Edit tour

Windows Analysis Report
6XAaqIWeJt.jar

Overview

General Information

Sample Name:	6XAaqIWeJt.jar
Original Sample Name:	5286e612ca35302536507939d609b47dac54b42b6c76238ab2aee60ec6204a0c.jar
Analysis ID:	1312575
MD5:	6c95bdb562b241228d2743c653e90773
SHA1:	3129c168f39111f57edf765e7b58bc9d72ec38d4
SHA256:	5286e612ca35302536507939d609b47dac54b42b6c76238ab2aee60ec6204a0c
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Exploit detected, runtime environment dropped PE file

Tries to harvest and steal browser information (history, passwords, etc)

May check the online IP address of the machine

Is looking for software installed on the system

Queries the volume information (name, serial number etc) of a device

Drops PE files

Uses cacls to modify the permissions of files

Uses code obfuscation techniques (call, push, ret)

Contains functionality to detect virtual machines (SLDT)

Sample execution stops while process was sleeping (likely an evasion)

Creates a process in suspended mode (likely to inject code)

Classification

Process Tree

System is w10x64

cmd.exe (PID: 6860 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\6XAaqIWeJt.jar"" >> C:\cmdlinestart.log 2>&1 MD5: F3BDBE3BB6F734E357235F4D5898582D)

conhost.exe (PID: 6868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

java.exe (PID: 6908 cmdline: "C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\6XAaqIWeJt.jar" MD5: 28733BA8C383E865338638DF5196E6FE)

icacls.exe (PID: 6964 cmdline: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M MD5: FF0D1D4317A44C951240FAE75075D501)

conhost.exe (PID: 6972 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

⊘No yara matches

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe

File created: C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]\InstalledSoftware.txt

Jump to behavior

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: unknown	HTTPS traffic detected: 104.18.115.97:443 -> 192.168.2.4:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.4:49710 version: TLS 1.2

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	File opened: C:\Users\user\AppData\Local\Temp\jna-101308983\	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	File opened: C:\Users\user\AppData\Local\Temp\jna-101308983\jna5476903323984237763.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	File opened: C:\Users\user\	Jump to behavior

Networking

May check the online IP address of the machine

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	DNS query: name: ipv4.icanhazip.com
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	DNS query: name: ipv4.icanhazip.com
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	DNS query: name: myexternalip.com

Source: unknown	Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49710 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49710
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49708

Source: java.exe, 00000002.00000003.218696916.00000000160E7000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.227075352.000000001611E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: +https://www.youtube.com/watch?v=dQw4w9WgXcQ equals www.youtube.com (Youtube)
Source: java.exe, java.exe, 00000002.00000003.218696916.00000000160E7000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.227075352.000000001611E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: Chttps://www.youtube.com/watch?v=dQw4w9WgXcQ equals www.youtube.com (Youtube)

