Edit tour

Windows Analysis Report
synapse.jar

Overview

General Information

Sample Name:	synapse.jar
Analysis ID:	1312510
MD5:	6c95bdb562b241228d2743c653e90773
SHA1:	3129c168f39111f57edf765e7b58bc9d72ec38d4
SHA256:	5286e612ca35302536507939d609b47dac54b42b6c76238ab2aee60ec6204a0c
Tags:	jarnstealer
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Exploit detected, runtime environment dropped PE file

Tries to harvest and steal browser information (history, passwords, etc)

May check the online IP address of the machine

Is looking for software installed on the system

Queries the volume information (name, serial number etc) of a device

Drops PE files

Uses cacls to modify the permissions of files

Sample execution stops while process was sleeping (likely an evasion)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

cmd.exe (PID: 6428 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\synapse.jar"" >> C:\cmdlinestart.log 2>&1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6436 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

java.exe (PID: 6472 cmdline: "C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\synapse.jar" MD5: 28733BA8C383E865338638DF5196E6FE)

icacls.exe (PID: 6532 cmdline: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M MD5: FF0D1D4317A44C951240FAE75075D501)

conhost.exe (PID: 6540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe

File created: C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]\InstalledSoftware.txt

Jump to behavior

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 104.18.114.97:443 -> 192.168.2.4:49703 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.4:49705 version: TLS 1.2

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	File opened: C:\Users\user\AppData\Local\Temp\jna-101308983\	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	File opened: C:\Users\user\AppData\Local\Temp\jna-101308983\jna5025487326021621048.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	File opened: C:\Users\user\	Jump to behavior

Networking

May check the online IP address of the machine

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	DNS query: name: ipv4.icanhazip.com
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	DNS query: name: ipv4.icanhazip.com
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	DNS query: name: myexternalip.com

Source: unknown	Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49703 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49703

Source: java.exe, 00000002.00000003.219334197.0000000017094000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225274188.0000000017094000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: +https://www.youtube.com/watch?v=dQw4w9WgXcQ equals www.youtube.com (Youtube)
Source: java.exe, 00000002.00000003.219334197.0000000016EA1000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219429172.0000000016F29000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225274188.0000000016F4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: -https://www.youtube.com/watch?v=dQw4w9WgXcQ equals www.youtube.com (Youtube)
Source: java.exe, 00000002.00000003.219334197.0000000016EA1000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219429172.0000000016F29000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225274188.0000000016F4A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: -https://www.youtube.com/watch?v=dQw4w9WgXcQ2 equals www.youtube.com (Youtube)

Source: java.exe, 00000002.00000002.224478561.000000000A9C5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bugreport.sun.com/bugreport/
Source: java.exe, 00000002.00000002.224478561.000000000A9D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.amazonaws.com/
Source: java.exe, 00000002.00000002.224478561.000000000AC24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html
Source: java.exe, 00000002.00000002.224478561.000000000AB88000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.224478561.000000000AC24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: java.exe, 00000002.00000002.224478561.000000000AC24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl
Source: java.exe, 00000002.00000002.224478561.000000000AB88000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.224478561.000000000AC24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: java.exe, 00000002.00000003.219822309.0000000016155000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219707818.0000000016094000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225060405.000000001615C000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodo.n8
Source: java.exe, 00000002.00000002.224478561.000000000AC24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl
Source: java.exe, 00000002.00000002.224478561.000000000AB88000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.224478561.000000000AC24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: java.exe, 00000002.00000002.224478561.000000000AB88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl
Source: java.exe, 00000002.00000002.224478561.000000000AB88000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: java.exe, 00000002.00000002.224478561.000000000AC24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: java.exe, 00000002.00000002.224478561.000000000AB88000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.224478561.000000000AC24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: java.exe, 00000002.00000002.224478561.000000000AC24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: java.exe, 00000002.00000002.224478561.000000000AB88000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.224478561.000000000AC24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: java.exe, 00000002.00000002.224478561.000000000A9D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ipecho.net/plain
Source: java.exe, 00000002.00000002.224478561.000000000A9D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://java.oracle.com/
Source: java.exe, 00000002.00000002.224478561.000000000A9D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://myexternalip.com/raw
Source: java.exe, 00000002.00000002.224478561.000000000AB88000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.225060405.000000001609B000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219707818.0000000016094000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219672206.00000000159DF000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.224963556.0000000015A41000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219757693.0000000015A3A000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://null.oracle.com/
Source: java.exe, 00000002.00000002.224478561.000000000AC24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://policy.camerfirma.com
Source: java.exe, 00000002.00000002.224478561.000000000AB88000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.224478561.000000000AC24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://policy.camerfirma.com0
Source: java.exe, 00000002.00000002.224478561.000000000AC24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/
Source: java.exe, 00000002.00000002.224478561.000000000AB88000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.224478561.000000000AC24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/0
Source: java.exe, 00000002.00000002.224478561.000000000AC86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl
Source: java.exe, 00000002.00000002.224478561.000000000AB88000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.224478561.000000000AC86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0
Source: java.exe, 00000002.00000002.224478561.000000000AC86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class2.crl
Source: java.exe, 00000002.00000002.224478561.000000000AB88000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.224478561.000000000AC86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: java.exe, 00000002.00000002.224478561.000000000AC24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class3P.crl
Source: java.exe, 00000002.00000002.224478561.000000000AB88000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.224478561.000000000AC24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
Source: java.exe, 00000002.00000002.224478561.000000000ADAF000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.224478561.000000000AC24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.chambersign.org
Source: java.exe, 00000002.00000002.224478561.000000000AB88000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.224478561.000000000AC24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.chambersign.org1
Source: java.exe, 00000002.00000002.224478561.000000000AC86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm
Source: java.exe, 00000002.00000002.224478561.000000000AB88000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.224478561.000000000AC24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: java.exe, 00000002.00000002.224478561.000000000AC24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps
Source: java.exe, 00000002.00000002.224478561.000000000AB88000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.224478561.000000000AC24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: java.exe, 00000002.00000003.219334197.0000000017094000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225274188.0000000017094000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.slf4j.org/
Source: java.exe, 00000002.00000003.219334197.0000000016EA1000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219334197.0000000017094000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219429172.0000000016F29000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225274188.0000000016F4A000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.224478561.000000000B481000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000003.219789112.0000000016F43000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225274188.0000000017094000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.slf4j.org/codes.html
Source: java.exe, 00000002.00000002.225274188.0000000017094000.00000004.00000020.00020000.00000000.sdmp, cmdlinestart.log.0.dr	String found in binary or memory: http://www.slf4j.org/codes.html#StaticLoggerBinder
Source: java.exe, 00000002.00000003.219334197.0000000016EA1000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219429172.0000000016F29000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225274188.0000000016F4A000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219789112.0000000016F43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.slf4j.org/codes.html#StaticLoggerBinderth
Source: java.exe, 00000002.00000002.225274188.0000000017094000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.slf4j.org/codes.html#loggerNameMismatch
Source: java.exe, 00000002.00000003.219334197.0000000016EA1000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219429172.0000000016F29000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225274188.0000000016F4A000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219789112.0000000016F43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.slf4j.org/codes.html#loggerNameMismatcho;
Source: java.exe, 00000002.00000002.225274188.0000000017094000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.slf4j.org/codes.html#multiple_bindings
Source: java.exe, 00000002.00000003.219334197.0000000016EA1000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219429172.0000000016F29000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225274188.0000000016F4A000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219789112.0000000016F43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.slf4j.org/codes.html#multiple_bindingsriableT
Source: java.exe, 00000002.00000002.225538179.0000000018348000.00000004.00000020.00020000.00000000.sdmp, cmdlinestart.log.0.dr	String found in binary or memory: http://www.slf4j.org/codes.html#no_static_mdc_binder
Source: java.exe, 00000002.00000003.219466967.0000000018070000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219625630.0000000018248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219582523.0000000018232000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225538179.0000000018257000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.slf4j.org/codes.html#no_static_mdc_binder;
Source: java.exe, 00000002.00000003.219466967.0000000018070000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219625630.0000000018248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219582523.0000000018232000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225538179.0000000018257000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.slf4j.org/codes.html#no_static_mdc_binder;pBo
Source: java.exe, 00000002.00000002.220498955.0000000005B41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.slf4j.org/codes.html#no_static_mdc_binderS
Source: java.exe, 00000002.00000002.225274188.0000000017094000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.slf4j.org/codes.html#null_LF
Source: java.exe, 00000002.00000002.225538179.0000000018348000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.slf4j.org/codes.html#null_MDCA
Source: java.exe, 00000002.00000003.219466967.0000000018070000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225511942.000000001807F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.slf4j.org/codes.html#null_MDCAnti
Source: java.exe, 00000002.00000002.225274188.0000000017094000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.slf4j.org/codes.html#replay
Source: java.exe, 00000002.00000003.219334197.0000000017094000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225274188.0000000017094000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.slf4j.org/codes.html#replay)=
Source: java.exe, 00000002.00000003.219334197.0000000017094000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225274188.0000000017094000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.slf4j.org/codes.html#replayWaq
Source: java.exe, 00000002.00000002.225274188.0000000017094000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.slf4j.org/codes.html#substituteLogger
Source: java.exe, 00000002.00000003.219334197.0000000017094000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225274188.0000000017094000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.slf4j.org/codes.html#substituteLoggerINDER_U
Source: java.exe, 00000002.00000002.225274188.0000000017094000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.slf4j.org/codes.html#unsuccessfulInit
Source: java.exe, 00000002.00000002.225274188.0000000017094000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.slf4j.org/codes.html#version_mismatch
Source: java.exe, 00000002.00000003.219334197.0000000017094000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225274188.0000000017094000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.slf4j.org/codes.html#version_mismatch-
Source: TempFile2591.2.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: java.exe, 00000002.00000002.224478561.000000000A9D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://akrien.wtf
Source: java.exe, 00000002.00000002.224478561.000000000A9D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: java.exe, 00000002.00000003.219466967.0000000018070000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219625630.0000000018248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219582523.0000000018232000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225538179.0000000018257000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.224478561.000000000B511000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/app-assets/710982414301790216/store/%s.%s
Source: java.exe, 00000002.00000003.219466967.0000000018070000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219783091.00000000181F4000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225532433.00000000181FB000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/app-assets/710982414301790216/store/%s.%sapi/
Source: java.exe, 00000002.00000003.219466967.0000000018070000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225511942.000000001807F000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.224478561.000000000B511000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/avatars/%s/%s.%s
Source: java.exe, 00000002.00000003.219466967.0000000018070000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225511942.000000001807F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/avatars/%s/%s.%sjda/aD
Source: java.exe, 00000002.00000003.219466967.0000000018070000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225511942.000000001807F000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219783091.00000000181F4000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225532433.00000000181FB000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.224478561.000000000B511000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/banners/%s/%s.%s
Source: java.exe, 00000002.00000003.219466967.0000000018070000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225511942.000000001807F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/banners/%s/%s.%sda/ap
Source: java.exe, 00000002.00000003.219466967.0000000018070000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225511942.000000001807F000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.224478561.000000000B511000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/embed/avatars/%s.png
Source: java.exe, 00000002.00000003.219466967.0000000018070000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225511942.000000001807F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/embed/avatars/%s.png;T
Source: java.exe, 00000002.00000003.219466967.0000000018070000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219625630.0000000018248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219582523.0000000018232000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225511942.000000001807F000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225538179.0000000018257000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.224478561.000000000B511000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/guild-events/%s/%s.%s
Source: java.exe, 00000002.00000003.219334197.0000000017094000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.224478561.000000000B481000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.225274188.0000000017094000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/guilds/%s/users/%s/avatars/%s.%s
Source: java.exe, 00000002.00000003.219334197.0000000016EA1000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219429172.0000000016F29000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225274188.0000000016F4A000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219789112.0000000016F43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/guilds/%s/users/%s/avatars/%s.%sngala
Source: java.exe, 00000002.00000003.219466967.0000000018070000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225511942.000000001807F000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219783091.00000000181F4000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225532433.00000000181FB000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.224478561.000000000B511000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/icons/%s/%s.%s
Source: java.exe, 00000002.00000003.219466967.0000000018070000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219783091.00000000181F4000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225532433.00000000181FB000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.224478561.000000000B511000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/splashes/%s/%s.png
Source: java.exe, 00000002.00000003.219466967.0000000018070000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225511942.000000001807F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/splashes/%s/%s.pnglan
Source: java.exe, 00000002.00000003.219466967.0000000018070000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225511942.000000001807F000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.224478561.000000000B511000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/stickers/%s.%s
Source: java.exe, 00000002.00000003.219466967.0000000018070000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225511942.000000001807F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/stickers/%s.%sclass
Source: java.exe, 00000002.00000003.219466967.0000000018070000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225511942.000000001807F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/stickers/%s.%sclass;
Source: java.exe, 00000002.00000003.219466967.0000000018070000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219783091.00000000181F4000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225532433.00000000181FB000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.224478561.000000000B511000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/team-icons/%s/%s.png
Source: java.exe, 00000002.00000003.219466967.0000000018070000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225511942.000000001807F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/team-icons/%s/%s.pngi
Source: TempFile2591.2.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: java.exe, 00000002.00000002.224478561.000000000B570000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000003.219466967.0000000018070000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219625630.0000000018248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219582523.0000000018232000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225538179.0000000018257000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v%d/
Source: java.exe, 00000002.00000002.220498955.0000000005B41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v%d/K
Source: java.exe, 00000002.00000002.225497058.0000000017FF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v%d/ass
Source: java.exe, 00000002.00000002.225497058.0000000017FF0000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v%d/ass_
Source: java.exe, 00000002.00000002.224478561.000000000B570000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.220498955.0000000005B4A000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v10/
Source: java.exe, 00000002.00000002.220498955.0000000005B4A000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.220498955.0000000005B41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v10/users/
Source: java.exe, 00000002.00000002.224478561.000000000A9D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/users/
Source: java.exe, 00000002.00000002.225511942.000000001807F000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.224478561.000000000B511000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/channels/%s/%s
Source: java.exe, 00000002.00000003.219466967.0000000018070000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219625630.0000000018248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219582523.0000000018232000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225538179.0000000018257000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.224478561.000000000B511000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/channels/%s/%s/%s
Source: java.exe, 00000002.00000003.219466967.0000000018070000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225511942.000000001807F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/channels/%s/%s/%ss
Source: java.exe, 00000002.00000003.219466967.0000000018070000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225511942.000000001807F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/oauth2/authorize?client_id=
Source: java.exe, 00000002.00000003.219466967.0000000018070000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225511942.000000001807F000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/oauth2/authorize?client_id=/q;F
Source: java.exe, 00000002.00000003.219466967.0000000018070000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219625630.0000000018248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219582523.0000000018232000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225511942.000000001807F000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219783091.00000000181F4000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225532433.00000000181FB000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225538179.0000000018257000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.gg/
Source: TempFile2591.2.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: java.exe, 00000002.00000003.216458260.0000000001580000.00000004.00000020.00020000.00000000.sdmp, TempFile2591.2.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: TempFile2591.2.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: java.exe, 00000002.00000002.220498955.0000000005B41000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/DV8FromTheWorld/JDA
Source: java.exe, 00000002.00000002.224478561.000000000A9D5000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.224478561.000000000AC86000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipv4.icanhazip.com/
Source: java.exe, 00000002.00000003.219466967.0000000018070000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219625630.0000000018248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219582523.0000000018232000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225538179.0000000018257000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jda.wiki/using-jda/gateway-intents-and-member-cache-policy/
Source: java.exe, 00000002.00000003.219466967.0000000018070000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219625630.0000000018248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219582523.0000000018232000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225538179.0000000018257000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jda.wiki/using-jda/troubleshooting/#cannot-get-message-content-attempting-to-access-message-
Source: java.exe, 00000002.00000003.219466967.0000000018070000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219625630.0000000018248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219582523.0000000018232000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219783091.00000000181F4000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225532433.00000000181FB000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225538179.0000000018257000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.224478561.000000000B511000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://jda.wiki/using-jda/troubleshooting/#im-getting-closecode4014-disallowed-intents
Source: java.exe, 00000002.00000002.224478561.000000000AC24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com
Source: java.exe, 00000002.00000002.224478561.000000000AB88000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.224478561.000000000AC24000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: java.exe, 00000002.00000003.216458260.0000000001580000.00000004.00000020.00020000.00000000.sdmp, TempFile2591.2.dr	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: java.exe, 00000002.00000003.216458260.0000000001580000.00000004.00000020.00020000.00000000.sdmp, TempFile2591.2.dr	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: java.exe, 00000002.00000003.216458260.0000000001580000.00000004.00000020.00020000.00000000.sdmp, TempFile2591.2.dr	String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: java.exe, 00000002.00000003.216458260.0000000001580000.00000004.00000020.00020000.00000000.sdmp, TempFile2591.2.dr	String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
Source: java.exe, 00000002.00000003.219466967.0000000018070000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219625630.0000000018248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219582523.0000000018232000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225538179.0000000018257000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support-dev.discord.com/hc/en-us/articles/4404772028055-Message-Content-Privileged-Intent-FA
Source: java.exe, 00000002.00000002.224478561.000000000A9D5000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.224478561.000000000B39D000.00000004.00000800.00020000.00000000.sdmp, UserInformation.txt.2.dr, Passwords.txt.2.dr, Google_[Chrome]_Default.txt0.2.dr	String found in binary or memory: https://t.me/nyooooom
Source: java.exe, 00000002.00000002.224478561.000000000A9D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/feed
Source: java.exe, 00000002.00000002.224478561.000000000A9D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/id
Source: java.exe, 00000002.00000002.224478561.000000000A9D5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://whatismyhostname.com/raw/ip/
Source: TempFile2591.2.dr	String found in binary or memory: https://www.google.com/favicon.ico
Source: java.exe, 00000002.00000003.219334197.0000000016EA1000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219334197.0000000017094000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219429172.0000000016F29000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225274188.0000000016F4A000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219789112.0000000016F43000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225274188.0000000017094000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/watch?v=dQw4w9WgXcQ
Source: java.exe, 00000002.00000003.219334197.0000000016EA1000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219429172.0000000016F29000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225274188.0000000016F4A000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219789112.0000000016F43000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/watch?v=dQw4w9WgXcQ2

