
                Source: C:\Windows\SysWOW64\icacls.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe" -jar "C:\Users\user\AppData\Local\Temp\Swift Confirmation Copy.jar"
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist.exe
                Source: C:\Windows\SysWOW64\tasklist.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Temp1_MT103 Kotak.zip\Swift Transactions\Swift Transaction Report.js"
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe" -version
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe" -jar "C:\Users\user\AppData\Local\Temp\Swift Confirmation Copy.jar"
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist.exe
                Source: C:\Windows\SysWOW64\tasklist.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe"
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2016 --field-trial-handle=1764,i,15393456971451966166,14348329729809103929,262144 /prefetch:8
                Source: unknown | Process created: C:\Windows\System32\wscript.exe "C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Temp1_MT103 Kotak.zip\Swift Transactions\Swift Transaction Report.js"
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe" -version
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe" -jar "C:\Users\user\AppData\Local\Temp\Swift Confirmation Copy.jar"
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist.exe
                Source: C:\Windows\SysWOW64\tasklist.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: unknown | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe"
                Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Local\Chromium\Application\chrome.exe | Process created: unknown unknown (2 entries, child command line not captured)
                Source: C:\Users\user\AppData\Local\Chromium\Application\chrome.exe | Process created: C:\Users\user\AppData\Local\Chromium\Application\chrome.exe "C:\Users\user\AppData\Local\Chromium\Application\chrome.exe" --no-sandbox --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-GB --service-sandbox-type=none --start-stack-profiler --mojo-platform-channel-handle=2020 --field-trial-handle=1972,i,17022466536324501101,2113891797188819685,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Users\user\AppData\Local\Chromium\Application\chrome.exe | Process created: unknown unknown (5 entries, child command line not captured)
                Source: C:\Users\user\AppData\Local\Chromium\Application\chrome.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Users\user\AppData\Local\Chromium\Application\chrome.exe | Process created: unknown unknown (7 entries, child command line not captured)
                Source: C:\Users\user\AppData\Local\Chromium\Application\chrome.exe | Process created: C:\Users\user\AppData\Local\Chromium\Application\chrome.exe "C:\Users\user\AppData\Local\Chromium\Application\chrome.exe" --no-sandbox --type=utility --utility-sub-type=chrome.mojom.FileUtilService --lang=en-GB --service-sandbox-type=file_util --mojo-platform-channel-handle=4796 --field-trial-handle=1972,i,17022466536324501101,2113891797188819685,262144 --disable-features=OptimizationGuideModelDownloading,OptimizationHints,OptimizationHintsFetching,OptimizationTargetPrediction /prefetch:8
                Source: C:\Users\user\AppData\Local\Chromium\Application\chrome.exe | Process created: unknown unknown (7 entries, child command line not captured)
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe" -version
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe" -jar "C:\Users\user\AppData\Local\Temp\Swift Confirmation Copy.jar"
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist.exe
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe" -version
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe" -jar "C:\Users\user\AppData\Local\Temp\Swift Confirmation Copy.jar"
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist.exe
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown (2 entries, child command line not captured)
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2016 --field-trial-handle=1764,i,15393456971451966166,14348329729809103929,262144 /prefetch:8
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown (3 entries, child command line not captured)
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Windows\System32\cmd.exe "C:\Windows\system32\cmd.exe"
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown (22 entries, child command line not captured)
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe" -version
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe" -jar "C:\Users\user\AppData\Local\Temp\Swift Confirmation Copy.jar"
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist.exe
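The process-creation rows above are the whole chain: Explorer's ZIP view runs Swift Transaction Report.js under wscript.exe from %TEMP%\Temp1_MT103 Kotak.zip\, the script probes java -version, launches javaw -jar on a JAR it wrote to %TEMP%, and the JAR spawns tasklist.exe. The rules below are an added example, not Joe Sandbox output: the event fields follow Sysmon Event ID 1 naming, and the rule names, pids and the two benign control events are assumptions. Each stage is evaluated on its own, and a chain alert is raised only when the three stages link up through parent pids, which is the signal worth paging on.

```python
"""Detection rules for the WScript -> Java -> tasklist chain in this report.

Added example, not Joe Sandbox code. Events are shaped like Sysmon Event ID 1
(Image, CommandLine, ParentImage, ProcessId, ParentProcessId); the sample
events are constructed, with command lines copied from the report.
"""
import re
from dataclasses import dataclass


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str
    cmdline: str
    parent_image: str


SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
JAVA_LAUNCHERS = ("java.exe", "javaw.exe")
# Explorer extracts a double-clicked ZIP member to %TEMP%\Temp1_<archive>.zip\, so a
# script host running from there means a user opened a script straight out of a ZIP.
ZIP_VIEW_TEMP = re.compile(r"\\AppData\\Local\\Temp\\Temp1_[^\\]+\.zip\\", re.IGNORECASE)
# -jar pointing at a JAR that lives directly under %TEMP%.
TEMP_JAR = re.compile(r"-jar\s+\"?[^\"]*\\AppData\\Local\\Temp\\[^\"]+\.jar", re.IGNORECASE)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rule_script_from_zip_view(ev: ProcEvent) -> bool:
    """wscript/cscript launched with a script path inside an Explorer ZIP view folder."""
    return basename(ev.image) in SCRIPT_HOSTS and bool(ZIP_VIEW_TEMP.search(ev.cmdline))


def rule_script_host_runs_temp_jar(ev: ProcEvent) -> bool:
    """A script host starts java/javaw with -jar on a JAR under %TEMP%."""
    return (basename(ev.image) in JAVA_LAUNCHERS
            and basename(ev.parent_image) in SCRIPT_HOSTS
            and bool(TEMP_JAR.search(ev.cmdline)))


def rule_java_spawns_tasklist(ev: ProcEvent) -> bool:
    """java/javaw spawning tasklist.exe: process discovery from inside a JAR."""
    return basename(ev.image) == "tasklist.exe" and basename(ev.parent_image) in JAVA_LAUNCHERS


RULES = {
    "wsh_script_from_explorer_zip_view": rule_script_from_zip_view,
    "script_host_launches_temp_jar": rule_script_host_runs_temp_jar,
    "java_spawns_tasklist": rule_java_spawns_tasklist,
}


def evaluate(events: list[ProcEvent]) -> list[tuple[str, int]]:
    """(rule_name, pid) per match, plus a chain alert on the script host pid when
    tasklist <- javaw <- wscript(Temp1_*.zip) link up through ParentProcessId."""
    by_pid = {e.pid: e for e in events}
    alerts = [(name, ev.pid) for ev in events for name, rule in RULES.items() if rule(ev)]
    for ev in events:
        if not rule_java_spawns_tasklist(ev):
            continue
        java = by_pid.get(ev.ppid)
        wsh = by_pid.get(java.ppid) if java and rule_script_host_runs_temp_jar(java) else None
        if wsh and rule_script_from_zip_view(wsh):
            alerts.append(("chain_zip_view_script_to_java_discovery", wsh.pid))
    return alerts


def sample_events() -> list[ProcEvent]:
    """Constructed events: pids are invented, command lines follow the report."""
    wsh = r"C:\Windows\System32\wscript.exe"
    jpath = r"C:\Program Files (x86)\Common Files\Oracle\Java\javapath"
    return [
        ProcEvent(5000, 3000, wsh,
                  r'"C:\Windows\System32\WScript.exe" "C:\Users\user\AppData\Local\Temp\Temp1_MT103 Kotak.zip\Swift Transactions\Swift Transaction Report.js"',
                  r"C:\Windows\explorer.exe"),
        ProcEvent(5100, 5000, jpath + r"\java.exe", f'"{jpath}\\java.exe" -version', wsh),
        ProcEvent(5200, 5000, jpath + r"\javaw.exe",
                  f'"{jpath}\\javaw.exe" -jar "C:\\Users\\user\\AppData\\Local\\Temp\\Swift Confirmation Copy.jar"', wsh),
        ProcEvent(5300, 5200, r"C:\Windows\SysWOW64\tasklist.exe", "tasklist.exe", jpath + r"\javaw.exe"),
        # Benign controls: a logon script and a desktop Java app, both started from Explorer.
        ProcEvent(7000, 3000, wsh, r'"C:\Windows\System32\WScript.exe" "C:\Scripts\logon.vbs"', r"C:\Windows\explorer.exe"),
        ProcEvent(7100, 3000, r"C:\Program Files\Java\jre\bin\javaw.exe",
                  r'"C:\Program Files\Java\jre\bin\javaw.exe" -jar "C:\Program Files\App\app.jar"', r"C:\Windows\explorer.exe"),
    ]


if __name__ == "__main__":
    for name, pid in evaluate(sample_events()):
        print(f"{name}: pid {pid}")
```

The java -version probe from wscript.exe is deliberately not a rule of its own: it is how the script checks for a JRE before committing, but the JAR launch and the tasklist child are the higher-fidelity signals, and the Temp1_ path pins the origin to a user opening a script inside a ZIP in Explorer rather than to a scheduled or logon script.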
                Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll, kernel.appcore.dll, uxtheme.dll, sxs.dll, jscript.dll, iertutil.dll, amsi.dll, userenv.dll, profapi.dll, wldp.dll, msasn1.dll, cryptsp.dll, rsaenh.dll, cryptbase.dll, msisip.dll, wshext.dll, scrobj.dll, mpr.dll, scrrun.dll, windows.storage.dll, propsys.dll, edputil.dll, urlmon.dll, srvcli.dll, netutils.dll, windows.staterepositoryps.dll, sspicli.dll, wintypes.dll, appresolver.dll, bcp47langs.dll, slc.dll, sppc.dll, onecorecommonproxystub.dll, onecoreuapcommonproxystub.dll, apphelp.dll, msxml3.dll, msdart.dll
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Section loaded: apphelp.dll, wsock32.dll, winmm.dll, version.dll, kernel.appcore.dll, windows.storage.dll, wldp.dll, profapi.dll
                Source: C:\Windows\SysWOW64\icacls.exe | Section loaded: ntmarta.dll
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Section loaded: wsock32.dll, winmm.dll, version.dll, kernel.appcore.dll, windows.storage.dll, wldp.dll, profapi.dll, mswsock.dll, iphlpapi.dll, dhcpcsvc6.dll, dhcpcsvc.dll, dnsapi.dll, cryptsp.dll, rsaenh.dll, userenv.dll, dpapi.dll, cryptbase.dll, rasadhlp.dll, fwpuclnt.dll, ncrypt.dll, ntasn1.dll
                Source: C:\Windows\SysWOW64\tasklist.exe | Section loaded: version.dll, mpr.dll, framedynos.dll, dbghelp.dll, sspicli.dll, srvcli.dll, netutils.dll, sspicli.dll, kernel.appcore.dll, wbemcomn.dll, winsta.dll, amsi.dll, userenv.dll, profapi.dll
                Source: C:\Windows\System32\wscript.exe | Section loaded: version.dll, kernel.appcore.dll, uxtheme.dll, sxs.dll, jscript.dll, iertutil.dll, amsi.dll, userenv.dll, profapi.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: slc.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: apphelp.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: msxml3.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: msdart.dll
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeSection loaded: apphelp.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeSection loaded: wsock32.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeSection loaded: winmm.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeSection loaded: version.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exeSection loaded: wsock32.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exeSection loaded: winmm.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exeSection loaded: version.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exeSection loaded: windows.storage.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exeSection loaded: wldp.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exeSection loaded: mswsock.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exeSection loaded: iphlpapi.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exeSection loaded: dhcpcsvc6.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exeSection loaded: dhcpcsvc.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exeSection loaded: dnsapi.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exeSection loaded: cryptsp.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exeSection loaded: rsaenh.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exeSection loaded: cryptbase.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exeSection loaded: rasadhlp.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exeSection loaded: fwpuclnt.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exeSection loaded: ncrypt.dllJump to behavior
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exeSection loaded: ntasn1.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dllJump to behavior
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dllJump to behavior
                Source: C:\Windows\System32\wscript.exeSection loaded: version.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: uxtheme.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: sxs.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: jscript.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: iertutil.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: amsi.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: userenv.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: profapi.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: wldp.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: msasn1.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: cryptsp.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: rsaenh.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: cryptbase.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: msisip.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: wshext.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: scrobj.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: mpr.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: scrrun.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: windows.storage.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: propsys.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: edputil.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: urlmon.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: srvcli.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: netutils.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: windows.staterepositoryps.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: sspicli.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: wintypes.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: appresolver.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: bcp47langs.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: slc.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: sppc.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: onecorecommonproxystub.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: onecoreuapcommonproxystub.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: apphelp.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: msxml3.dll
                Source: C:\Windows\System32\wscript.exeSection loaded: msdart.dll
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeSection loaded: apphelp.dll
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeSection loaded: wsock32.dll
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeSection loaded: winmm.dll
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeSection loaded: version.dll
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeSection loaded: kernel.appcore.dll
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeSection loaded: windows.storage.dll
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeSection loaded: wldp.dll
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeSection loaded: profapi.dll
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exeSection loaded: wsock32.dll
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exeSection loaded: winmm.dll
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exeSection loaded: version.dll
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exeSection loaded: kernel.appcore.dll
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exeSection loaded: windows.storage.dll
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exeSection loaded: wldp.dll
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exeSection loaded: profapi.dll
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exeSection loaded: mswsock.dll
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exeSection loaded: iphlpapi.dll
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exeSection loaded: dhcpcsvc6.dll
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exeSection loaded: dhcpcsvc.dll
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exeSection loaded: dnsapi.dll
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exeSection loaded: cryptsp.dll
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exeSection loaded: rsaenh.dll
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exeSection loaded: userenv.dll
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exeSection loaded: cryptbase.dll
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exeSection loaded: rasadhlp.dll
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exeSection loaded: fwpuclnt.dll
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exeSection loaded: ncrypt.dll
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exeSection loaded: ntasn1.dll
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: version.dll
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: mpr.dll
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: framedynos.dll
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: dbghelp.dll
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: srvcli.dll
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: netutils.dll
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: sspicli.dll
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: kernel.appcore.dll
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: wbemcomn.dll
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: winsta.dll
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: amsi.dll
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: userenv.dll
                Source: C:\Windows\SysWOW64\tasklist.exeSection loaded: profapi.dll
                Source: C:\Windows\System32\cmd.exeSection loaded: winbrand.dll
                Source: C:\Windows\System32\cmd.exeSection loaded: wldp.dll
                Source: C:\Windows\System32\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32Jump to behavior
                Source: Google Drive.lnk.35.drLNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
                Source: YouTube.lnk.35.drLNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
                Source: Sheets.lnk.35.drLNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
                Source: Gmail.lnk.35.drLNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
                Source: Slides.lnk.35.drLNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
                Source: Docs.lnk.35.drLNK file: ..\..\..\..\..\..\..\..\..\Program Files\Google\Chrome\Application\chrome_proxy.exe
                Source: Window RecorderWindow detected: More than 3 window changes detected

                Data Obfuscation

                Source: Yara match | File source: 00000026.00000003.2382483966.000001BB6D3DE000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000010.00000003.1780866431.00000251BFA5C000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000015.00000002.1770490112.0000000014EAA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000029.00000003.2277629379.0000000000F26000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000010.00000002.1794993771.00000251BFA67000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001D.00000002.2121791987.000001BF4D5BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000020.00000002.2082450271.0000000014EC0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000029.00000002.2351733735.00000000150BC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000020.00000003.2024119139.0000000000B15000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000015.00000003.1733197910.0000000000B96000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 0000001D.00000003.2101588988.000001BF4D5B0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000026.00000002.2409749497.000001BB6D3F6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: 00000010.00000002.1796180904.00000251C00D0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                Source: Yara match | File source: Process Memory Space: wscript.exe PID: 7516, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: javaw.exe PID: 1324, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: wscript.exe PID: 344, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: javaw.exe PID: 7728, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: wscript.exe PID: 5336, type: MEMORYSTR
                Source: Yara match | File source: Process Memory Space: javaw.exe PID: 4728, type: MEMORYSTR
                Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Swift Confirmation Copy.jar, type: DROPPED
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Code function: 17_2_0258A21B push ecx; ret | 17_2_0258A225
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Code function: 17_2_0258A20A push ecx; ret | 17_2_0258A21A
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Code function: 17_2_0258BB67 push 00000000h; mov dword ptr [esp], esp | 17_2_0258BB8D
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Code function: 17_2_0258B3B7 push 00000000h; mov dword ptr [esp], esp | 17_2_0258B3DD
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Code function: 17_2_0258B947 push 00000000h; mov dword ptr [esp], esp | 17_2_0258B96D
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Code function: 17_2_0258C477 push 00000000h; mov dword ptr [esp], esp | 17_2_0258C49D
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Code function: 21_2_0266D691 push cs; retf | 21_2_0266D6B1
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Code function: 21_2_0266B331 push ecx; retn 0022h | 21_2_0266B3E6
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Code function: 21_2_0266B077 push es; iretd | 21_2_0266B07E
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Code function: 21_2_0268DD3E push cs; iretd | 21_2_0268DD6C
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Code function: 21_2_025CD8F7 push 00000000h; mov dword ptr [esp], esp | 21_2_025CD921
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Code function: 21_2_025CA21B push ecx; ret | 21_2_025CA225
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Code function: 21_2_025CA20A push ecx; ret | 21_2_025CA21A
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Code function: 21_2_025CBAF4 push 00000000h; mov dword ptr [esp], esp | 21_2_025CBB8D
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Code function: 21_2_025CB2BF push 00000000h; mov dword ptr [esp], esp | 21_2_025CB3DD
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Code function: 21_2_025CBB67 push 00000000h; mov dword ptr [esp], esp | 21_2_025CBB8D
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Code function: 21_2_025CB3B7 push 00000000h; mov dword ptr [esp], esp | 21_2_025CB3DD
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Code function: 21_2_025CC0D5 push 00000000h; mov dword ptr [esp], esp | 21_2_025CC49D
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Code function: 21_2_025CB8D1 push 00000000h; mov dword ptr [esp], esp | 21_2_025CB96D
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Code function: 21_2_025CD8D1 push 00000000h; mov dword ptr [esp], esp | 21_2_025CD921
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Code function: 21_2_025CB947 push 00000000h; mov dword ptr [esp], esp | 21_2_025CB96D
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Code function: 21_2_025CC477 push 00000000h; mov dword ptr [esp], esp | 21_2_025CC49D
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Code function: 30_2_024DA20A push ecx; ret | 30_2_024DA21A
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Code function: 30_2_024DA21B push ecx; ret | 30_2_024DA225
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Code function: 30_2_024DBAF4 push 00000000h; mov dword ptr [esp], esp | 30_2_024DBB8D
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Code function: 30_2_024DB2BF push 00000000h; mov dword ptr [esp], esp | 30_2_024DB3DD
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Code function: 30_2_024DBB67 push 00000000h; mov dword ptr [esp], esp | 30_2_024DBB8D
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Code function: 30_2_024DB3B7 push 00000000h; mov dword ptr [esp], esp | 30_2_024DB3DD
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Code function: 30_2_024DC0D5 push 00000000h; mov dword ptr [esp], esp | 30_2_024DC49D
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Code function: 30_2_024DB8D1 push 00000000h; mov dword ptr [esp], esp | 30_2_024DB96D
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Code function: 30_2_024DB947 push 00000000h; mov dword ptr [esp], esp | 30_2_024DB96D
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Google Drive.lnk
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\YouTube.lnk
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Sheets.lnk
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Gmail.lnk
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Slides.lnk
                Source: C:\Program Files\Google\Chrome\Application\chrome.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Chrome Apps\Docs.lnk
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M (granting Everyone modify on the .oracle_jre_usage directory is the Oracle JRE usage tracker's own start-up behaviour and occurs on any Java launch; it is a side effect of the JVM starting, not an action of the dropped JAR, so do not treat the icacls call by itself as attacker tampering)
                Source: C:\Windows\System32\rundll32.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\tasklist.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\tasklist.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
                Source: C:\Windows\SysWOW64\tasklist.exe | Process information set: NOOPENFILEERRORBOX

                Malware Analysis System Evasion

                Source: javaw.exe, 00000015.00000002.1762475761.0000000009E4F000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009E52000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.000000000A04F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AUTORUNSC.EXE8
                Source: javaw.exe, 00000015.00000002.1762475761.0000000009E4F000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009E52000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.000000000A04F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: AUTORUNS.EXE8
                Source: javaw.exe, 00000015.00000002.1762475761.0000000009E4F000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009E52000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.000000000A04F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: WIRESHARK.EXE8
                Source: javaw.exe, 00000015.00000002.1762475761.0000000009E4F000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009E52000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.000000000A04F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: OLLYDBG.EXE8
                Source: javaw.exe, 00000015.00000002.1762475761.0000000009E4F000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009E52000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.000000000A04F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: PROCMON.EXE8
                Source: javaw.exe, 00000015.00000002.1762475761.0000000009E4F000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009E52000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.000000000A04F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: FILEMON.EXE8
                Source: javaw.exe, 00000015.00000002.1762475761.0000000009E4F000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009E52000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.000000000A04F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: FIDDLER.EXE8
                Source: javaw.exe, 00000015.00000002.1762475761.0000000009E4F000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009E52000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.000000000A04F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: REGMON.EXE8
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Code function: 21_2_0266B4C4 sldt word ptr [eax] 21_2_0266B4C4
                Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
                Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
                Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
                Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Family,VirtualizationFirmwareEnabled FROM Win32_Processor
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
                Source: java.exe, 00000011.00000003.1724051080.0000000014B57000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: com/sun/corba/se/impl/util/SUNVMCID.classPK
                Source: java.exe, 00000011.00000003.1724051080.0000000014B57000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: &com/sun/corba/se/impl/util/SUNVMCID.classPK
                Source: java.exe, 00000011.00000002.1727456764.0000000000AC4000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000015.00000002.1755701029.0000000000B57000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2045220076.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000027.00000002.2264118428.0000000000B14000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2301133822.0000000000EE7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [Ljava/lang/VirtualMachineError;
                Source: java.exe, 00000011.00000003.1724051080.0000000014B57000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: org/omg/CORBA/OMGVMCID.classPK
                Source: java.exe, 00000011.00000002.1727456764.0000000000AC4000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000015.00000002.1755701029.0000000000B57000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2045220076.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000027.00000002.2264118428.0000000000B14000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2301133822.0000000000EE7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: cjava/lang/VirtualMachineError
                Source: javaw.exe, 00000029.00000002.2324389507.000000000A04F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vmware.exe8
                Source: java.exe, 00000011.00000003.1724051080.0000000014B57000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: java/lang/VirtualMachineError.classPK
                Source: javaw.exe, 00000015.00000002.1762475761.0000000009E4F000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2059555332.0000000009E52000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2324389507.000000000A04F000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: vboxtray.exe8
                Source: java.exe, 00000011.00000002.1727456764.0000000000A9B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000015.00000002.1755701029.0000000000B57000.00000004.00000020.00020000.00000000.sdmp, java.exe, 0000001E.00000002.2014990078.00000000009DB000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000020.00000002.2045220076.0000000000AD8000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000027.00000002.2264118428.0000000000AEB000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000029.00000002.2301133822.0000000000EE7000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Memory protected: page read and write | page guard
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe" -version
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe" -jar "C:\Users\user\AppData\Local\Temp\Swift Confirmation Copy.jar"
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist.exe
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe" -version
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe" -jar "C:\Users\user\AppData\Local\Temp\Swift Confirmation Copy.jar"
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist.exe
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\java.exe" -version
                Source: C:\Windows\System32\wscript.exe | Process created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe "C:\Program Files (x86)\Common Files\Oracle\Java\javapath\javaw.exe" -jar "C:\Users\user\AppData\Local\Temp\Swift Confirmation Copy.jar"
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Process created: C:\Windows\SysWOW64\tasklist.exe tasklist.exe
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Code function: 17_2_025803C0 cpuid 17_2_025803C0
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\7596 VolumeInformation
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\rt.jar VolumeInformation
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jce.jar VolumeInformation
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\charsets.jar VolumeInformation
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jfr.jar VolumeInformation
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\meta-index VolumeInformation
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\1324 VolumeInformation
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jsse.jar VolumeInformation
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\charsets.jar VolumeInformation
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\meta-index VolumeInformation
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\4924 VolumeInformation
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\meta-index VolumeInformation
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\7728 VolumeInformation
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\charsets.jar VolumeInformation
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\meta-index VolumeInformation
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\7824 VolumeInformation
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\meta-index VolumeInformation
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\4728 VolumeInformation
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\rt.jar VolumeInformation
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\charsets.jar VolumeInformation
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jfr.jar VolumeInformation
                Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\javaw.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\meta-index VolumeInformation
                Source: C:\Windows\System32\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

                Stealing of Sensitive Information

                Source: Yara match | File source: Rtgs-RUATT6761105.html, type: SAMPLE

                Remote Access Functionality

                Source: Yara match | File source: Rtgs-RUATT6761105.html, type: SAMPLE
                MITRE ATT&CK Matrix (techniques listed per tactic; the number in parentheses is the count the matrix shows next to that technique):

                Reconnaissance: Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS; Network Trust Dependencies
                Resource Development: Scripting (1); Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services; Serverless
                Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
                Execution: Windows Management Instrumentation (11); Exploitation for Client Execution (1); At; Cron; Launchd; Scheduled Task; Systemd Timers; Container Orchestration Job
                Persistence: Scripting (1); Registry Run Keys / Startup Folder (1); Services File Permissions Weakness (1); DLL Side-Loading (1); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                Privilege Escalation: Process Injection (11); Registry Run Keys / Startup Folder (1); Services File Permissions Weakness (1); DLL Side-Loading (1); Network Logon Script; RC Scripts; Startup Items; Scheduled Task/Job
                Defense Evasion: Masquerading (1); Virtualization/Sandbox Evasion (2); Disable or Modify Tools (1); Process Injection (11); Obfuscated Files or Information (2); Services File Permissions Weakness (1); Rundll32 (1); DLL Side-Loading (1)
                Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
                Discovery: Security Software Discovery (111); Virtualization/Sandbox Evasion (2); File and Directory Discovery (1); System Information Discovery (23); Internet Connection Discovery; Wi-Fi Discovery; Remote System Discovery; System Owner/User Discovery
                Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Cloud Services
                Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
                Command and Control: Encrypted Channel (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (3); Application Layer Protocol (4); Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
                Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol
                Impact: Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery; Defacement
                Behavior Graph (ID: 1603683, Sample: Rtgs-RUATT6761105.html, Startdate: 31/01/2025, Architecture: WINDOWS, Score: 92)

                Sample: Rtgs-RUATT6761105.html
                  DNS: seasonmonster.s3.us-east-1.amazonaws.com; s3-r-w.us-east-1.amazonaws.com
                  Signatures: Yara detected SVG Dropper; Yara detected Branchlock Obfuscator; Exploit detected, runtime environment starts unknown processes; 5 other signatures
                  started: wscript.exe
                    dropped: C:\Users\user\...\Swift Confirmation Copy.jar, Zip
                    Signature: Windows Scripting host queries suspicious COM object (likely to drop second stage)
                    started: javaw.exe
                      Network: s3-r-w.us-east-1.amazonaws.com 52.216.43.218, 443, 49730 AMAZON-02US United States
                      Signature: Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
                      started: tasklist.exe
                        started: conhost.exe
                    started: java.exe
                      started: icacls.exe
                        started: conhost.exe
                      started: conhost.exe
                  started: chrome.exe
                    Network: 192.168.2.17, 137, 138, 443 unknown unknown; 239.255.255.250 unknown Reserved
                    dropped: C:\Users\user\...\MT103 Kotak.zip (copy), Zip
                    Signature: Downloads suspicious files via Chrome
                    started: chrome.exe
                      Network: play.google.com 142.250.185.174, 443, 49720, 49751 GOOGLEUS United States; 11 other IPs or domains
                    started: chrome.exe
                  started: wscript.exe
                    started: javaw.exe
                      Network: 54.231.224.98, 443, 49736 AMAZON-02US United States
                      started: tasklist.exe
                        started: conhost.exe
                    started: java.exe
                      started: conhost.exe
                  4 other processes
                    started: javaw.exe
                      Network: 52.217.197.50, 443, 49761 AMAZON-02US United States
                      started: tasklist.exe
                        started: conhost.exe
                    started: chrome.exe
                      Network: 142.250.185.100, 443, 49740, 49741 GOOGLEUS United States; 2 other IPs or domains
                    2 other processes
                      started: conhost.exe