Source: java.exe, 00000002.00000002.226255781.0000000009BC5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bugreport.sun.com/bugreport/
Source: java.exe, 00000002.00000002.226255781.0000000009BD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://checkip.amazonaws.com/
Source: java.exe, 00000002.00000002.226255781.0000000009E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html
Source: java.exe, 00000002.00000002.226255781.0000000009D87000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.226255781.0000000009E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: java.exe, 00000002.00000002.226255781.0000000009E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl
Source: java.exe, 00000002.00000002.226255781.0000000009D87000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.226255781.0000000009E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: java.exe, 00000002.00000002.226255781.0000000009E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl
Source: java.exe, 00000002.00000002.226255781.0000000009D87000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.226255781.0000000009E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: java.exe, 00000002.00000002.226255781.0000000009D87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl
Source: java.exe, 00000002.00000002.226255781.0000000009D87000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: java.exe, 00000002.00000002.226255781.0000000009E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: java.exe, 00000002.00000002.226255781.0000000009D87000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.226255781.0000000009E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: java.exe, 00000002.00000002.226255781.0000000009E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: java.exe, 00000002.00000002.226255781.0000000009D87000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.226255781.0000000009E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: java.exe, 00000002.00000002.226255781.0000000009BD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ipecho.net/plain
Source: java.exe, 00000002.00000002.226255781.0000000009BD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://java.oracle.com/
Source: java.exe, 00000002.00000002.226255781.0000000009BD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://myexternalip.com/raw
Source: java.exe, 00000002.00000003.219082038.0000000014BD7000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.226255781.0000000009D87000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000003.219007145.0000000014BAB000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219212497.0000000014C07000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.226831499.0000000015256000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.226776118.0000000014BB2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://null.oracle.com/
Source: java.exe, 00000002.00000002.226255781.0000000009E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://policy.camerfirma.com
Source: java.exe, 00000002.00000002.226255781.0000000009D87000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.226255781.0000000009E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://policy.camerfirma.com0
Source: java.exe, 00000002.00000002.226255781.0000000009E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/
Source: java.exe, 00000002.00000002.226255781.0000000009D87000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.226255781.0000000009E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/0
Source: java.exe, 00000002.00000002.226255781.0000000009E85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl
Source: java.exe, 00000002.00000002.226255781.0000000009D87000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.226255781.0000000009E85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0
Source: java.exe, 00000002.00000002.226255781.0000000009E85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class2.crl
Source: java.exe, 00000002.00000002.226255781.0000000009D87000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.226255781.0000000009E85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: java.exe, 00000002.00000002.226255781.0000000009E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class3P.crl
Source: java.exe, 00000002.00000002.226255781.0000000009D87000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.226255781.0000000009E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
Source: java.exe, 00000002.00000002.226255781.0000000009FAF000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.chambersign.org
Source: java.exe, 00000002.00000002.226255781.0000000009D87000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.226255781.0000000009E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.chambersign.org1
Source: java.exe, 00000002.00000002.226255781.0000000009E85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm
Source: java.exe, 00000002.00000002.226255781.0000000009D87000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.226255781.0000000009E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: java.exe, 00000002.00000002.226255781.0000000009E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps
Source: java.exe, 00000002.00000002.226255781.0000000009D87000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.226255781.0000000009E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: java.exe, 00000002.00000002.227075352.000000001611E000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.226255781.000000000A666000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.slf4j.org/codes.html
Source: java.exe, 00000002.00000002.226255781.000000000A666000.00000004.00000800.00020000.00000000.sdmp, cmdlinestart.log.0.dr	String found in binary or memory: http://www.slf4j.org/codes.html#StaticLoggerBinder
Source: java.exe, 00000002.00000003.218696916.00000000160E7000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.227075352.000000001611E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.slf4j.org/codes.html#StaticLoggerBinderIT
Source: java.exe, 00000002.00000002.227075352.000000001611E000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.226255781.000000000A666000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.slf4j.org/codes.html#loggerNameMismatch
Source: java.exe, 00000002.00000002.227075352.000000001611E000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.226255781.000000000A666000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.slf4j.org/codes.html#multiple_bindings
Source: java.exe, 00000002.00000003.218696916.00000000160E7000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.227075352.000000001611E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.slf4j.org/codes.html#multiple_bindingse/Cache
Source: java.exe, 00000002.00000002.220565046.0000000004D3D000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000003.218897942.0000000017188000.00000004.00000020.00020000.00000000.sdmp, cmdlinestart.log.0.dr	String found in binary or memory: http://www.slf4j.org/codes.html#no_static_mdc_binder
Source: java.exe, 00000002.00000002.227302640.000000001718F000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219266095.0000000017341000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219220229.0000000017333000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.218897942.0000000017188000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.slf4j.org/codes.html#no_static_mdc_binderject
Source: java.exe, 00000002.00000002.227075352.000000001611E000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.226255781.000000000A666000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.slf4j.org/codes.html#null_LF
Source: java.exe, 00000002.00000003.218696916.00000000160E7000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.227075352.000000001611E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.slf4j.org/codes.html#null_LF1
Source: java.exe, 00000002.00000003.219266095.0000000017450000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.220565046.0000000004D3D000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000003.218897942.0000000017188000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.slf4j.org/codes.html#null_MDCA
Source: java.exe, 00000002.00000002.227302640.0000000017450000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219220229.0000000017450000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219266095.0000000017450000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.slf4j.org/codes.html#null_MDCAHk$
Source: java.exe, 00000002.00000002.227075352.000000001611E000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.226255781.000000000A666000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.slf4j.org/codes.html#replay
Source: java.exe, 00000002.00000002.227075352.000000001611E000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.226255781.000000000A666000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.slf4j.org/codes.html#substituteLogger
Source: java.exe, 00000002.00000002.226255781.000000000A666000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.slf4j.org/codes.html#unsuccessfulInit
Source: java.exe, 00000002.00000003.218696916.00000000160E7000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.227075352.000000001611E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.slf4j.org/codes.html#unsuccessfulInit_7
Source: java.exe, 00000002.00000003.218696916.00000000160E7000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.227075352.000000001611E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://www.slf4j.org/codes.html#unsuccessfulInitn32/Win
Source: java.exe, 00000002.00000002.227075352.000000001611E000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.226255781.000000000A666000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.slf4j.org/codes.html#version_mismatch
Source: TempFile39122.2.dr	String found in binary or memory: https://ac.ecosia.org/autocomplete?q=
Source: java.exe, 00000002.00000002.226255781.0000000009BD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://akrien.wtf
Source: java.exe, 00000002.00000002.226255781.0000000009BD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.ipify.org/
Source: java.exe, 00000002.00000003.218897942.0000000017188000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/app-assets/710982414301790216/store/%s.%s
Source: java.exe, 00000002.00000003.218897942.0000000017188000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/avatars/%s/%s.%s
Source: java.exe, 00000002.00000003.218897942.0000000017188000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/banners/%s/%s.%s
Source: java.exe, 00000002.00000003.218897942.0000000017188000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/embed/avatars/%s.png
Source: java.exe, 00000002.00000002.227302640.000000001718F000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219266095.0000000017341000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.226255781.000000000A70B000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000003.219220229.0000000017333000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.218897942.0000000017188000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/guild-events/%s/%s.%s
Source: java.exe, 00000002.00000002.227302640.000000001718F000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.218897942.0000000017188000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/guild-events/%s/%s.%sU
Source: java.exe, 00000002.00000003.218696916.00000000160E7000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.227075352.000000001611E000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.226255781.000000000A666000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/guilds/%s/users/%s/avatars/%s.%s
Source: java.exe, 00000002.00000003.218696916.00000000160E7000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.227075352.000000001611E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/guilds/%s/users/%s/avatars/%s.%ssetOfk
Source: java.exe, 00000002.00000002.227302640.000000001718F000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.226255781.000000000A70B000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000003.219260046.0000000017313000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.218897942.0000000017188000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/icons/%s/%s.%s
Source: java.exe, 00000002.00000002.227302640.000000001718F000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.218897942.0000000017188000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/icons/%s/%s.%ss
Source: java.exe, 00000002.00000002.227302640.000000001718F000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.226255781.000000000A70B000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000003.219260046.0000000017313000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.218897942.0000000017188000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/splashes/%s/%s.png
Source: java.exe, 00000002.00000002.227302640.000000001718F000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.218897942.0000000017188000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/splashes/%s/%s.png.2
Source: java.exe, 00000002.00000003.218897942.0000000017188000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/stickers/%s.%s
Source: java.exe, 00000002.00000003.218897942.0000000017188000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/team-icons/%s/%s.png
Source: java.exe, 00000002.00000002.227302640.000000001718F000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.218897942.0000000017188000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/team-icons/%s/%s.png%
Source: TempFile39122.2.dr	String found in binary or memory: https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=
Source: java.exe, 00000002.00000002.227302640.000000001718F000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219266095.0000000017341000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.226255781.000000000A76E000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.220565046.0000000004D3D000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.227302640.0000000017100000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219220229.0000000017333000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.218897942.0000000017188000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v%d/
Source: java.exe, 00000002.00000002.226255781.000000000A76E000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v10/
Source: java.exe, 00000002.00000002.220565046.0000000004D3D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v10/c9x
Source: java.exe, 00000002.00000002.220565046.0000000004D3D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v10/users/
Source: java.exe, 00000002.00000002.226255781.0000000009BD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/api/v9/users/
Source: java.exe, 00000002.00000003.218897942.0000000017188000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/channels/%s/%s
Source: java.exe, 00000002.00000002.227302640.000000001718F000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.218897942.0000000017188000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/channels/%s/%s%X
Source: java.exe, 00000002.00000003.218897942.0000000017188000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/channels/%s/%s/%s
Source: java.exe, 00000002.00000002.227302640.000000001718F000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.218897942.0000000017188000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/oauth2/authorize?client_id=
Source: java.exe, 00000002.00000003.219164199.0000000017150000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.227302640.0000000017100000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.com/oauth2/authorize?client_id=t
Source: java.exe, 00000002.00000002.227302640.000000001718F000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219266095.0000000017341000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219260046.0000000017313000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219220229.0000000017333000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.218897942.0000000017188000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.gg/
Source: java.exe, 00000002.00000002.227302640.000000001718F000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.218897942.0000000017188000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://discord.gg/sh
Source: TempFile39122.2.dr	String found in binary or memory: https://duckduckgo.com/ac/?q=
Source: java.exe, 00000002.00000003.216430488.00000000005B4000.00000004.00000020.00020000.00000000.sdmp, TempFile39122.2.dr	String found in binary or memory: https://duckduckgo.com/chrome_newtab
Source: TempFile39122.2.dr	String found in binary or memory: https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=
Source: java.exe, 00000002.00000003.218897942.0000000017188000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://github.com/DV8FromTheWorld/JDA
Source: java.exe, 00000002.00000002.226255781.0000000009BD5000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.226255781.0000000009E85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ipv4.icanhazip.com/
Source: java.exe, 00000002.00000002.227302640.000000001718F000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219266095.0000000017341000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219220229.0000000017333000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.218897942.0000000017188000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jda.wiki/using-jda/gateway-intents-and-member-cache-policy/
Source: java.exe, 00000002.00000002.227302640.000000001718F000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219266095.0000000017341000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219220229.0000000017333000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.218897942.0000000017188000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jda.wiki/using-jda/troubleshooting/#cannot-get-message-content-attempting-to-access-message-
Source: java.exe, 00000002.00000002.227302640.000000001718F000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219266095.0000000017341000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.226255781.000000000A70B000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000003.219220229.0000000017333000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.218897942.0000000017188000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jda.wiki/using-jda/troubleshooting/#im-getting-closecode4014-disallowed-intents
Source: java.exe, 00000002.00000002.227302640.000000001718F000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.218897942.0000000017188000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://jda.wiki/using-jda/troubleshooting/#im-getting-closecode4014-disallowed-intentstion:
Source: java.exe, 00000002.00000002.226255781.0000000009E85000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com
Source: java.exe, 00000002.00000002.226255781.0000000009D87000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.226255781.0000000009E22000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: java.exe, 00000002.00000003.216430488.00000000005B4000.00000004.00000020.00020000.00000000.sdmp, TempFile39122.2.dr	String found in binary or memory: https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search
Source: java.exe, 00000002.00000003.216430488.00000000005B4000.00000004.00000020.00020000.00000000.sdmp, TempFile39122.2.dr	String found in binary or memory: https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=
Source: java.exe, 00000002.00000003.216430488.00000000005B4000.00000004.00000020.00020000.00000000.sdmp, TempFile39122.2.dr	String found in binary or memory: https://search.yahoo.com?fr=crmas_sfp
Source: java.exe, 00000002.00000003.216430488.00000000005B4000.00000004.00000020.00020000.00000000.sdmp, TempFile39122.2.dr	String found in binary or memory: https://search.yahoo.com?fr=crmas_sfpf
Source: java.exe, 00000002.00000002.227302640.000000001718F000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219266095.0000000017341000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219220229.0000000017333000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.218897942.0000000017188000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://support-dev.discord.com/hc/en-us/articles/4404772028055-Message-Content-Privileged-Intent-FA
Source: java.exe, 00000002.00000002.226255781.0000000009BD5000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.226255781.0000000009FFA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.226255781.000000000A59F000.00000004.00000800.00020000.00000000.sdmp, UserInformation.txt.2.dr, Passwords.txt.2.dr, Google_[Chrome]_Default.txt0.2.dr, InstalledSoftware.txt.2.dr	String found in binary or memory: https://t.me/nyooooom
Source: java.exe, 00000002.00000002.226255781.0000000009BD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/feed
Source: java.exe, 00000002.00000002.226255781.0000000009BD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://vk.com/id
Source: java.exe, 00000002.00000002.226255781.0000000009BD5000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://whatismyhostname.com/raw/ip/
Source: TempFile39122.2.dr	String found in binary or memory: https://www.google.com/favicon.ico
Source: java.exe, 00000002.00000002.227075352.000000001611E000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://www.youtube.com/watch?v=dQw4w9WgXcQ