Source: unknown

DNS traffic detected: queries for: ipv4.icanhazip.com

Source: global traffic

HTTP traffic detected: GET /raw HTTP/1.1User-Agent: Java/1.8.0_211Host: myexternalip.comAccept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2Connection: keep-alive

Source: unknown	HTTPS traffic detected: 104.18.114.97:443 -> 192.168.2.4:49703 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.4:49705 version: TLS 1.2

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\synapse.jar"" >> C:\cmdlinestart.log 2>&1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe "C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\synapse.jar"
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe "C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\synapse.jar"	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6540:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6436:120:WilError_01

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto

Jump to behavior

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe

File created: C:\Users\user\AppData\Local\Temp\hsperfdata_user

Jump to behavior

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe

Section loaded: C:\Program Files (x86)\Java\jre1.8.0_211\bin\client\jvm.dll

Jump to behavior

Source: classification engine

Classification label: mal52.troj.spyw.expl.winJAR@7/20@3/3

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: java.exe, 00000002.00000002.225645836.000000006C369000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: java.exe, 00000002.00000002.225384626.0000000017886000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: select * from logins;[
Source: java.exe, 00000002.00000002.225645836.000000006C369000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: java.exe, 00000002.00000002.225645836.000000006C369000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: java.exe, 00000002.00000002.225645836.000000006C369000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: java.exe, 00000002.00000002.225645836.000000006C369000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: java.exe, 00000002.00000002.225645836.000000006C369000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: java.exe, 00000002.00000002.225384626.0000000017886000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.224478561.000000000A9D5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: select * from logins;
Source: java.exe, 00000002.00000003.215453059.0000000001576000.00000004.00000020.00020000.00000000.sdmp, TempFile6953.2.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: java.exe, 00000002.00000002.225645836.000000006C369000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: java.exe, 00000002.00000002.224478561.000000000A9D5000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.220380536.00000000016A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: select * from autofill;
Source: java.exe, 00000002.00000002.224478561.000000000A9D5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: select * from cookies;

Source: synapse.jar

Static file information: File size 29321777 > 1048576

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Persistence and Installation Behavior

Exploit detected, runtime environment dropped PE file

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe

File created: jna5025487326021621048.dll.2.dr

Jump to dropped file

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	File created: C:\Users\user\AppData\Local\Temp\jna-101308983\jna5025487326021621048.dll			Jump to dropped file
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	File created: C:\Users\user\AppData\Local\Temp\sqlite-3.41.0.0-0b27bdb4-8039-42f2-829b-488fcd2f6819-sqlitejdbc.dll			Jump to dropped file

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe

File created: C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]\InstalledSoftware.txt

Jump to behavior

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe

Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe

Registry key enumerated: More than 150 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	File opened: C:\Users\user\AppData\Local\Temp\jna-101308983\	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	File opened: C:\Users\user\AppData\Local\Temp\jna-101308983\jna5025487326021621048.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	File opened: C:\Users\user\	Jump to behavior

Source: java.exe, 00000002.00000003.206545671.0000000015868000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: java.exe, 00000002.00000003.206545671.0000000015868000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: java.exe, 00000002.00000002.220418217.0000000003240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ,java/lang/VirtualMachineError
Source: java.exe, 00000002.00000002.220418217.0000000003240000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|[Ljava/lang/VirtualMachineError;
Source: java.exe, 00000002.00000003.206545671.0000000015868000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: org/omg/CORBA/OMGVMCID.classPK
Source: java.exe, 00000002.00000003.206545671.0000000015868000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: java/lang/VirtualMachineError.classPK
Source: java.exe, 00000002.00000002.220328221.00000000014EB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe

Memory protected: page read and write | page guard

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe "C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\synapse.jar"			Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M			Jump to behavior

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	1 Exploitation for Client Execution	1 Services File Permissions Weakness	11 Process Injection	1 Masquerading	1 OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Data from Local System	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	1 Services File Permissions Weakness	1 Disable or Modify Tools	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	11 Process Injection	Security Account Manager	1 Remote System Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	1 Services File Permissions Weakness	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	3 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	Software Packing	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	Steganography	Cached Domain Credentials	22 System Information Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
synapse.jar	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\jna-101308983\jna5025487326021621048.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\sqlite-3.41.0.0-0b27bdb4-8039-42f2-829b-488fcd2f6819-sqlitejdbc.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
https://discord.com/api/v10/	0%	Avira URL Cloud	safe
https://discord.com/api/v9/users/	0%	Avira URL Cloud	safe
https://support-dev.discord.com/hc/en-us/articles/4404772028055-Message-Content-Privileged-Intent-FA	0%	Avira URL Cloud	safe
https://jda.wiki/using-jda/troubleshooting/#im-getting-closecode4014-disallowed-intents	0%	Avira URL Cloud	safe
https://discord.com/oauth2/authorize?client_id=	0%	Avira URL Cloud	safe
https://whatismyhostname.com/raw/ip/	0%	Avira URL Cloud	safe
http://www.chambersign.org1	0%	Avira URL Cloud	safe
http://www.certplus.com/CRL/class2.crl0	0%	Avira URL Cloud	safe
http://crl.chambersign.org/chambersroot.crl0	0%	Avira URL Cloud	safe
http://policy.camerfirma.com0	0%	Avira URL Cloud	safe
https://ocsp.quovadisoffshore.com	0%	Avira URL Cloud	safe
http://www.certplus.com/CRL/class3P.crl0	0%	Avira URL Cloud	safe
http://www.certplus.com/CRL/class2.crl	0%	Avira URL Cloud	safe
https://akrien.wtf	0%	Avira URL Cloud	safe
https://discord.com/channels/%s/%s	0%	Avira URL Cloud	safe
https://discord.com/channels/%s/%s/%s	0%	Avira URL Cloud	safe
http://crl.xrampsecurity.com/XGCA.crl0	0%	Avira URL Cloud	safe
http://bugreport.sun.com/bugreport/	0%	Avira URL Cloud	safe
http://crl.securetrust.com/STCA.crl	0%	Avira URL Cloud	safe
http://cps.chambersign.org/cps/chambersroot.html	0%	Avira URL Cloud	safe
http://www.certplus.com/CRL/class3P.crl	0%	Avira URL Cloud	safe
http://ipecho.net/plain	0%	Avira URL Cloud	safe
https://discord.com/api/v%d/	0%	Avira URL Cloud	safe
http://www.quovadis.bm0	0%	Avira URL Cloud	safe
https://discord.com/channels/%s/%s/%ss	0%	Avira URL Cloud	safe
https://jda.wiki/using-jda/troubleshooting/#cannot-get-message-content-attempting-to-access-message-	0%	Avira URL Cloud	safe
https://discord.com/api/v%d/K	0%	Avira URL Cloud	safe
http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0	0%	Avira URL Cloud	safe
https://discord.gg/	0%	Avira URL Cloud	safe
http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl	0%	Avira URL Cloud	safe
https://ocsp.quovadisoffshore.com0	0%	Avira URL Cloud	safe
http://www.chambersign.org	0%	Avira URL Cloud	safe
http://cps.chambersign.org/cps/chambersroot.html0	0%	Avira URL Cloud	safe
http://crl.securetrust.com/STCA.crl0	0%	Avira URL Cloud	safe
http://crl.xrampsecurity.com/XGCA.crl	0%	Avira URL Cloud	safe
http://crl.comodo.n8	0%	Avira URL Cloud	safe
https://discord.com/api/v10/users/	0%	Avira URL Cloud	safe
https://jda.wiki/using-jda/gateway-intents-and-member-cache-policy/	0%	Avira URL Cloud	safe
https://discord.com/oauth2/authorize?client_id=/q;F	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
ipv4.icanhazip.com	104.18.114.97	true	false	high
myexternalip.com	34.160.111.145	true	false	high
discord.com	162.159.138.232	true	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://myexternalip.com/raw	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	java.exe, 00000002.00000003.216458260.0000000001580000.00000004.00000020.00020000.00000000.sdmp, TempFile2591.2.dr	false		high
https://cdn.discordapp.com/stickers/%s.%s	java.exe, 00000002.00000003.219466967.0000000018070000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225511942.000000001807F000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.224478561.000000000B511000.00000004.00000800.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	TempFile2591.2.dr	false		high
http://crl.chambersign.org/chambersroot.crl0	java.exe, 00000002.00000002.224478561.000000000AB88000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.224478561.000000000AC24000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.slf4j.org/codes.html#version_mismatch-	java.exe, 00000002.00000003.219334197.0000000017094000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225274188.0000000017094000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.chambersign.org1	java.exe, 00000002.00000002.224478561.000000000AB88000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.224478561.000000000AC24000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://repository.swisssign.com/0	java.exe, 00000002.00000002.224478561.000000000AB88000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.224478561.000000000AC24000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ocsp.quovadisoffshore.com	java.exe, 00000002.00000002.224478561.000000000AC24000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://jda.wiki/using-jda/troubleshooting/#im-getting-closecode4014-disallowed-intents	java.exe, 00000002.00000003.219466967.0000000018070000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219625630.0000000018248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219582523.0000000018232000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219783091.00000000181F4000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225532433.00000000181FB000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225538179.0000000018257000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.224478561.000000000B511000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.certplus.com/CRL/class3P.crl0	java.exe, 00000002.00000002.224478561.000000000AB88000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.224478561.000000000AC24000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.discordapp.com/stickers/%s.%sclass	java.exe, 00000002.00000003.219466967.0000000018070000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225511942.000000001807F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://support-dev.discord.com/hc/en-us/articles/4404772028055-Message-Content-Privileged-Intent-FA	java.exe, 00000002.00000003.219466967.0000000018070000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219625630.0000000018248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219582523.0000000018232000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225538179.0000000018257000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.certplus.com/CRL/class2.crl0	java.exe, 00000002.00000002.224478561.000000000AB88000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.224478561.000000000AC86000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.amazonaws.com/	java.exe, 00000002.00000002.224478561.000000000A9D5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.discordapp.com/guild-events/%s/%s.%s	java.exe, 00000002.00000003.219466967.0000000018070000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219625630.0000000018248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219582523.0000000018232000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225511942.000000001807F000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225538179.0000000018257000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.224478561.000000000B511000.00000004.00000800.00020000.00000000.sdmp	false		high
https://discord.com/api/v9/users/	java.exe, 00000002.00000002.224478561.000000000A9D5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.slf4j.org/codes.html#multiple_bindings	java.exe, 00000002.00000002.225274188.0000000017094000.00000004.00000020.00020000.00000000.sdmp	false		high
https://discord.com/api/v10/	java.exe, 00000002.00000002.224478561.000000000B570000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.220498955.0000000005B4A000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://discord.com/oauth2/authorize?client_id=	java.exe, 00000002.00000003.219466967.0000000018070000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225511942.000000001807F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.slf4j.org/codes.html#replay)=	java.exe, 00000002.00000003.219334197.0000000017094000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225274188.0000000017094000.00000004.00000020.00020000.00000000.sdmp	false		high
http://policy.camerfirma.com0	java.exe, 00000002.00000002.224478561.000000000AB88000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.224478561.000000000AC24000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://whatismyhostname.com/raw/ip/	java.exe, 00000002.00000002.224478561.000000000A9D5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.youtube.com/watch?v=dQw4w9WgXcQ2	java.exe, 00000002.00000003.219334197.0000000016EA1000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219429172.0000000016F29000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225274188.0000000016F4A000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219789112.0000000016F43000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.certplus.com/CRL/class2.crl	java.exe, 00000002.00000002.224478561.000000000AC86000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://akrien.wtf	java.exe, 00000002.00000002.224478561.000000000A9D5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://discord.com/channels/%s/%s	java.exe, 00000002.00000002.225511942.000000001807F000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.224478561.000000000B511000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://bugreport.sun.com/bugreport/	java.exe, 00000002.00000002.224478561.000000000A9C5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://java.oracle.com/	java.exe, 00000002.00000002.224478561.000000000A9D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://null.oracle.com/	java.exe, 00000002.00000002.224478561.000000000AB88000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.225060405.000000001609B000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219707818.0000000016094000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219672206.00000000159DF000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.224963556.0000000015A41000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219757693.0000000015A3A000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	TempFile2591.2.dr	false		high
http://www.slf4j.org/codes.html#replayWaq	java.exe, 00000002.00000003.219334197.0000000017094000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225274188.0000000017094000.00000004.00000020.00020000.00000000.sdmp	false		high
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=	java.exe, 00000002.00000003.216458260.0000000001580000.00000004.00000020.00020000.00000000.sdmp, TempFile2591.2.dr	false		high
http://cps.chambersign.org/cps/chambersroot.html	java.exe, 00000002.00000002.224478561.000000000AC24000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ipecho.net/plain	java.exe, 00000002.00000002.224478561.000000000A9D5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/favicon.ico	TempFile2591.2.dr	false		high
http://www.certplus.com/CRL/class3P.crl	java.exe, 00000002.00000002.224478561.000000000AC24000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.slf4j.org/codes.html#substituteLogger	java.exe, 00000002.00000002.225274188.0000000017094000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.slf4j.org/codes.html#multiple_bindingsriableT	java.exe, 00000002.00000003.219334197.0000000016EA1000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219429172.0000000016F29000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225274188.0000000016F4A000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219789112.0000000016F43000.00000004.00000020.00020000.00000000.sdmp	false		high
https://discord.com/channels/%s/%s/%s	java.exe, 00000002.00000003.219466967.0000000018070000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219625630.0000000018248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219582523.0000000018232000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225538179.0000000018257000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.224478561.000000000B511000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.securetrust.com/STCA.crl	java.exe, 00000002.00000002.224478561.000000000AC24000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.slf4j.org/codes.html#substituteLoggerINDER_U	java.exe, 00000002.00000003.219334197.0000000017094000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225274188.0000000017094000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.slf4j.org/codes.html#StaticLoggerBinder	java.exe, 00000002.00000002.225274188.0000000017094000.00000004.00000020.00020000.00000000.sdmp, cmdlinestart.log.0.dr	false		high
http://crl.xrampsecurity.com/XGCA.crl0	java.exe, 00000002.00000002.224478561.000000000AB88000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.224478561.000000000AC24000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.discordapp.com/team-icons/%s/%s.png	java.exe, 00000002.00000003.219466967.0000000018070000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219783091.00000000181F4000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225532433.00000000181FB000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.224478561.000000000B511000.00000004.00000800.00020000.00000000.sdmp	false		high
https://discord.com/api/v%d/	java.exe, 00000002.00000002.224478561.000000000B570000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000003.219466967.0000000018070000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219625630.0000000018248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219582523.0000000018232000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225538179.0000000018257000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.quovadis.bm0	java.exe, 00000002.00000002.224478561.000000000AB88000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.224478561.000000000AC24000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.discordapp.com/stickers/%s.%sclass;	java.exe, 00000002.00000003.219466967.0000000018070000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225511942.000000001807F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.slf4j.org/codes.html#no_static_mdc_binder;pBo	java.exe, 00000002.00000003.219466967.0000000018070000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219625630.0000000018248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219582523.0000000018232000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225538179.0000000018257000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ipv4.icanhazip.com/	java.exe, 00000002.00000002.224478561.000000000A9D5000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.224478561.000000000AC86000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.slf4j.org/codes.html#loggerNameMismatcho;	java.exe, 00000002.00000003.219334197.0000000016EA1000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219429172.0000000016F29000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225274188.0000000016F4A000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219789112.0000000016F43000.00000004.00000020.00020000.00000000.sdmp	false		high
https://discord.com/channels/%s/%s/%ss	java.exe, 00000002.00000003.219466967.0000000018070000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225511942.000000001807F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.discordapp.com/guilds/%s/users/%s/avatars/%s.%s	java.exe, 00000002.00000003.219334197.0000000017094000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.224478561.000000000B481000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.225274188.0000000017094000.00000004.00000020.00020000.00000000.sdmp	false		high
http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0	java.exe, 00000002.00000002.224478561.000000000AB88000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.224478561.000000000AC86000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://t.me/nyooooom	java.exe, 00000002.00000002.224478561.000000000A9D5000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.224478561.000000000B39D000.00000004.00000800.00020000.00000000.sdmp, UserInformation.txt.2.dr, Passwords.txt.2.dr, Google_[Chrome]_Default.txt0.2.dr	false		high
http://cps.chambersign.org/cps/chambersroot.html0	java.exe, 00000002.00000002.224478561.000000000AB88000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.224478561.000000000AC24000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://discord.gg/	java.exe, 00000002.00000003.219466967.0000000018070000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219625630.0000000018248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219582523.0000000018232000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225511942.000000001807F000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219783091.00000000181F4000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225532433.00000000181FB000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225538179.0000000018257000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://jda.wiki/using-jda/troubleshooting/#cannot-get-message-content-attempting-to-access-message-	java.exe, 00000002.00000003.219466967.0000000018070000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219625630.0000000018248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219582523.0000000018232000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225538179.0000000018257000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://search.yahoo.com?fr=crmas_sfpf	java.exe, 00000002.00000003.216458260.0000000001580000.00000004.00000020.00020000.00000000.sdmp, TempFile2591.2.dr	false		high
http://policy.camerfirma.com	java.exe, 00000002.00000002.224478561.000000000AC24000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.discordapp.com/team-icons/%s/%s.pngi	java.exe, 00000002.00000003.219466967.0000000018070000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225511942.000000001807F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.discordapp.com/splashes/%s/%s.pnglan	java.exe, 00000002.00000003.219466967.0000000018070000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225511942.000000001807F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.slf4j.org/codes.html#unsuccessfulInit	java.exe, 00000002.00000002.225274188.0000000017094000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/STCA.crl0	java.exe, 00000002.00000002.224478561.000000000AB88000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.224478561.000000000AC24000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.discordapp.com/banners/%s/%s.%s	java.exe, 00000002.00000003.219466967.0000000018070000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225511942.000000001807F000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219783091.00000000181F4000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225532433.00000000181FB000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.224478561.000000000B511000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.quovadisglobal.com/cps0	java.exe, 00000002.00000002.224478561.000000000AB88000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.224478561.000000000AC24000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.slf4j.org/codes.html#null_MDCA	java.exe, 00000002.00000002.225538179.0000000018348000.00000004.00000020.00020000.00000000.sdmp	false		high
http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl	java.exe, 00000002.00000002.224478561.000000000AC86000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.slf4j.org/codes.html#no_static_mdc_binder	java.exe, 00000002.00000002.225538179.0000000018348000.00000004.00000020.00020000.00000000.sdmp, cmdlinestart.log.0.dr	false		high
https://cdn.discordapp.com/splashes/%s/%s.png	java.exe, 00000002.00000003.219466967.0000000018070000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219783091.00000000181F4000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225532433.00000000181FB000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.224478561.000000000B511000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.slf4j.org/codes.html#loggerNameMismatch	java.exe, 00000002.00000002.225274188.0000000017094000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ocsp.quovadisoffshore.com0	java.exe, 00000002.00000002.224478561.000000000AB88000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.224478561.000000000AC24000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://discord.com/api/v%d/K	java.exe, 00000002.00000002.220498955.0000000005B41000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.discordapp.com/embed/avatars/%s.png	java.exe, 00000002.00000003.219466967.0000000018070000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225511942.000000001807F000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.224478561.000000000B511000.00000004.00000800.00020000.00000000.sdmp	false		high
https://www.youtube.com/watch?v=dQw4w9WgXcQ	java.exe, 00000002.00000003.219334197.0000000016EA1000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219334197.0000000017094000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219429172.0000000016F29000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225274188.0000000016F4A000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219789112.0000000016F43000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225274188.0000000017094000.00000004.00000020.00020000.00000000.sdmp	false		high
https://vk.com/id	java.exe, 00000002.00000002.224478561.000000000A9D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.slf4j.org/codes.html#replay	java.exe, 00000002.00000002.225274188.0000000017094000.00000004.00000020.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/	java.exe, 00000002.00000002.224478561.000000000AC24000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.chambersign.org	java.exe, 00000002.00000002.224478561.000000000ADAF000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.224478561.000000000AC24000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.slf4j.org/codes.html#no_static_mdc_binderS	java.exe, 00000002.00000002.220498955.0000000005B41000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.ipify.org/	java.exe, 00000002.00000002.224478561.000000000A9D5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.xrampsecurity.com/XGCA.crl	java.exe, 00000002.00000002.224478561.000000000AC24000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.comodo.n8	java.exe, 00000002.00000003.219822309.0000000016155000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219707818.0000000016094000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225060405.000000001615C000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://discord.com/api/v10/users/	java.exe, 00000002.00000002.220498955.0000000005B4A000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.220498955.0000000005B41000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.discordapp.com/app-assets/710982414301790216/store/%s.%sapi/	java.exe, 00000002.00000003.219466967.0000000018070000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219783091.00000000181F4000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225532433.00000000181FB000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.slf4j.org/codes.html#StaticLoggerBinderth	java.exe, 00000002.00000003.219334197.0000000016EA1000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219429172.0000000016F29000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225274188.0000000016F4A000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219789112.0000000016F43000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.slf4j.org/	java.exe, 00000002.00000003.219334197.0000000017094000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225274188.0000000017094000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.discordapp.com/banners/%s/%s.%sda/ap	java.exe, 00000002.00000003.219466967.0000000018070000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225511942.000000001807F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search	java.exe, 00000002.00000003.216458260.0000000001580000.00000004.00000020.00020000.00000000.sdmp, TempFile2591.2.dr	false		high
https://cdn.discordapp.com/guilds/%s/users/%s/avatars/%s.%sngala	java.exe, 00000002.00000003.219334197.0000000016EA1000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219429172.0000000016F29000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225274188.0000000016F4A000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219789112.0000000016F43000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.quovadisglobal.com/cps	java.exe, 00000002.00000002.224478561.000000000AC24000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.discordapp.com/avatars/%s/%s.%sjda/aD	java.exe, 00000002.00000003.219466967.0000000018070000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225511942.000000001807F000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/DV8FromTheWorld/JDA	java.exe, 00000002.00000002.220498955.0000000005B41000.00000004.00000800.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	TempFile2591.2.dr	false		high
https://search.yahoo.com?fr=crmas_sfp	java.exe, 00000002.00000003.216458260.0000000001580000.00000004.00000020.00020000.00000000.sdmp, TempFile2591.2.dr	false		high
https://jda.wiki/using-jda/gateway-intents-and-member-cache-policy/	java.exe, 00000002.00000003.219466967.0000000018070000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219625630.0000000018248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219582523.0000000018232000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225538179.0000000018257000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.slf4j.org/codes.html#null_MDCAnti	java.exe, 00000002.00000003.219466967.0000000018070000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225511942.000000001807F000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.slf4j.org/codes.html#no_static_mdc_binder;	java.exe, 00000002.00000003.219466967.0000000018070000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219625630.0000000018248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219582523.0000000018232000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225538179.0000000018257000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.discordapp.com/app-assets/710982414301790216/store/%s.%s	java.exe, 00000002.00000003.219466967.0000000018070000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219625630.0000000018248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219582523.0000000018232000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225538179.0000000018257000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.224478561.000000000B511000.00000004.00000800.00020000.00000000.sdmp	false		high
https://discord.com/oauth2/authorize?client_id=/q;F	java.exe, 00000002.00000003.219466967.0000000018070000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.225511942.000000001807F000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
162.159.138.232	discord.com	United States	13335	CLOUDFLARENETUS	false
34.160.111.145	myexternalip.com	United States	2686	ATGS-MMD-ASUS	false
104.18.114.97	ipv4.icanhazip.com	United States	13335	CLOUDFLARENETUS	false