Source: unknown

DNS traffic detected: queries for: ipv4.icanhazip.com

Source: global traffic

HTTP traffic detected: GET /raw HTTP/1.1User-Agent: Java/1.8.0_211Host: myexternalip.comAccept: text/html, image/gif, image/jpeg, *; q=.2, */*; q=.2Connection: keep-alive

Source: unknown	HTTPS traffic detected: 104.18.115.97:443 -> 192.168.2.4:49708 version: TLS 1.2
Source: unknown	HTTPS traffic detected: 162.159.138.232:443 -> 192.168.2.4:49710 version: TLS 1.2

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\6XAaqIWeJt.jar"" >> C:\cmdlinestart.log 2>&1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe "C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\6XAaqIWeJt.jar"
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe "C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\6XAaqIWeJt.jar"	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M	Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6972:120:WilError_01
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6868:120:WilError_01

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto

Jump to behavior

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe

File created: C:\Users\user\AppData\Local\Temp\hsperfdata_user

Jump to behavior

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe

Section loaded: C:\Program Files (x86)\Java\jre1.8.0_211\bin\client\jvm.dll

Jump to behavior

Source: java.exe	String found in binary or memory: *net/lingala/zip4j/tasks/AddFolderToZipTask
Source: java.exe	String found in binary or memory: net/lingala/zip4j/tasks/AddFilesToZipTask$AddFilesToZipTaskParameters
Source: java.exe	String found in binary or memory: IHI(Lnet/lingala/zip4j/tasks/AddFolderToZipTask$AddFolderToZipTaskParameters;)Ljava/io/File;
Source: java.exe	String found in binary or memory: D>net/lingala/zip4j/tasks/AddStreamToZipTask$AddStreamToZipTaskParameters
Source: java.exe	String found in binary or memory: A(Lokhttp3/Address;Lokhttp3/internal/connection/RealCall;Ljava/util/List;Z)Z
Source: java.exe	String found in binary or memory: bynet/lingala/zip4j/tasks/AddFolderToZipTask
Source: java.exe	String found in binary or memory: 3Lnet/lingala/zip4j/tasks/AddFolderToZipTask;

Source: classification engine

Classification label: mal52.troj.spyw.expl.winJAR@7/20@3/3

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	File read: C:\Windows\System32\drivers\etc\hosts	Jump to behavior

Source: java.exe, 00000002.00000002.227556092.000000006C379000.00000002.00000001.01000000.00000006.sdmp, sqlite-3.41.0.0-d1f53158-b755-46b7-bb24-3c604b650f2a-sqlitejdbc.dll.2.dr	Binary or memory string: UPDATE %Q.sqlite_master SET tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqliteX_autoindex%%' ESCAPE 'X' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: java.exe, 00000002.00000002.227556092.000000006C379000.00000002.00000001.01000000.00000006.sdmp, sqlite-3.41.0.0-d1f53158-b755-46b7-bb24-3c604b650f2a-sqlitejdbc.dll.2.dr	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: java.exe, 00000002.00000002.227556092.000000006C379000.00000002.00000001.01000000.00000006.sdmp, sqlite-3.41.0.0-d1f53158-b755-46b7-bb24-3c604b650f2a-sqlitejdbc.dll.2.dr	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: java.exe, 00000002.00000002.227556092.000000006C379000.00000002.00000001.01000000.00000006.sdmp, sqlite-3.41.0.0-d1f53158-b755-46b7-bb24-3c604b650f2a-sqlitejdbc.dll.2.dr	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: java.exe, 00000002.00000002.220276985.0000000000707000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: select * from autofill;y
Source: java.exe, 00000002.00000002.227556092.000000006C379000.00000002.00000001.01000000.00000006.sdmp, sqlite-3.41.0.0-d1f53158-b755-46b7-bb24-3c604b650f2a-sqlitejdbc.dll.2.dr	Binary or memory string: INSERT INTO %Q.sqlite_master VALUES('index',%Q,%Q,#%d,%Q);
Source: java.exe, 00000002.00000002.227556092.000000006C379000.00000002.00000001.01000000.00000006.sdmp, sqlite-3.41.0.0-d1f53158-b755-46b7-bb24-3c604b650f2a-sqlitejdbc.dll.2.dr	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: java.exe, 00000002.00000002.226255781.0000000009BD5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: select * from logins;
Source: java.exe, 00000002.00000003.215205112.00000000005AA000.00000004.00000020.00020000.00000000.sdmp, TempFile24632.2.dr	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));
Source: java.exe, 00000002.00000002.227556092.000000006C379000.00000002.00000001.01000000.00000006.sdmp, sqlite-3.41.0.0-d1f53158-b755-46b7-bb24-3c604b650f2a-sqlitejdbc.dll.2.dr	Binary or memory string: CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY,parentnode);
Source: java.exe, 00000002.00000002.226255781.0000000009BD5000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.220276985.0000000000707000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: select * from autofill;
Source: java.exe, 00000002.00000002.226255781.0000000009BD5000.00000004.00000800.00020000.00000000.sdmp	Binary or memory string: select * from cookies;

Source: 6XAaqIWeJt.jar

Static file information: File size 29321777 > 1048576

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe

File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

Jump to behavior

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	Code function: 2_3_160FCB48 push eax; retf	2_3_160FCB49
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	Code function: 2_3_160FC358 pushad ; ret	2_3_160FC359
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	Code function: 2_3_15E4CF8C pushad ; iretd	2_3_15E4CF8D
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	Code function: 2_3_15E4C388 pushad ; ret	2_3_15E4C38D

Persistence and Installation Behavior

Exploit detected, runtime environment dropped PE file

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe

File created: jna5476903323984237763.dll.2.dr

Jump to dropped file

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	File created: C:\Users\user\AppData\Local\Temp\jna-101308983\jna5476903323984237763.dll			Jump to dropped file
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	File created: C:\Users\user\AppData\Local\Temp\sqlite-3.41.0.0-d1f53158-b755-46b7-bb24-3c604b650f2a-sqlitejdbc.dll			Jump to dropped file

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe

File created: C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]\InstalledSoftware.txt

Jump to behavior

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe

Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe

Registry key enumerated: More than 150 enums for key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe

Code function: 2_3_160EC30E sldt word ptr [eax]

2_3_160EC30E

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	File opened: C:\Users\user\AppData\Local\Temp\jna-101308983\	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	File opened: C:\Users\user\AppData\Local\Temp\jna-101308983\jna5476903323984237763.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	File opened: C:\Users\user\	Jump to behavior