General Information

Joe Sandbox Version:	38.0.0 Beryl
Analysis ID:	1312510
Start date and time:	2023-09-21 18:55:20 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 23s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsfilecookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled HDC enabled GSI enabled (Java) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	synapse.jar
Detection:	MAL
Classification:	mal52.troj.spyw.expl.winJAR@7/20@3/3
EGA Information:	Failed
HDC Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
Cookbook Comments:	Found application associated with file extension: .jar Stop behavior analysis, all processes terminated

Warnings

Execution Graph export aborted for target java.exe, PID 6472 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Reached maximum number of file to list during submission archive extraction
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadFile calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.
VT rate limit hit for: synapse.jar

Process:	C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	57
Entropy (8bit):	4.911322908673849
Encrypted:	false
SSDEEP:	3:oFj4I5vpN6yUQD/Ekv:oJ5X6yYkv
MD5:	3DCCC9AB7D3643BEDF9B580D6C458CD2
SHA1:	382AEAE53D4598F63C7C10ACDF09D317C9561736
SHA-256:	E4716FAA65DC7179090CFDF78DC0A577A32BC0523E8DA909A4C58E503E863ABF
SHA-512:	9C2DBE2213DA7585917084A2C86A33482CD423AE634BF7B91C2090F72383CEB208C931D7057B92A058D7DAEF1EB13176D752EEA4F010D68682822405228D324F
Malicious:	false
Reputation:	low
Preview:	C:\Program Files (x86)\Java\jre1.8.0_211..1695315372184..

C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7].zip

Download File

Process:	C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
File Type:	Zip archive data, at least v1.0 to extract, compression method=store
Category:	dropped
Size (bytes):	652805
Entropy (8bit):	7.996723123042456
Encrypted:	true
SSDEEP:	12288:suXJbbHS0afgK3SCNkVhV3nJwqy7hn+32K165eGp0vdgb8LP/LbHlWBAW:s2TzMgXbVhVJwqyhn02nSvabgLu
MD5:	049719812BA2260C08D45BD86CD55C1B
SHA1:	38B8068C11B1C56EB5B6D1C02E66D64B7F478A7C
SHA-256:	880119A086106CA80AC7CB75DD013208F470E9F1BDE5806F87D364E15B4228E1
SHA-512:	7DFEB5D4D6B9A62E616A8E8AACE42EF3106BCC6DCC6791B7DEB81F283415F25FEAC3A3C1FCB485DD62E32B8EE146A19121E5CAC65A70EA290FA3E7FF82499922
Malicious:	false
Reputation:	low
Preview:	PK..........5W............/...US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]/Autofills/PK..........5W/..h........J...US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]/Autofills/Google_[Chrome]_Default.txt.O.j.0.\|.......Q...-....8%I3...Jr..2....I'.D...6.u....Ju0......3.:...p(.....U'O...uG.>.zsDt..r]J...5N...........aT...[...?...(."....+.O..;.....Xd.#YV..d\|\.,...h9.B.2:....s../.q.....r.v...PK..........5W............-...US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]/Cookies/PK..........5W.......I...H...US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]/Cookies/Google_[Chrome]_Default.txt.T.n.H.}&R~#/-.U.%?........Xm...ll.?~.23..H...TR...=..:.v.e..d...J.d..o.D.@.U@...A$i.....L...8..A...o..+6.\|.%..<..Z..olt}\5..9qVK.........G(....0c.1.\|...Hx....a...4M.Y.....(D.2....I.F.k.}.2.d.X`n........&..)}....e..$....@..>.E(.........0".SLc.2.h7p{...RD....C...8.@.!J.q....zyq.n.v.4d..D8[.i.i[$.....N.V"..P..R%.R..B.Y....,.j....4.0%Q.....\|....`.S........`..Y....-..>s.....>......1.(...QJr5e...T....I.z.._.b.1j+[#..W._.P.1P...

C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]\Autofills\Google_[Chrome]_Default.txt

Download File

Process:	C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	457
Entropy (8bit):	3.0767031796169326
Encrypted:	false
SSDEEP:	6:j/GWiRKYiwSb35FihOSjeXu47y9BcgbK/RAJ6ocrOCHylyIhzYlKdN35Ag:j/S8bL9ceXD2z3K/RA0VXS8IYlKr3/
MD5:	126F55A8D64B24CCF78CC83D79352D66
SHA1:	B375FE51FBBF2F4885B4A85166ABF2C6FA1EA040
SHA-256:	6B91C31314C424EA366911DACD075D5A29F0E3216EB057134256D4C99F2285F9
SHA-512:	D2CD4EC87E3BD310268D4A14AF66C270269A4CFC9C2158CF8907CB1EDBD02C86455674A6A8126BEB246F5CDE956F0FAF3563BAE6E70E66D6BB92CA1DFC34B1A0
Malicious:	false
Reputation:	low
Preview:	// _ _ ..// \| \| \| \| ..// _ __ ___ \| \|_ ___ __ _ \| \| ___ _ __ ..// \| '_ \ / __\|\| __\| / _ \ / _` \|\| \| / _ \\| '__\|..// \| \| \| \|\__ \\| \|_ \| __/\| (_\| \|\| \|\| __/\| \| ..// \|_\| \|_\|\|___/ \__\| \___\| \__,_\|\|_\| \___\|\|_\| ..// ..// nstealer v2 aka "java redline"..// developed by https://t.me/nyooooom // mvdua (new discord) // noom....

C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]\Cookies\Google_[Chrome]_Default.txt

Download File

Process:	C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1609
Entropy (8bit):	5.814284691029822
Encrypted:	false
SSDEEP:	48:VN/sLIxFcw7vxIxRcw75xiUS7Nz9pLhnozHpIxlxPv:f08x++vxIxS+5xip7NzVoz+xlxX
MD5:	F8AB673DA6D665FEC147D2566540249B
SHA1:	CFA73C8F2B48D66E5241D0C2515D6DD90BF36B36
SHA-256:	E11420754A34F338CD78B90DF22CBC9693B5766DB6E4A34A53EC78D54C96D0A7
SHA-512:	92EAFB35B143F942AAA8BA54EC693CC9E46DD3DF3A1A03E49BE2F541C914008E674193D71ED71904880994C2A8EDCED528DD47514400AF328031EA3B77248414
Malicious:	false
Reputation:	low
Preview:	.google.com.TRUE./.TRUE.13351689060586313.AEC.Ad49MVEVy5CxtQLtYrblzXz4DifLm5q80KxkAsZM0tGClBBQswyzDRIjhA...google.com.FALSE./.TRUE.13370697060586477.CONSENT.PENDING+494..www.google.com.FALSE./.FALSE.13336137672000000.DV.Uw-QAWGHFCMcQIF0XFQkBViNIwrwnRg...google.com.FALSE./.FALSE.13336147869673553.GOOGLE_ABUSE_EXEMPTION.ID=743584646b6d7876:TM=1691663507:C=r:IP=84.17.52.38-:S=tthyMI8Cvn5vO7C4FE_Vh3U...microsoft.com.FALSE./.TRUE.13367673075667039.MC1.GUID=762ed1c63ceb49b49cb46dba465abf5d&HASH=762e&LV=202308&V=4&LU=1691663513605...microsoft.com.FALSE./.TRUE.13336138875667106.MS0.422da71b383d453fad5f9d7c2bd69b73..dotnet.microsoft.com.FALSE./.TRUE.13367673075943443.MSFPC.GUID=762ed1c63ceb49b49cb46dba465abf5d&HASH=762e&LV=202308&V=4&LU=1691663513605..dotnet.microsoft.com.FALSE./.TRUE.13367673076444095.MicrosoftApplicationsTelemetryDeviceId.82a40d28-864b-41fe-a279-21bff0443578...google.com.FALSE./.TRUE.13370265071547480.SOCS.CAESHAgCEhJnd3NfMjAyMzA4MDMtMF9SQzIaAmVuIAEaBgiA0dCmBg..www.google.com

C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]\InstalledSoftware.txt

Download File

Process:	C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3161
Entropy (8bit):	5.138853334349859
Encrypted:	false
SSDEEP:	96:IfDzLNpOJKiDplOdMY84uR/1npIeO9wv0xqwqWtOPPSJ3Iq2OzSTVJS4ep48TuNC:6yQyRfnR/XLTV8qNWMIN
MD5:	55B581415A2A38861B375941712680E1
SHA1:	59925274A6BA3DD0377F9217EB0A91CF9F98689F
SHA-256:	65BF273FDB056A011E143368D0471B1F781AE783688921522876ECA56655CFC2
SHA-512:	71C05C435F5AB8B052817082F0C8DD4E52550F67C9583ECDA7F9A2160E201B1D18720F70A3AEB78570A7BD3B4B6B78C168BA7591FF3E93D0D65CD0942FC89083
Malicious:	false
Reputation:	low
Preview:	// _ _ ..// \| \| \| \| ..// _ __ ___ \| \|_ ___ __ _ \| \| ___ _ __ ..// \| '_ \ / __\|\| __\| / _ \ / _` \|\| \| / _ \\| '__\|..// \| \| \| \|\__ \\| \|_ \| __/\| (_\| \|\| \|\| __/\| \| ..// \|_\| \|_\|\|___/ \__\| \___\| \__,_\|\|_\| \___\|\|_\| ..// ..// nstealer v2 aka "java redline"..// developed by https://t.me/nyooooom // mvdua (new discord) // noom....1) Google.Chrome [115.0.5790.171]..2) Microsoft Office Professional Plus 2016 [16.0.4266.1001]..3) Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 [12.0.30501.0]..4) Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 [12.0.21005]..5) Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319 [10.0.30319]..6) Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 [14.21.27702]..7) Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 [14.21.27702]..8) Java 8 Update 211 [8.0.2110.12]..9) Microsoft Visual

C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]\Passwords.txt

Download File

Process:	C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	457
Entropy (8bit):	3.0767031796169326
Encrypted:	false
SSDEEP:	6:j/GWiRKYiwSb35FihOSjeXu47y9BcgbK/RAJ6ocrOCHylyIhzYlKdN35Ag:j/S8bL9ceXD2z3K/RA0VXS8IYlKr3/
MD5:	126F55A8D64B24CCF78CC83D79352D66
SHA1:	B375FE51FBBF2F4885B4A85166ABF2C6FA1EA040
SHA-256:	6B91C31314C424EA366911DACD075D5A29F0E3216EB057134256D4C99F2285F9
SHA-512:	D2CD4EC87E3BD310268D4A14AF66C270269A4CFC9C2158CF8907CB1EDBD02C86455674A6A8126BEB246F5CDE956F0FAF3563BAE6E70E66D6BB92CA1DFC34B1A0
Malicious:	false
Reputation:	low
Preview:	// _ _ ..// \| \| \| \| ..// _ __ ___ \| \|_ ___ __ _ \| \| ___ _ __ ..// \| '_ \ / __\|\| __\| / _ \ / _` \|\| \| / _ \\| '__\|..// \| \| \| \|\__ \\| \|_ \| __/\| (_\| \|\| \|\| __/\| \| ..// \|_\| \|_\|\|___/ \__\| \___\| \__,_\|\|_\| \___\|\|_\| ..// ..// nstealer v2 aka "java redline"..// developed by https://t.me/nyooooom // mvdua (new discord) // noom....