Source: java.exe, 00000002.00000003.206016359.0000000014A64000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: java.exe, 00000002.00000003.206016359.0000000014A64000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: java.exe, 00000002.00000002.220400922.00000000023A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: ,java/lang/VirtualMachineError
Source: java.exe, 00000002.00000002.220400922.00000000023A0000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: \|[Ljava/lang/VirtualMachineError;
Source: java.exe, 00000002.00000003.206016359.0000000014A64000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: org/omg/CORBA/OMGVMCID.classPK
Source: java.exe, 00000002.00000003.206016359.0000000014A64000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: java/lang/VirtualMachineError.classPK
Source: java.exe, 00000002.00000002.220160463.000000000053B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe

Memory protected: page read and write | page guard

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe "C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\6XAaqIWeJt.jar"			Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M			Jump to behavior

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Local State VolumeInformation	Jump to behavior

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Local Storage\leveldb\000003.log	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Mitre Att&ck Matrix

Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Exfiltration	Command and Control	Network Effects	Remote Service Effects	Impact
Valid Accounts	2 Command and Scripting Interpreter	1 Services File Permissions Weakness	11 Process Injection	1 Masquerading	1 OS Credential Dumping	1 Security Software Discovery	Remote Services	1 Data from Local System	Exfiltration Over Other Network Medium	2 Encrypted Channel	Eavesdrop on Insecure Network Communication	Remotely Track Device Without Authorization	Modify System Partition
Default Accounts	1 Exploitation for Client Execution	Boot or Logon Initialization Scripts	1 Services File Permissions Weakness	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Process Discovery	Remote Desktop Protocol	Data from Removable Media	Exfiltration Over Bluetooth	1 Ingress Tool Transfer	Exploit SS7 to Redirect Phone Calls/SMS	Remotely Wipe Data Without Authorization	Device Lockout
Domain Accounts	At (Linux)	Logon Script (Windows)	Logon Script (Windows)	1 Disable or Modify Tools	Security Account Manager	1 Virtualization/Sandbox Evasion	SMB/Windows Admin Shares	Data from Network Shared Drive	Automated Exfiltration	2 Non-Application Layer Protocol	Exploit SS7 to Track Device Location	Obtain Device Cloud Backups	Delete Device Data
Local Accounts	At (Windows)	Logon Script (Mac)	Logon Script (Mac)	11 Process Injection	NTDS	1 Remote System Discovery	Distributed Component Object Model	Input Capture	Scheduled Transfer	3 Application Layer Protocol	SIM Card Swap		Carrier Billing Fraud
Cloud Accounts	Cron	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	1 System Network Configuration Discovery	SSH	Keylogging	Data Transfer Size Limits	Fallback Channels	Manipulate Device Communication		Manipulate App Store Rankings or Ratings
Replication Through Removable Media	Launchd	Rc.common	Rc.common	1 Services File Permissions Weakness	Cached Domain Credentials	1 File and Directory Discovery	VNC	GUI Input Capture	Exfiltration Over C2 Channel	Multiband Communication	Jamming or Denial of Service		Abuse Accessibility Features
External Remote Services	Scheduled Task	Startup Items	Startup Items	Compile After Delivery	DCSync	22 System Information Discovery	Windows Remote Management	Web Portal Capture	Exfiltration Over Alternative Protocol	Commonly Used Port	Rogue Wi-Fi Access Points		Data Encrypted for Impact

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
6XAaqIWeJt.jar	0%	ReversingLabs

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\jna-101308983\jna5476903323984237763.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\sqlite-3.41.0.0-d1f53158-b755-46b7-bb24-3c604b650f2a-sqlitejdbc.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
https://discord.com/api/v10/	0%	Avira URL Cloud	safe
https://discord.com/api/v9/users/	0%	Avira URL Cloud	safe
https://discord.com/oauth2/authorize?client_id=t	0%	Avira URL Cloud	safe
https://discord.com/oauth2/authorize?client_id=	0%	Avira URL Cloud	safe
https://whatismyhostname.com/raw/ip/	0%	Avira URL Cloud	safe
http://policy.camerfirma.com0	0%	Avira URL Cloud	safe
https://support-dev.discord.com/hc/en-us/articles/4404772028055-Message-Content-Privileged-Intent-FA	0%	Avira URL Cloud	safe
http://crl.chambersign.org/chambersroot.crl0	0%	Avira URL Cloud	safe
http://www.certplus.com/CRL/class3P.crl0	0%	Avira URL Cloud	safe
https://ocsp.quovadisoffshore.com	0%	Avira URL Cloud	safe
https://jda.wiki/using-jda/troubleshooting/#im-getting-closecode4014-disallowed-intents	0%	Avira URL Cloud	safe
http://www.certplus.com/CRL/class2.crl0	0%	Avira URL Cloud	safe
http://www.chambersign.org1	0%	Avira URL Cloud	safe
http://www.certplus.com/CRL/class2.crl	0%	Avira URL Cloud	safe
http://crl.securetrust.com/STCA.crl	0%	Avira URL Cloud	safe
http://bugreport.sun.com/bugreport/	0%	Avira URL Cloud	safe
http://ipecho.net/plain	0%	Avira URL Cloud	safe
https://akrien.wtf	0%	Avira URL Cloud	safe
https://discord.com/api/v10/c9x	0%	Avira URL Cloud	safe
https://discord.com/channels/%s/%s/%s	0%	Avira URL Cloud	safe
http://www.certplus.com/CRL/class3P.crl	0%	Avira URL Cloud	safe
https://discord.com/channels/%s/%s	0%	Avira URL Cloud	safe
http://cps.chambersign.org/cps/chambersroot.html	0%	Avira URL Cloud	safe
https://discord.com/api/v%d/	0%	Avira URL Cloud	safe
http://crl.xrampsecurity.com/XGCA.crl0	0%	Avira URL Cloud	safe
http://www.quovadis.bm0	0%	Avira URL Cloud	safe
https://discord.gg/sh	0%	Avira URL Cloud	safe
https://jda.wiki/using-jda/troubleshooting/#cannot-get-message-content-attempting-to-access-message-	0%	Avira URL Cloud	safe
http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0	0%	Avira URL Cloud	safe
http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl	0%	Avira URL Cloud	safe
http://cps.chambersign.org/cps/chambersroot.html0	0%	Avira URL Cloud	safe
http://crl.securetrust.com/STCA.crl0	0%	Avira URL Cloud	safe
https://discord.gg/	0%	Avira URL Cloud	safe
https://ocsp.quovadisoffshore.com0	0%	Avira URL Cloud	safe
https://discord.com/channels/%s/%s%X	0%	Avira URL Cloud	safe
http://www.chambersign.org	0%	Avira URL Cloud	safe
https://discord.com/api/v10/users/	0%	Avira URL Cloud	safe
http://www.quovadis.bm	0%	Avira URL Cloud	safe
http://crl.xrampsecurity.com/XGCA.crl	0%	Avira URL Cloud	safe
https://jda.wiki/using-jda/gateway-intents-and-member-cache-policy/	0%	Avira URL Cloud	safe
https://jda.wiki/using-jda/troubleshooting/#im-getting-closecode4014-disallowed-intentstion:	0%	Avira URL Cloud	safe
http://crl.chambersign.org/chambersroot.crl	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
ipv4.icanhazip.com	104.18.115.97	true	false	high
myexternalip.com	34.160.111.145	true	false	high
discord.com	162.159.138.232	true	false	unknown

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://myexternalip.com/raw	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
https://duckduckgo.com/chrome_newtab	java.exe, 00000002.00000003.216430488.00000000005B4000.00000004.00000020.00020000.00000000.sdmp, TempFile39122.2.dr	false		high
https://cdn.discordapp.com/stickers/%s.%s	java.exe, 00000002.00000003.218897942.0000000017188000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/ac/?q=	TempFile39122.2.dr	false		high
http://www.slf4j.org/codes.html#StaticLoggerBinderIT	java.exe, 00000002.00000003.218696916.00000000160E7000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.227075352.000000001611E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.chambersign.org/chambersroot.crl0	java.exe, 00000002.00000002.226255781.0000000009D87000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.226255781.0000000009E22000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.chambersign.org1	java.exe, 00000002.00000002.226255781.0000000009D87000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.226255781.0000000009E22000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://repository.swisssign.com/0	java.exe, 00000002.00000002.226255781.0000000009D87000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.226255781.0000000009E22000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.slf4j.org/codes.html#multiple_bindingse/Cache	java.exe, 00000002.00000003.218696916.00000000160E7000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.227075352.000000001611E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ocsp.quovadisoffshore.com	java.exe, 00000002.00000002.226255781.0000000009E85000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://jda.wiki/using-jda/troubleshooting/#im-getting-closecode4014-disallowed-intents	java.exe, 00000002.00000002.227302640.000000001718F000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219266095.0000000017341000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.226255781.000000000A70B000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000003.219220229.0000000017333000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.218897942.0000000017188000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.certplus.com/CRL/class3P.crl0	java.exe, 00000002.00000002.226255781.0000000009D87000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.226255781.0000000009E22000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://support-dev.discord.com/hc/en-us/articles/4404772028055-Message-Content-Privileged-Intent-FA	java.exe, 00000002.00000002.227302640.000000001718F000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219266095.0000000017341000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219220229.0000000017333000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.218897942.0000000017188000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.certplus.com/CRL/class2.crl0	java.exe, 00000002.00000002.226255781.0000000009D87000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.226255781.0000000009E85000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://checkip.amazonaws.com/	java.exe, 00000002.00000002.226255781.0000000009BD5000.00000004.00000800.00020000.00000000.sdmp	false		high
https://discord.com/oauth2/authorize?client_id=t	java.exe, 00000002.00000003.219164199.0000000017150000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.227302640.0000000017100000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.discordapp.com/guild-events/%s/%s.%s	java.exe, 00000002.00000002.227302640.000000001718F000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219266095.0000000017341000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.226255781.000000000A70B000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000003.219220229.0000000017333000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.218897942.0000000017188000.00000004.00000020.00020000.00000000.sdmp	false		high
https://discord.com/api/v9/users/	java.exe, 00000002.00000002.226255781.0000000009BD5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.slf4j.org/codes.html#multiple_bindings	java.exe, 00000002.00000002.227075352.000000001611E000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.226255781.000000000A666000.00000004.00000800.00020000.00000000.sdmp	false		high
https://discord.com/api/v10/	java.exe, 00000002.00000002.226255781.000000000A76E000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://discord.com/oauth2/authorize?client_id=	java.exe, 00000002.00000002.227302640.000000001718F000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.218897942.0000000017188000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://policy.camerfirma.com0	java.exe, 00000002.00000002.226255781.0000000009D87000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.226255781.0000000009E22000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://whatismyhostname.com/raw/ip/	java.exe, 00000002.00000002.226255781.0000000009BD5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.certplus.com/CRL/class2.crl	java.exe, 00000002.00000002.226255781.0000000009E85000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://akrien.wtf	java.exe, 00000002.00000002.226255781.0000000009BD5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://discord.com/channels/%s/%s	java.exe, 00000002.00000003.218897942.0000000017188000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://bugreport.sun.com/bugreport/	java.exe, 00000002.00000002.226255781.0000000009BC5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://java.oracle.com/	java.exe, 00000002.00000002.226255781.0000000009BD5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://null.oracle.com/	java.exe, 00000002.00000003.219082038.0000000014BD7000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.226255781.0000000009D87000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000003.219007145.0000000014BAB000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219212497.0000000014C07000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.226831499.0000000015256000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.226776118.0000000014BB2000.00000004.00000020.00020000.00000000.sdmp	false		high
https://duckduckgo.com/favicon.icohttps://duckduckgo.com/?q=	TempFile39122.2.dr	false		high
http://www.slf4j.org/codes.html#unsuccessfulInit_7	java.exe, 00000002.00000003.218696916.00000000160E7000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.227075352.000000001611E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://discord.com/api/v10/c9x	java.exe, 00000002.00000002.220565046.0000000004D3D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://search.yahoo.com/sugg/chrome?output=fxjson&appid=crmas_sfp&command=	java.exe, 00000002.00000003.216430488.00000000005B4000.00000004.00000020.00020000.00000000.sdmp, TempFile39122.2.dr	false		high
http://cps.chambersign.org/cps/chambersroot.html	java.exe, 00000002.00000002.226255781.0000000009E22000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://ipecho.net/plain	java.exe, 00000002.00000002.226255781.0000000009BD5000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://www.google.com/favicon.ico	TempFile39122.2.dr	false		high
http://www.certplus.com/CRL/class3P.crl	java.exe, 00000002.00000002.226255781.0000000009E22000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.slf4j.org/codes.html#substituteLogger	java.exe, 00000002.00000002.227075352.000000001611E000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.226255781.000000000A666000.00000004.00000800.00020000.00000000.sdmp	false		high
https://discord.com/channels/%s/%s/%s	java.exe, 00000002.00000003.218897942.0000000017188000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.securetrust.com/STCA.crl	java.exe, 00000002.00000002.226255781.0000000009E22000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.slf4j.org/codes.html#unsuccessfulInitn32/Win	java.exe, 00000002.00000003.218696916.00000000160E7000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.227075352.000000001611E000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.slf4j.org/codes.html#StaticLoggerBinder	java.exe, 00000002.00000002.226255781.000000000A666000.00000004.00000800.00020000.00000000.sdmp, cmdlinestart.log.0.dr	false		high
http://crl.xrampsecurity.com/XGCA.crl0	java.exe, 00000002.00000002.226255781.0000000009D87000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.226255781.0000000009E22000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.discordapp.com/team-icons/%s/%s.png	java.exe, 00000002.00000003.218897942.0000000017188000.00000004.00000020.00020000.00000000.sdmp	false		high
https://discord.com/api/v%d/	java.exe, 00000002.00000002.227302640.000000001718F000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219266095.0000000017341000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.226255781.000000000A76E000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.220565046.0000000004D3D000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.227302640.0000000017100000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219220229.0000000017333000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.218897942.0000000017188000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.quovadis.bm0	java.exe, 00000002.00000002.226255781.0000000009D87000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.226255781.0000000009E22000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://discord.gg/sh	java.exe, 00000002.00000002.227302640.000000001718F000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.218897942.0000000017188000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ipv4.icanhazip.com/	java.exe, 00000002.00000002.226255781.0000000009BD5000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.226255781.0000000009E85000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.discordapp.com/guilds/%s/users/%s/avatars/%s.%s	java.exe, 00000002.00000003.218696916.00000000160E7000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.227075352.000000001611E000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.226255781.000000000A666000.00000004.00000800.00020000.00000000.sdmp	false		high
http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0	java.exe, 00000002.00000002.226255781.0000000009D87000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.226255781.0000000009E85000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.discordapp.com/icons/%s/%s.%ss	java.exe, 00000002.00000002.227302640.000000001718F000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.218897942.0000000017188000.00000004.00000020.00020000.00000000.sdmp	false		high