C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]\Screenshot.png

Download File

Process:	C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	651519
Entropy (8bit):	7.947493230798117
Encrypted:	false
SSDEEP:	12288:X1jFPLkS0efgQhS6lkmDDQaa9w7hnVLmaJ9raH+KacK0UFrDGxGh0jFkImT1:zLuggBRmPVu6hnVL/QZIhqkIk
MD5:	F6B2A6CD9C426539AD47F90512BD578E
SHA1:	B478A932A1187D86D2F8D238CB02AE5375A586BD
SHA-256:	40B6D8AD074D1EF95F65629D16434639C18910B3D1F271C0B5A766A9EAB8320A
SHA-512:	FB4169C69C780A081B56726BFF222B3AF973C5664F4695D2300A5EFDB7FD8C1A1F66D3D373290765432A86579614886B187DEF061E3C6C48428A81804EAC1EAA
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR.............1.c.....IDATx......E.8...........KP.. ..aI"~...w..w.q..xz..,"...."...;...3.D.Df...{.+uUwuO.l..<.lOow.Lw....7..o..~0:......2.....t9..l....R....L%...`T........:"..o....j..N..2Y'...T.q....]...l`.....8..#........3....;....lP>.K..@=...E...#...vrCe.;..v...8......P.:{.P+.G.F.}s.@.ow?....6.`.`..PA>I...hH..n..[...~#..Y(Zu..".?.....Y..)...'./...p..g...S...".`.>..{......p.\|..........h.n#....tc..X_t....."[=F+.V.}4.c.;.5(E.8'.[...r>..6.......i..fU.aC...F......P...5...n..>A..F...i.V........u0.J#........V.."....U^^~.g....m5).F.-...#jq...^..0......B..G...`........p....._.`C......7..Z...0....p....b.l.l.l.\l......d.....6.`.8..H...\|.U.L.._.......3...2.;.....+......3P........`.U.?..MH.4.(0.C.8..".;......Y..,j...`.$`....M5@.......U.Z.....d.-0.~i.X.......R..@.H?.....`....`.e...M..I..........R\|.f.K,.{.R.`.O.:....:.../.(<.....8d_n.....,.S.`...mD...g...`...............h*h0.....2.. .FLa...........{?..w.ft.....w^?0.oV.....c....7...h

C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]\TempFile12469

Download File

Process:	C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	160640
Entropy (8bit):	6.040693044421152
Encrypted:	false
SSDEEP:	3072:Mw7HPKsbirDk/jy/GVAmdyKxVjDOH5Hp711NyBTOgd0HhmAnhqj3qm:MGHPKsbigygAkyoVn0XNyTOpBmAh4qm
MD5:	7DA110D90729D57A5B6D17931BC4EE09
SHA1:	992FC1C9F8DEA7B821AC96D28339CD72F0D0AF5D
SHA-256:	4307AAB87D2C9801C30F108ADF0886137B89ADBC6064859F5CB5D8D7B3AD46FC
SHA-512:	C203D5F5AC33FC2E9B9149AD6444833A4AA63A321BBFD23D3CDD15C6CF7A2D9A3399205BE835E18E9F055C95546D6B5512BCB5AF7F548A3730C27461F3C98688
Malicious:	false
Reputation:	low
Preview:	{"browser":{"last_redirect_origin":"","last_whats_new_version":104,"shortcut_migration_version":"104.0.5112.81"},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en-GB"},"invalidation":{"per_sender_topics_to_handler":{}},"legacy":{"profile":{"name":{"migrated":true}}},"management":{"platform":{"azure_active_directory":0,"enterprise_mdm_win":0}},"network_time":{"network_time_mapping":{"local":1.6916634575871e+12,"network":1.691663495e+12,"ticks":67538279.0,"uncertainty":1644821.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABaHlwIoHYlQKZwuwW8V0yxAAAAAAIAAAAAABBmAAAAAQAAIAAAAOT4j8Zm9U1zXX6oEUpPqIYBIjSlOiLGeiMKiIFJZDroAAAAAA6AAAAAAgAAIAAAAFW1OavBhyV7qwszPZbindD+KU2Osh5O7HSmDPpFnuCDMAAAAGEkmqbufgFUSmOzx4cW7Aup7spqps4DvqbPrwRgUGqSpRZvQkbO+yVH56WF9zMTt0AAAAAyRwtYxjf7/AqYrFr0JZ6kbTiUt0/2PKkCw7ntLtbN2qrad7I3MeL4iNGDFgqRlhWgsb/6w0gJ

C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]\TempFile23514

Download File

Process:	C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	160640
Entropy (8bit):	6.040693044421152
Encrypted:	false
SSDEEP:	3072:Mw7HPKsbirDk/jy/GVAmdyKxVjDOH5Hp711NyBTOgd0HhmAnhqj3qm:MGHPKsbigygAkyoVn0XNyTOpBmAh4qm
MD5:	7DA110D90729D57A5B6D17931BC4EE09
SHA1:	992FC1C9F8DEA7B821AC96D28339CD72F0D0AF5D
SHA-256:	4307AAB87D2C9801C30F108ADF0886137B89ADBC6064859F5CB5D8D7B3AD46FC
SHA-512:	C203D5F5AC33FC2E9B9149AD6444833A4AA63A321BBFD23D3CDD15C6CF7A2D9A3399205BE835E18E9F055C95546D6B5512BCB5AF7F548A3730C27461F3C98688
Malicious:	false
Reputation:	low
Preview:	{"browser":{"last_redirect_origin":"","last_whats_new_version":104,"shortcut_migration_version":"104.0.5112.81"},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en-GB"},"invalidation":{"per_sender_topics_to_handler":{}},"legacy":{"profile":{"name":{"migrated":true}}},"management":{"platform":{"azure_active_directory":0,"enterprise_mdm_win":0}},"network_time":{"network_time_mapping":{"local":1.6916634575871e+12,"network":1.691663495e+12,"ticks":67538279.0,"uncertainty":1644821.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABaHlwIoHYlQKZwuwW8V0yxAAAAAAIAAAAAABBmAAAAAQAAIAAAAOT4j8Zm9U1zXX6oEUpPqIYBIjSlOiLGeiMKiIFJZDroAAAAAA6AAAAAAgAAIAAAAFW1OavBhyV7qwszPZbindD+KU2Osh5O7HSmDPpFnuCDMAAAAGEkmqbufgFUSmOzx4cW7Aup7spqps4DvqbPrwRgUGqSpRZvQkbO+yVH56WF9zMTt0AAAAAyRwtYxjf7/AqYrFr0JZ6kbTiUt0/2PKkCw7ntLtbN2qrad7I3MeL4iNGDFgqRlhWgsb/6w0gJ

C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]\TempFile25775

Download File

Process:	C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	160640
Entropy (8bit):	6.040693044421152
Encrypted:	false
SSDEEP:	3072:Mw7HPKsbirDk/jy/GVAmdyKxVjDOH5Hp711NyBTOgd0HhmAnhqj3qm:MGHPKsbigygAkyoVn0XNyTOpBmAh4qm
MD5:	7DA110D90729D57A5B6D17931BC4EE09
SHA1:	992FC1C9F8DEA7B821AC96D28339CD72F0D0AF5D
SHA-256:	4307AAB87D2C9801C30F108ADF0886137B89ADBC6064859F5CB5D8D7B3AD46FC
SHA-512:	C203D5F5AC33FC2E9B9149AD6444833A4AA63A321BBFD23D3CDD15C6CF7A2D9A3399205BE835E18E9F055C95546D6B5512BCB5AF7F548A3730C27461F3C98688
Malicious:	false
Reputation:	low
Preview:	{"browser":{"last_redirect_origin":"","last_whats_new_version":104,"shortcut_migration_version":"104.0.5112.81"},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en-GB"},"invalidation":{"per_sender_topics_to_handler":{}},"legacy":{"profile":{"name":{"migrated":true}}},"management":{"platform":{"azure_active_directory":0,"enterprise_mdm_win":0}},"network_time":{"network_time_mapping":{"local":1.6916634575871e+12,"network":1.691663495e+12,"ticks":67538279.0,"uncertainty":1644821.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABaHlwIoHYlQKZwuwW8V0yxAAAAAAIAAAAAABBmAAAAAQAAIAAAAOT4j8Zm9U1zXX6oEUpPqIYBIjSlOiLGeiMKiIFJZDroAAAAAA6AAAAAAgAAIAAAAFW1OavBhyV7qwszPZbindD+KU2Osh5O7HSmDPpFnuCDMAAAAGEkmqbufgFUSmOzx4cW7Aup7spqps4DvqbPrwRgUGqSpRZvQkbO+yVH56WF9zMTt0AAAAAyRwtYxjf7/AqYrFr0JZ6kbTiUt0/2PKkCw7ntLtbN2qrad7I3MeL4iNGDFgqRlhWgsb/6w0gJ

C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]\TempFile2591

Download File

Process:	C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 4, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	1.2861458126645597
Encrypted:	false
SSDEEP:	192:go1/8dpUXbSzTPJxz6zVucbj8Ewn7PrH944:gS/inRQVucbj8Ewn7b944
MD5:	13A67FCABA59E4D6CE4CBC1DA50B72A8
SHA1:	3974D2F90220322108483CEF19601AA09972C3F5
SHA-256:	7BD3F40AE06D965E1C4E98D8EF2EEB00A18DD93F934ADF9F16BC682B63CD8927
SHA-512:	A07327C16463A7DF4C76DC2A682E949CF898BBC2211EFA7E4F917E13DE4BB1C0C98923B8827E191BBBC2D42FF976748D3C6C86A8A5080008BD95ABC69DDD374F
Malicious:	false
Reputation:	low
Preview:	SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]\TempFile29003

Download File

Process:	C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	160640
Entropy (8bit):	6.040693044421152
Encrypted:	false
SSDEEP:	3072:Mw7HPKsbirDk/jy/GVAmdyKxVjDOH5Hp711NyBTOgd0HhmAnhqj3qm:MGHPKsbigygAkyoVn0XNyTOpBmAh4qm
MD5:	7DA110D90729D57A5B6D17931BC4EE09
SHA1:	992FC1C9F8DEA7B821AC96D28339CD72F0D0AF5D
SHA-256:	4307AAB87D2C9801C30F108ADF0886137B89ADBC6064859F5CB5D8D7B3AD46FC
SHA-512:	C203D5F5AC33FC2E9B9149AD6444833A4AA63A321BBFD23D3CDD15C6CF7A2D9A3399205BE835E18E9F055C95546D6B5512BCB5AF7F548A3730C27461F3C98688
Malicious:	false
Reputation:	low
Preview:	{"browser":{"last_redirect_origin":"","last_whats_new_version":104,"shortcut_migration_version":"104.0.5112.81"},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en-GB"},"invalidation":{"per_sender_topics_to_handler":{}},"legacy":{"profile":{"name":{"migrated":true}}},"management":{"platform":{"azure_active_directory":0,"enterprise_mdm_win":0}},"network_time":{"network_time_mapping":{"local":1.6916634575871e+12,"network":1.691663495e+12,"ticks":67538279.0,"uncertainty":1644821.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABaHlwIoHYlQKZwuwW8V0yxAAAAAAIAAAAAABBmAAAAAQAAIAAAAOT4j8Zm9U1zXX6oEUpPqIYBIjSlOiLGeiMKiIFJZDroAAAAAA6AAAAAAgAAIAAAAFW1OavBhyV7qwszPZbindD+KU2Osh5O7HSmDPpFnuCDMAAAAGEkmqbufgFUSmOzx4cW7Aup7spqps4DvqbPrwRgUGqSpRZvQkbO+yVH56WF9zMTt0AAAAAyRwtYxjf7/AqYrFr0JZ6kbTiUt0/2PKkCw7ntLtbN2qrad7I3MeL4iNGDFgqRlhWgsb/6w0gJ

C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]\TempFile38442

Download File

Process:	C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, file counter 11, database pages 7, 1st free page 5, free pages 2, cookie 0x13, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	1.525382148408982
Encrypted:	false
SSDEEP:	96:oe8To9Eapxv//u29ikqnXxa3Itq273BzkTDnw3:o3IpV//u2QZo27V
MD5:	BAD7730F6FDE1661858D7C76366933B1
SHA1:	7679157DBA24CF0FD2DC03AE73611B04227EF8A5
SHA-256:	9F5A853FAB80EF233F4382B3B07412D1077AF8985222BBF701C8A824BEE22AFB
SHA-512:	B1B1E0C534D96138F8752936776C3A7FD08100C99B04C55A0D7F22D0688868829C784C34F319A9FBC8F18F54DEFC7E7B07C9E40734C7C48882FE0BDEC3C66E5E
Malicious:	false
Reputation:	low
Preview:	SQLite format 3......@ ..........................................................................[5.........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]\TempFile42582

Download File

Process:	C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	160640
Entropy (8bit):	6.040693044421152
Encrypted:	false
SSDEEP:	3072:Mw7HPKsbirDk/jy/GVAmdyKxVjDOH5Hp711NyBTOgd0HhmAnhqj3qm:MGHPKsbigygAkyoVn0XNyTOpBmAh4qm
MD5:	7DA110D90729D57A5B6D17931BC4EE09
SHA1:	992FC1C9F8DEA7B821AC96D28339CD72F0D0AF5D
SHA-256:	4307AAB87D2C9801C30F108ADF0886137B89ADBC6064859F5CB5D8D7B3AD46FC
SHA-512:	C203D5F5AC33FC2E9B9149AD6444833A4AA63A321BBFD23D3CDD15C6CF7A2D9A3399205BE835E18E9F055C95546D6B5512BCB5AF7F548A3730C27461F3C98688
Malicious:	false
Reputation:	low
Preview:	{"browser":{"last_redirect_origin":"","last_whats_new_version":104,"shortcut_migration_version":"104.0.5112.81"},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en-GB"},"invalidation":{"per_sender_topics_to_handler":{}},"legacy":{"profile":{"name":{"migrated":true}}},"management":{"platform":{"azure_active_directory":0,"enterprise_mdm_win":0}},"network_time":{"network_time_mapping":{"local":1.6916634575871e+12,"network":1.691663495e+12,"ticks":67538279.0,"uncertainty":1644821.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABaHlwIoHYlQKZwuwW8V0yxAAAAAAIAAAAAABBmAAAAAQAAIAAAAOT4j8Zm9U1zXX6oEUpPqIYBIjSlOiLGeiMKiIFJZDroAAAAAA6AAAAAAgAAIAAAAFW1OavBhyV7qwszPZbindD+KU2Osh5O7HSmDPpFnuCDMAAAAGEkmqbufgFUSmOzx4cW7Aup7spqps4DvqbPrwRgUGqSpRZvQkbO+yVH56WF9zMTt0AAAAAyRwtYxjf7/AqYrFr0JZ6kbTiUt0/2PKkCw7ntLtbN2qrad7I3MeL4iNGDFgqRlhWgsb/6w0gJ

C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]\TempFile6953

Download File

Process:	C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 2, database pages 23, cookie 0x19, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.7876734657715041
Encrypted:	false
SSDEEP:	48:43KzOIIY3HzrkNSs8LKvUf9KnmlG0UX9q4lCm+KLka+yJqhM0ObVEq8Ma0D0HOlx:Sq0NFeymDlGD9qlm+KL2y0Obn8MouO
MD5:	CF7758A2FF4A94A5D589DEBAED38F82E
SHA1:	D3380E70D0CAEB9AD78D14DD970EA480E08232B8
SHA-256:	6CA783B84D01BFCF9AA7185D7857401D336BAD407A182345B97096E1F2502B7F
SHA-512:	1D0C49B02A159EEB4AA971980CCA02751973E249422A71A0587EE63986A4A0EB8929458BCC575A9898CE3497CC5BDFB7050DF33DF53F5C88D110F386A0804CBF
Malicious:	false
Reputation:	low
Preview:	SQLite format 3......@ ..........................................................................[5....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]\UserInformation.txt

Download File

Process:	C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	695
Entropy (8bit):	4.332482075728489
Encrypted:	false
SSDEEP:	12:j/S8bL9ceXD2z3K/RA0VXS8IYlKr32yvQXOiKBfJh0mdLAB3XUWUT4OD:bXb5DF//VXSoKrGqQXdKpJmuAFjUT4OD
MD5:	E82AD007C41604D20DB7F5EEAF341C65
SHA1:	9044FEED31D9A617ABDAC804D2DAA79B5E9557B9
SHA-256:	8F3D3DCB65FC3EF3F364DBE82A6BBA0C640239E7E15EE4D7CA3426E07799E766
SHA-512:	947602C895CCACD5518B98A553A2DDD93DCCAAE24239458D344FD0F3C695E6DBCB00BDA56DC290ECBBD03ABBDCC3680692F6F2DB59EFA4B4D3F12C8F9BF1A8DA
Malicious:	false
Reputation:	low
Preview:	// _ _ ..// \| \| \| \| ..// _ __ ___ \| \|_ ___ __ _ \| \| ___ _ __ ..// \| '_ \ / __\|\| __\| / _ \ / _` \|\| \| / _ \\| '__\|..// \| \| \| \|\__ \\| \|_ \| __/\| (_\| \|\| \|\| __/\| \| ..// \|_\| \|_\|\|___/ \__\| \___\| \__,_\|\|_\| \___\|\|_\| ..// ..// nstealer v2 aka "java redline"..// developed by https://t.me/nyooooom // mvdua (new discord) // noom....Operation System: win10-x86..Current JarFile Path: C:/Users/user/Desktop/synapse.jar..UserName: user..IP: 154.16.105.31..TimeZone: 2023-09-21T18:56:14.809+02:00 [Europe/Berlin]..Width: 1280.0, Height: 1024.0..Language & Country: en_US..

C:\Users\user\AppData\Local\Temp\jna-101308983\jna5025487326021621048.dll

Download File

Process:	C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	211456
Entropy (8bit):	6.575564255266613
Encrypted:	false
SSDEEP:	3072:hsYkXwUGMpSFif9jejzCvjrEt1++W9WCrHudSzoNyLXX4Fv/IK9znaTsXvXs9GT5:hFLNmyjzss1++kQCo2XM5vXs9GTqZc
MD5:	676F82A561FAFEEC6D8CF6D8319DEE2D
SHA1:	01759BB9E7DD8513C1D25BAFF2C8AB3298DB720D
SHA-256:	1B06CBA48EEA2AD4881BC88A2749E40500DBC87C1A2149290EB61D473A64E4C1
SHA-512:	6E9F4087A49CB15203A6A478C6F3422276018F269ED85833AF6F203604C60C6C443298734CDE217E8DF18EBB932994AAAA3BC794A36419EEBCC4310CAABFB826
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!:..@T..@T..@T..(W..@T..(Q.S@T..(P..@T..4Q..@T..4P..@T..4W..@T..(U..@T..@U..@T..4W..@T..@T..@T..4P..@T..4T..@T..4V..@T.Rich.@T.........PE..L...6..c...........!.....N..........?R.......`............................................@.............................T...$...<....@.......................P... ..\|...................................@............`..0............................text....M.......N.................. ..`.rdata...\|...`...~...R..............@..@.data...\Q.......D..................@....rsrc........@......................@....reloc... ...P..."..................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\sqlite-3.41.0.0-0b27bdb4-8039-42f2-829b-488fcd2f6819-sqlitejdbc.dll

Download File

Process:	C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	860672
Entropy (8bit):	6.572639421617908
Encrypted:	false
SSDEEP:	24576:0S4aTP2hld8MBIeoLB9m1poRRga3tXP0SXOD6dWb94:06TP2hldnBIet1poRn3tXPLob
MD5:	B1A60869B21047ABE4F85BA353E53856
SHA1:	A7F1769A42C96382A07BD60ED000B2302575E049
SHA-256:	6E9121D4A825F568D78C79F2A3E9819A664C3B0C45B69EDC96EE5958E89E6B48
SHA-512:	56D357B6195B0EAFC7172672CE7A10503E334787DEFD7D1317B0CB60341DEC3EC711C6686CAB3E0A73152386399292732EC1A2CF2FD2E865A37C794B5E124614
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#...$.N...................`....xf.........................p......j.....@... ..............................................................0..<?..........................d.......................8................................text....L.......N..................`.P`.data....&...`...(...R..............@.`..rdata...G.......H...z..............@.`@.bss..................................`..edata..............................@.0@.idata..............................@.0..CRT....,...........................@.0..tls......... ......................@.0..reloc..<?...0...@..................@.0B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\83aa4cc77f591dfc2374580bbd95f6ba_d06ed635-68f6-4e9a-955c-4899f5f57b9a

Download File

Process:	C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
File Type:	data
Category:	dropped
Size (bytes):	45
Entropy (8bit):	0.9111711733157262
Encrypted:	false
SSDEEP:	3:/lwlt7n:WNn
MD5:	C8366AE350E7019AEFC9D1E6E6A498C6
SHA1:	5731D8A3E6568A5F2DFBBC87E3DB9637DF280B61
SHA-256:	11E6ACA8E682C046C83B721EEB5C72C5EF03CB5936C60DF6F4993511DDC61238
SHA-512:	33C980D5A638BFC791DE291EBF4B6D263B384247AB27F261A54025108F2F85374B579A026E545F81395736DD40FA4696F2163CA17640DD47F1C42BC9971B18CD
Malicious:	false
Reputation:	low
Preview:	........................................J2SE.