https://t.me/nyooooom	java.exe, 00000002.00000002.226255781.0000000009BD5000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.226255781.0000000009FFA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.226255781.000000000A59F000.00000004.00000800.00020000.00000000.sdmp, UserInformation.txt.2.dr, Passwords.txt.2.dr, Google_[Chrome]_Default.txt0.2.dr, InstalledSoftware.txt.2.dr	false		high
http://cps.chambersign.org/cps/chambersroot.html0	java.exe, 00000002.00000002.226255781.0000000009D87000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.226255781.0000000009E22000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://discord.gg/	java.exe, 00000002.00000002.227302640.000000001718F000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219266095.0000000017341000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219260046.0000000017313000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219220229.0000000017333000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.218897942.0000000017188000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://jda.wiki/using-jda/troubleshooting/#cannot-get-message-content-attempting-to-access-message-	java.exe, 00000002.00000002.227302640.000000001718F000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219266095.0000000017341000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219220229.0000000017333000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.218897942.0000000017188000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://search.yahoo.com?fr=crmas_sfpf	java.exe, 00000002.00000003.216430488.00000000005B4000.00000004.00000020.00020000.00000000.sdmp, TempFile39122.2.dr	false		high
http://policy.camerfirma.com	java.exe, 00000002.00000002.226255781.0000000009E22000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.slf4j.org/codes.html#unsuccessfulInit	java.exe, 00000002.00000002.226255781.000000000A666000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/STCA.crl0	java.exe, 00000002.00000002.226255781.0000000009D87000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.226255781.0000000009E22000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.discordapp.com/banners/%s/%s.%s	java.exe, 00000002.00000003.218897942.0000000017188000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.quovadisglobal.com/cps0	java.exe, 00000002.00000002.226255781.0000000009D87000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.226255781.0000000009E22000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.discordapp.com/splashes/%s/%s.png.2	java.exe, 00000002.00000002.227302640.000000001718F000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.218897942.0000000017188000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.slf4j.org/codes.html#null_MDCA	java.exe, 00000002.00000003.219266095.0000000017450000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.220565046.0000000004D3D000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000003.218897942.0000000017188000.00000004.00000020.00020000.00000000.sdmp	false		high
http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl	java.exe, 00000002.00000002.226255781.0000000009E85000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.slf4j.org/codes.html#no_static_mdc_binder	java.exe, 00000002.00000002.220565046.0000000004D3D000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000003.218897942.0000000017188000.00000004.00000020.00020000.00000000.sdmp, cmdlinestart.log.0.dr	false		high
https://cdn.discordapp.com/splashes/%s/%s.png	java.exe, 00000002.00000002.227302640.000000001718F000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.226255781.000000000A70B000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000003.219260046.0000000017313000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.218897942.0000000017188000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.slf4j.org/codes.html#loggerNameMismatch	java.exe, 00000002.00000002.227075352.000000001611E000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.226255781.000000000A666000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.slf4j.org/codes.html#null_LF1	java.exe, 00000002.00000003.218696916.00000000160E7000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.227075352.000000001611E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ocsp.quovadisoffshore.com0	java.exe, 00000002.00000002.226255781.0000000009D87000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.226255781.0000000009E22000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.discordapp.com/embed/avatars/%s.png	java.exe, 00000002.00000003.218897942.0000000017188000.00000004.00000020.00020000.00000000.sdmp	false		high
https://www.youtube.com/watch?v=dQw4w9WgXcQ	java.exe, 00000002.00000002.227075352.000000001611E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://discord.com/channels/%s/%s%X	java.exe, 00000002.00000002.227302640.000000001718F000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.218897942.0000000017188000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://vk.com/id	java.exe, 00000002.00000002.226255781.0000000009BD5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.slf4j.org/codes.html#replay	java.exe, 00000002.00000002.227075352.000000001611E000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.226255781.000000000A666000.00000004.00000800.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/	java.exe, 00000002.00000002.226255781.0000000009E22000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.chambersign.org	java.exe, 00000002.00000002.226255781.0000000009FAF000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.slf4j.org/codes.html#no_static_mdc_binderject	java.exe, 00000002.00000002.227302640.000000001718F000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219266095.0000000017341000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219220229.0000000017333000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.218897942.0000000017188000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.ipify.org/	java.exe, 00000002.00000002.226255781.0000000009BD5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.xrampsecurity.com/XGCA.crl	java.exe, 00000002.00000002.226255781.0000000009E22000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://discord.com/api/v10/users/	java.exe, 00000002.00000002.220565046.0000000004D3D000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.discordapp.com/guild-events/%s/%s.%sU	java.exe, 00000002.00000002.227302640.000000001718F000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.218897942.0000000017188000.00000004.00000020.00020000.00000000.sdmp	false		high
https://search.yahoo.com/favicon.icohttps://search.yahoo.com/search	java.exe, 00000002.00000003.216430488.00000000005B4000.00000004.00000020.00020000.00000000.sdmp, TempFile39122.2.dr	false		high
http://www.quovadisglobal.com/cps	java.exe, 00000002.00000002.226255781.0000000009E22000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.discordapp.com/team-icons/%s/%s.png%	java.exe, 00000002.00000002.227302640.000000001718F000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.218897942.0000000017188000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com/DV8FromTheWorld/JDA	java.exe, 00000002.00000003.218897942.0000000017188000.00000004.00000020.00020000.00000000.sdmp	false		high
https://ac.ecosia.org/autocomplete?q=	TempFile39122.2.dr	false		high
https://search.yahoo.com?fr=crmas_sfp	java.exe, 00000002.00000003.216430488.00000000005B4000.00000004.00000020.00020000.00000000.sdmp, TempFile39122.2.dr	false		high
https://jda.wiki/using-jda/gateway-intents-and-member-cache-policy/	java.exe, 00000002.00000002.227302640.000000001718F000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219266095.0000000017341000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219220229.0000000017333000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.218897942.0000000017188000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.slf4j.org/codes.html#null_MDCAHk$	java.exe, 00000002.00000002.227302640.0000000017450000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219220229.0000000017450000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.219266095.0000000017450000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.discordapp.com/guilds/%s/users/%s/avatars/%s.%ssetOfk	java.exe, 00000002.00000003.218696916.00000000160E7000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.227075352.000000001611E000.00000004.00000020.00020000.00000000.sdmp	false		high
https://cdn.discordapp.com/app-assets/710982414301790216/store/%s.%s	java.exe, 00000002.00000003.218897942.0000000017188000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.slf4j.org/codes.html	java.exe, 00000002.00000002.227075352.000000001611E000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.226255781.000000000A666000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.discordapp.com/avatars/%s/%s.%s	java.exe, 00000002.00000003.218897942.0000000017188000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.quovadis.bm	java.exe, 00000002.00000002.226255781.0000000009E85000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.discordapp.com/icons/%s/%s.%s	java.exe, 00000002.00000002.227302640.000000001718F000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.226255781.000000000A70B000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000003.219260046.0000000017313000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.218897942.0000000017188000.00000004.00000020.00020000.00000000.sdmp	false		high
https://jda.wiki/using-jda/troubleshooting/#im-getting-closecode4014-disallowed-intentstion:	java.exe, 00000002.00000002.227302640.000000001718F000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.218897942.0000000017188000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://vk.com/feed	java.exe, 00000002.00000002.226255781.0000000009BD5000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.slf4j.org/codes.html#version_mismatch	java.exe, 00000002.00000002.227075352.000000001611E000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.226255781.000000000A666000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.ecosia.org/assets/images/ico/favicon.icohttps://www.ecosia.org/search?q=	TempFile39122.2.dr	false		high
http://crl.chambersign.org/chambersroot.crl	java.exe, 00000002.00000002.226255781.0000000009E22000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
162.159.138.232	discord.com	United States	13335	CLOUDFLARENETUS	false
104.18.115.97	ipv4.icanhazip.com	United States	13335	CLOUDFLARENETUS	false
34.160.111.145	myexternalip.com	United States	2686	ATGS-MMD-ASUS	false

General Information

Joe Sandbox Version:	38.0.0 Beryl
Analysis ID:	1312575
Start date and time:	2023-09-21 21:02:45 +02:00
Joe Sandbox Product:	CloudBasic
Overall analysis duration:	0h 5m 19s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsfilecookbook.jbs
Analysis system description:	Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes analysed:	5
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled GSI enabled (Java) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample file name:	6XAaqIWeJt.jar
Original Sample Name:	5286e612ca35302536507939d609b47dac54b42b6c76238ab2aee60ec6204a0c.jar
Detection:	MAL
Classification:	mal52.troj.spyw.expl.winJAR@7/20@3/3
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 1
Cookbook Comments:	Found application associated with file extension: .jar Stop behavior analysis, all processes terminated

Warnings

Execution Graph export aborted for target java.exe, PID 6908 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Reached maximum number of file to list during submission archive extraction
Report size getting too big, too many NtAllocateVirtualMemory calls found.
Report size getting too big, too many NtDeviceIoControlFile calls found.
Report size getting too big, too many NtQueryValueKey calls found.
Report size getting too big, too many NtReadFile calls found.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.
VT rate limit hit for: 6XAaqIWeJt.jar

Process:	C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	57
Entropy (8bit):	4.883083602104782
Encrypted:	false
SSDEEP:	3:oFj4I5vpN6yUQDf:oJ5X6yT
MD5:	9D93FF6908574E97F9A8969EEB43C7A3
SHA1:	C757E49C09BD9731FE5557BE21806E8D49E6AF22
SHA-256:	E62291D1F6AA01CDA08C8E69B5BDFF2FE54BD1BCF72AD93E84405782A01D076C
SHA-512:	0957A27AD3D7BC7E10273D690CDFC68B3965092E5349F18AC04D8A4F9E88FD5EAF798BD9FCF8098295B4F3F11F0A8BE12D7EF90DE3481B7FD957E44EA2D16AB8
Malicious:	false
Reputation:	low
Preview:	C:\Program Files (x86)\Java\jre1.8.0_211..1695323017628..

C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7].zip

Download File

Process:	C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
File Type:	Zip archive data, at least v1.0 to extract, compression method=store
Category:	dropped
Size (bytes):	653747
Entropy (8bit):	7.996987689518724
Encrypted:	true
SSDEEP:	12288:ldL16TYtGp1QKi+zATZ/ksxImMYse9VOgNcI7U6JP4a0E4VsC:LMYtGQ3t/3xd9Vzcp6JP4a0E0
MD5:	54EDA0E4531133E761F57E6ABC3DE5B2
SHA1:	EEAC205D07F8AE84810C8132FC81046AE8A23054
SHA-256:	C2BBB21F953069653BC6DF956815C650AF29458BC93EEF1B4E05118B1E14ADF8
SHA-512:	858ACDAE3E4C6D732C968FB15520E04A02B899F6D35B2E5E9867B3BBF0DC0C7C9C68237D5CF0C30FEECBEF2E39854397E8B333DA9214CE534A85FC1A7091B8EF
Malicious:	false
Reputation:	low
Preview:	PK........t.5W............/...US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]/Autofills/PK........t.5W/..h........J...US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]/Autofills/Google_[Chrome]_Default.txt.O.j.0.\|.......Q...-....8%I3...Jr..2....I'.D...6.u....Ju0......3.:...p(.....U'O...uG.>.zsDt..r]J...5N...........aT...[...?...(."....+.O..;.....Xd.#YV..d\|\.,...h9.B.2:....s../.q.....r.v...PK........t.5W............-...US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]/Cookies/PK........t.5W.......I...H...US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]/Cookies/Google_[Chrome]_Default.txt.T.n.H.}&R~#/-.U.%?........Xm...ll.?~.23..H...TR...=..:.v.e..d...J.d..o.D.@.U@...A$i.....L...8..A...o..+6.\|.%..<..Z..olt}\5..9qVK.........G(....0c.1.\|...Hx....a...4M.Y.....(D.2....I.F.k.}.2.d.X`n........&..)}....e..$....@..>.E(.........0".SLc.2.h7p{...RD....C...8.@.!J.q....zyq.n.v.4d..D8[.i.i[$.....N.V"..P..R%.R..B.Y....,.j....4.0%Q.....\|....`.S........`..Y....-..>s.....>......1.(...QJr5e...T....I.z.._.b.1j+[#..W._.P.1P...

C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]\Autofills\Google_[Chrome]_Default.txt

Download File

Process:	C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	457
Entropy (8bit):	3.0767031796169326
Encrypted:	false
SSDEEP:	6:j/GWiRKYiwSb35FihOSjeXu47y9BcgbK/RAJ6ocrOCHylyIhzYlKdN35Ag:j/S8bL9ceXD2z3K/RA0VXS8IYlKr3/
MD5:	126F55A8D64B24CCF78CC83D79352D66
SHA1:	B375FE51FBBF2F4885B4A85166ABF2C6FA1EA040
SHA-256:	6B91C31314C424EA366911DACD075D5A29F0E3216EB057134256D4C99F2285F9
SHA-512:	D2CD4EC87E3BD310268D4A14AF66C270269A4CFC9C2158CF8907CB1EDBD02C86455674A6A8126BEB246F5CDE956F0FAF3563BAE6E70E66D6BB92CA1DFC34B1A0
Malicious:	false
Reputation:	low
Preview:	// _ _ ..// \| \| \| \| ..// _ __ ___ \| \|_ ___ __ _ \| \| ___ _ __ ..// \| '_ \ / __\|\| __\| / _ \ / _` \|\| \| / _ \\| '__\|..// \| \| \| \|\__ \\| \|_ \| __/\| (_\| \|\| \|\| __/\| \| ..// \|_\| \|_\|\|___/ \__\| \___\| \__,_\|\|_\| \___\|\|_\| ..// ..// nstealer v2 aka "java redline"..// developed by https://t.me/nyooooom // mvdua (new discord) // noom....

C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]\Cookies\Google_[Chrome]_Default.txt

Download File

Process:	C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	1609
Entropy (8bit):	5.814284691029822
Encrypted:	false
SSDEEP:	48:VN/sLIxFcw7vxIxRcw75xiUS7Nz9pLhnozHpIxlxPv:f08x++vxIxS+5xip7NzVoz+xlxX
MD5:	F8AB673DA6D665FEC147D2566540249B
SHA1:	CFA73C8F2B48D66E5241D0C2515D6DD90BF36B36
SHA-256:	E11420754A34F338CD78B90DF22CBC9693B5766DB6E4A34A53EC78D54C96D0A7
SHA-512:	92EAFB35B143F942AAA8BA54EC693CC9E46DD3DF3A1A03E49BE2F541C914008E674193D71ED71904880994C2A8EDCED528DD47514400AF328031EA3B77248414
Malicious:	false
Reputation:	low
Preview:	.google.com.TRUE./.TRUE.13351689060586313.AEC.Ad49MVEVy5CxtQLtYrblzXz4DifLm5q80KxkAsZM0tGClBBQswyzDRIjhA...google.com.FALSE./.TRUE.13370697060586477.CONSENT.PENDING+494..www.google.com.FALSE./.FALSE.13336137672000000.DV.Uw-QAWGHFCMcQIF0XFQkBViNIwrwnRg...google.com.FALSE./.FALSE.13336147869673553.GOOGLE_ABUSE_EXEMPTION.ID=743584646b6d7876:TM=1691663507:C=r:IP=84.17.52.38-:S=tthyMI8Cvn5vO7C4FE_Vh3U...microsoft.com.FALSE./.TRUE.13367673075667039.MC1.GUID=762ed1c63ceb49b49cb46dba465abf5d&HASH=762e&LV=202308&V=4&LU=1691663513605...microsoft.com.FALSE./.TRUE.13336138875667106.MS0.422da71b383d453fad5f9d7c2bd69b73..dotnet.microsoft.com.FALSE./.TRUE.13367673075943443.MSFPC.GUID=762ed1c63ceb49b49cb46dba465abf5d&HASH=762e&LV=202308&V=4&LU=1691663513605..dotnet.microsoft.com.FALSE./.TRUE.13367673076444095.MicrosoftApplicationsTelemetryDeviceId.82a40d28-864b-41fe-a279-21bff0443578...google.com.FALSE./.TRUE.13370265071547480.SOCS.CAESHAgCEhJnd3NfMjAyMzA4MDMtMF9SQzIaAmVuIAEaBgiA0dCmBg..www.google.com