C:\cmdlinestart.log

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	6440
Entropy (8bit):	5.066656235182196
Encrypted:	false
SSDEEP:	96:gG6Muh/xXWw74M3O+6ZDeYXz0MDTZItTtufc0xXWw7i:Y5dxX374ATKDeq0QTZIRtufxX37i
MD5:	60EFB4DFF8FA0CAD5597A5362FBD075D
SHA1:	1926A8D94E752E4BFF3BE6106C637B87FCBEE3B9
SHA-256:	290426021E567950346DC991A396D25616F7393196D283E2F0AD1DB2667494C0
SHA-512:	040BA40B2CCDBE07A9741BF2CA738CA5BA5685B13A461579B81C35F6167EA0E3E09F9493330458D6D513CD3D836CE69B5BD390831B05976110E14AB5386BC757
Malicious:	false
Reputation:	low
Preview:	SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder"...SLF4J: Defaulting to no-operation (NOP) logger implementation..SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details...SLF4J: Failed to load class "org.slf4j.impl.StaticMDCBinder"...SLF4J: Defaulting to no-operation MDCAdapter implementation...SLF4J: See http://www.slf4j.org/codes.html#no_static_mdc_binder for further details...[JDA RateLimit-Worker 1] ERROR Requester - There was an I/O error while executing a REST request: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target..net.dv8tion.jda.api.exceptions.ErrorResponseException: -1: javax.net.ssl.SSLHandshakeException...at net.dv8tion.jda.internal.requests.RestActionImpl.complete(RestActionImpl.java:230)...at net.dv8tion.jda.api.requests.RestAction.complete(RestAction.java:632)...at net.dv8tion.jda.internal

Static File Info

General

File type:	Java archive data (JAR)
Entropy (8bit):	7.978871677017016
TrID:	Java Archive (13504/1) 62.80% ZIP compressed archive (8000/1) 37.20%
File name:	synapse.jar
File size:	29'321'777 bytes
MD5:	6c95bdb562b241228d2743c653e90773
SHA1:	3129c168f39111f57edf765e7b58bc9d72ec38d4
SHA256:	5286e612ca35302536507939d609b47dac54b42b6c76238ab2aee60ec6204a0c
SHA512:	adb9081d61b2eef3d4a253bd64ce2736d1b9b20636c2120e00b598f983ef2f4b3542b019a534e980a50363db4dd7a249f2073c4889eda8e70af9da6f1ac08bba
SSDEEP:	786432:hoh5zr5Ses3GcykJhowXsI+fVZk4JtxFm9lI46rJFSp204xtoH:hc1r5Bs3dhoPD9ZLDeirrSgpts
TLSH:	BF571210F64B5960C75B753ABAEF0E41BC31A7DDC486C15F21F474898DF2AD0872AB2A
File Content Preview:	PK..........#W...w....k...?...org/apache/http/impl/execchain/noom1337/ProguardPenitBlya.class.....8y\|.E.o:m.#...."Up.Z.+...(..*.E...P..JS..aY.M)...>.....I..v..'.....0w.........7..h...?.\|....y..y3..\|....>.XJN.xD../P.)../../.E..............E.FH.../Y.P..(...

File Icon


Icon Hash:	d08c8e8ea2868a54

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 21, 2023 18:56:14.821162939 CEST	49703	443	192.168.2.4	104.18.114.97
Sep 21, 2023 18:56:14.821234941 CEST	443	49703	104.18.114.97	192.168.2.4
Sep 21, 2023 18:56:14.821336985 CEST	49703	443	192.168.2.4	104.18.114.97
Sep 21, 2023 18:56:14.972183943 CEST	49703	443	192.168.2.4	104.18.114.97
Sep 21, 2023 18:56:14.972281933 CEST	443	49703	104.18.114.97	192.168.2.4
Sep 21, 2023 18:56:15.304929018 CEST	443	49703	104.18.114.97	192.168.2.4
Sep 21, 2023 18:56:15.305229902 CEST	49703	443	192.168.2.4	104.18.114.97
Sep 21, 2023 18:56:15.361345053 CEST	49703	443	192.168.2.4	104.18.114.97
Sep 21, 2023 18:56:15.361409903 CEST	443	49703	104.18.114.97	192.168.2.4
Sep 21, 2023 18:56:15.361768007 CEST	49703	443	192.168.2.4	104.18.114.97
Sep 21, 2023 18:56:15.361771107 CEST	443	49703	104.18.114.97	192.168.2.4
Sep 21, 2023 18:56:15.361798048 CEST	443	49703	104.18.114.97	192.168.2.4
Sep 21, 2023 18:56:15.361829996 CEST	49703	443	192.168.2.4	104.18.114.97
Sep 21, 2023 18:56:15.542469025 CEST	49704	80	192.168.2.4	34.160.111.145
Sep 21, 2023 18:56:15.715317011 CEST	80	49704	34.160.111.145	192.168.2.4
Sep 21, 2023 18:56:15.715667009 CEST	49704	80	192.168.2.4	34.160.111.145
Sep 21, 2023 18:56:15.723278046 CEST	49704	80	192.168.2.4	34.160.111.145
Sep 21, 2023 18:56:15.896085978 CEST	80	49704	34.160.111.145	192.168.2.4
Sep 21, 2023 18:56:15.937639952 CEST	80	49704	34.160.111.145	192.168.2.4
Sep 21, 2023 18:56:15.984579086 CEST	49704	80	192.168.2.4	34.160.111.145
Sep 21, 2023 18:56:18.142852068 CEST	49705	443	192.168.2.4	162.159.138.232
Sep 21, 2023 18:56:18.142899990 CEST	443	49705	162.159.138.232	192.168.2.4
Sep 21, 2023 18:56:18.142966986 CEST	49705	443	192.168.2.4	162.159.138.232
Sep 21, 2023 18:56:18.177639008 CEST	49705	443	192.168.2.4	162.159.138.232
Sep 21, 2023 18:56:18.177670002 CEST	443	49705	162.159.138.232	192.168.2.4
Sep 21, 2023 18:56:18.497543097 CEST	443	49705	162.159.138.232	192.168.2.4
Sep 21, 2023 18:56:18.497684956 CEST	49705	443	192.168.2.4	162.159.138.232
Sep 21, 2023 18:56:18.499666929 CEST	49705	443	192.168.2.4	162.159.138.232
Sep 21, 2023 18:56:18.499677896 CEST	443	49705	162.159.138.232	192.168.2.4
Sep 21, 2023 18:56:18.499748945 CEST	49705	443	192.168.2.4	162.159.138.232
Sep 21, 2023 18:56:18.499869108 CEST	443	49705	162.159.138.232	192.168.2.4
Sep 21, 2023 18:56:18.499918938 CEST	49705	443	192.168.2.4	162.159.138.232
Sep 21, 2023 18:56:21.610009909 CEST	49704	80	192.168.2.4	34.160.111.145

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 21, 2023 18:56:14.631359100 CEST	63315	53	192.168.2.4	8.8.8.8
Sep 21, 2023 18:56:14.815562963 CEST	53	63315	8.8.8.8	192.168.2.4
Sep 21, 2023 18:56:15.367604017 CEST	62265	53	192.168.2.4	8.8.8.8
Sep 21, 2023 18:56:15.539541960 CEST	53	62265	8.8.8.8	192.168.2.4
Sep 21, 2023 18:56:17.940965891 CEST	60838	53	192.168.2.4	8.8.8.8
Sep 21, 2023 18:56:18.125756979 CEST	53	60838	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 21, 2023 18:56:14.631359100 CEST	192.168.2.4	8.8.8.8	0x74d9	Standard query (0)	ipv4.icanhazip.com	A (IP address)	IN (0x0001)	false
Sep 21, 2023 18:56:15.367604017 CEST	192.168.2.4	8.8.8.8	0xced1	Standard query (0)	myexternalip.com	A (IP address)	IN (0x0001)	false
Sep 21, 2023 18:56:17.940965891 CEST	192.168.2.4	8.8.8.8	0xef03	Standard query (0)	discord.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Sep 21, 2023 18:56:14.815562963 CEST	8.8.8.8	192.168.2.4	0x74d9	No error (0)	ipv4.icanhazip.com	104.18.114.97	A (IP address)	IN (0x0001)	false
Sep 21, 2023 18:56:14.815562963 CEST	8.8.8.8	192.168.2.4	0x74d9	No error (0)	ipv4.icanhazip.com	104.18.115.97	A (IP address)	IN (0x0001)	false
Sep 21, 2023 18:56:15.539541960 CEST	8.8.8.8	192.168.2.4	0xced1	No error (0)	myexternalip.com	34.160.111.145	A (IP address)	IN (0x0001)	false
Sep 21, 2023 18:56:18.125756979 CEST	8.8.8.8	192.168.2.4	0xef03	No error (0)	discord.com	162.159.138.232	A (IP address)	IN (0x0001)	false
Sep 21, 2023 18:56:18.125756979 CEST	8.8.8.8	192.168.2.4	0xef03	No error (0)	discord.com	162.159.136.232	A (IP address)	IN (0x0001)	false
Sep 21, 2023 18:56:18.125756979 CEST	8.8.8.8	192.168.2.4	0xef03	No error (0)	discord.com	162.159.135.232	A (IP address)	IN (0x0001)	false
Sep 21, 2023 18:56:18.125756979 CEST	8.8.8.8	192.168.2.4	0xef03	No error (0)	discord.com	162.159.128.233	A (IP address)	IN (0x0001)	false
Sep 21, 2023 18:56:18.125756979 CEST	8.8.8.8	192.168.2.4	0xef03	No error (0)	discord.com	162.159.137.232	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

myexternalip.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49704	34.160.111.145	80	C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe

Timestamp	kBytes transferred	Direction	Data
Sep 21, 2023 18:56:15.723278046 CEST	97	OUT	GET /raw HTTP/1.1 User-Agent: Java/1.8.0_211 Host: myexternalip.com Accept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2 Connection: keep-alive
Sep 21, 2023 18:56:15.937639952 CEST	97	IN	HTTP/1.1 200 OK server: istio-envoy date: Thu, 21 Sep 2023 16:56:15 GMT content-type: text/plain; charset=utf-8 Content-Length: 13 access-control-allow-origin: * x-envoy-upstream-service-time: 0 strict-transport-security: max-age=2592000; includeSubDomains Via: 1.1 google Data Raw: 31 35 34 2e 31 36 2e 31 30 35 2e 33 31 Data Ascii: 154.16.105.31

Target ID:	0
Start time:	18:56:11
Start date:	21/09/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\synapse.jar"" >> C:\cmdlinestart.log 2>&1
Imagebase:	0xc30000
File size:	232'960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	18:56:11
Start date:	21/09/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6bab10000
File size:	625'664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	18:56:11
Start date:	21/09/2023
Path:	C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\synapse.jar"
Imagebase:	0xd70000
File size:	192'376 bytes
MD5 hash:	28733BA8C383E865338638DF5196E6FE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Java
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	18:56:12
Start date:	21/09/2023
Path:	C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Imagebase:	0x11a0000
File size:	29'696 bytes
MD5 hash:	FF0D1D4317A44C951240FAE75075D501
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	18:56:12
Start date:	21/09/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6bab10000
File size:	625'664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Chronological Activities

Disassembly

⊘No disassembly

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Services
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report synapse.jar

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

System Summary

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Oracle\Java\.oracle_jre_usage\cce3fe3b0d8d83e2.timestamp

C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7].zip

C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]\Autofills\Google_[Chrome]_Default.txt

C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]\Cookies\Google_[Chrome]_Default.txt

C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]\InstalledSoftware.txt

C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]\Passwords.txt

C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]\Screenshot.png

C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]\TempFile12469

C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]\TempFile23514

C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]\TempFile25775

C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]\TempFile2591

C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]\TempFile29003

C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]\TempFile38442

C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]\TempFile42582

C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]\TempFile6953

C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]\UserInformation.txt

C:\Users\user\AppData\Local\Temp\jna-101308983\jna5025487326021621048.dll

C:\Users\user\AppData\Local\Temp\sqlite-3.41.0.0-0b27bdb4-8039-42f2-829b-488fcd2f6819-sqlitejdbc.dll

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\83aa4cc77f591dfc2374580bbd95f6ba_d06ed635-68f6-4e9a-955c-4899f5f57b9a

C:\cmdlinestart.log

Static File Info

General

File Icon

Windows Analysis Report
synapse.jar