C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]\InstalledSoftware.txt

Download File

Process:	C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
File Type:	ISO-8859 text, with CRLF line terminators
Category:	dropped
Size (bytes):	3161
Entropy (8bit):	5.138853334349859
Encrypted:	false
SSDEEP:	96:IfDzLNpOJKiDplOdMY84uR/1npIeO9wv0xqwqWtOPPSJ3Iq2OzSTVJS4ep48TuNC:6yQyRfnR/XLTV8qNWMIN
MD5:	55B581415A2A38861B375941712680E1
SHA1:	59925274A6BA3DD0377F9217EB0A91CF9F98689F
SHA-256:	65BF273FDB056A011E143368D0471B1F781AE783688921522876ECA56655CFC2
SHA-512:	71C05C435F5AB8B052817082F0C8DD4E52550F67C9583ECDA7F9A2160E201B1D18720F70A3AEB78570A7BD3B4B6B78C168BA7591FF3E93D0D65CD0942FC89083
Malicious:	false
Reputation:	low
Preview:	// _ _ ..// \| \| \| \| ..// _ __ ___ \| \|_ ___ __ _ \| \| ___ _ __ ..// \| '_ \ / __\|\| __\| / _ \ / _` \|\| \| / _ \\| '__\|..// \| \| \| \|\__ \\| \|_ \| __/\| (_\| \|\| \|\| __/\| \| ..// \|_\| \|_\|\|___/ \__\| \___\| \__,_\|\|_\| \___\|\|_\| ..// ..// nstealer v2 aka "java redline"..// developed by https://t.me/nyooooom // mvdua (new discord) // noom....1) Google.Chrome [115.0.5790.171]..2) Microsoft Office Professional Plus 2016 [16.0.4266.1001]..3) Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501 [12.0.30501.0]..4) Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005 [12.0.21005]..5) Microsoft Visual C++ 2010 x86 Redistributable - 10.0.30319 [10.0.30319]..6) Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.21.27702 [14.21.27702]..7) Microsoft Visual C++ 2019 X86 Additional Runtime - 14.21.27702 [14.21.27702]..8) Java 8 Update 211 [8.0.2110.12]..9) Microsoft Visual

C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]\Passwords.txt

Download File

Process:	C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	457
Entropy (8bit):	3.0767031796169326
Encrypted:	false
SSDEEP:	6:j/GWiRKYiwSb35FihOSjeXu47y9BcgbK/RAJ6ocrOCHylyIhzYlKdN35Ag:j/S8bL9ceXD2z3K/RA0VXS8IYlKr3/
MD5:	126F55A8D64B24CCF78CC83D79352D66
SHA1:	B375FE51FBBF2F4885B4A85166ABF2C6FA1EA040
SHA-256:	6B91C31314C424EA366911DACD075D5A29F0E3216EB057134256D4C99F2285F9
SHA-512:	D2CD4EC87E3BD310268D4A14AF66C270269A4CFC9C2158CF8907CB1EDBD02C86455674A6A8126BEB246F5CDE956F0FAF3563BAE6E70E66D6BB92CA1DFC34B1A0
Malicious:	false
Reputation:	low
Preview:	// _ _ ..// \| \| \| \| ..// _ __ ___ \| \|_ ___ __ _ \| \| ___ _ __ ..// \| '_ \ / __\|\| __\| / _ \ / _` \|\| \| / _ \\| '__\|..// \| \| \| \|\__ \\| \|_ \| __/\| (_\| \|\| \|\| __/\| \| ..// \|_\| \|_\|\|___/ \__\| \___\| \__,_\|\|_\| \___\|\|_\| ..// ..// nstealer v2 aka "java redline"..// developed by https://t.me/nyooooom // mvdua (new discord) // noom....

C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]\Screenshot.png

Download File

Process:	C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	652289
Entropy (8bit):	7.949244064121191
Encrypted:	false
SSDEEP:	12288:KwzYV+YqPa9aa5Q3dP9YsA0gxudGpQANBZcqdo6Jag4fGHRk6ePuZV+9:VzsEaUiQ3dbgwY1cp6Jag4Oxk6I8V+9
MD5:	F4EE9901D997DB46E2E408AF8A614D17
SHA1:	DE8D6EC2D9F1F92E6113903F6BE9C520DB572E6F
SHA-256:	0702671D65CF1179A4386FB974BDE3BB711696B42F1D3F0EE4ED144FD18167D5
SHA-512:	9B866AE173209FF2D4AEDF0A8AD0EE1435E6F22E4212E2C8FF6E07FCD0BB6F45B52EBBAEF667A4E69D4060B5E1F4785028456F060B764ECE29768A00E0DF18C0
Malicious:	false
Reputation:	low
Preview:	.PNG........IHDR.............1.c.....IDATx......E.0............TL..v..K......;.....y...wg....".......`:.`.a...KN............-...vg{z.'t...}...$....i.DA'..f..8...f..H.v.f.0.p$.[...b+Jz...w:Z.J..W.....t.(.L..(.E..(<.F...(.h.D.N.....MN..l.o..:.'~U.v.EA.t.......n...O..d..R....}l.9..F.q'"..v....P.#F.Z.xe`4=%....).v.."q......d.;.e....H5.=.wO}....`.YV.i..D.IG...1"....>....8:..p.BG...b..."..}....,.."Qd.s.(K.(.....\.:.%[.J....h.V.].._.Q.dI?..Zm..D...hY).%...oA....$..<.H..p>`...jV..6tX..0...{$.5.=,.&.O..O.....H...-.. ..a\|...FQwa.y... ^..w..T.}.%[.......(T[M..q.D....Fg.n.t..d......rQ....}...L~u...q....._.`M........~..........8....b.l.l.l..k..>!._%..-o.l.....q..o..........0:7x.........X..l..../.....O_.J.8.e....V..q.mB...E..........H..SD$.........p.........,...b%.0...'.o...K............+.;KD....)....k3.q.....?.......N....J....Xb..[.C.K.:..,......'e ....E..../7.......c.`...W...e...`..............0o.?..:.h...J.....6&z..."....8.e<.......~`F.,......Fv..8m

C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]\TempFile2200

Download File

Process:	C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	160640
Entropy (8bit):	6.040693044421152
Encrypted:	false
SSDEEP:	3072:Mw7HPKsbirDk/jy/GVAmdyKxVjDOH5Hp711NyBTOgd0HhmAnhqj3qm:MGHPKsbigygAkyoVn0XNyTOpBmAh4qm
MD5:	7DA110D90729D57A5B6D17931BC4EE09
SHA1:	992FC1C9F8DEA7B821AC96D28339CD72F0D0AF5D
SHA-256:	4307AAB87D2C9801C30F108ADF0886137B89ADBC6064859F5CB5D8D7B3AD46FC
SHA-512:	C203D5F5AC33FC2E9B9149AD6444833A4AA63A321BBFD23D3CDD15C6CF7A2D9A3399205BE835E18E9F055C95546D6B5512BCB5AF7F548A3730C27461F3C98688
Malicious:	false
Reputation:	low
Preview:	{"browser":{"last_redirect_origin":"","last_whats_new_version":104,"shortcut_migration_version":"104.0.5112.81"},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en-GB"},"invalidation":{"per_sender_topics_to_handler":{}},"legacy":{"profile":{"name":{"migrated":true}}},"management":{"platform":{"azure_active_directory":0,"enterprise_mdm_win":0}},"network_time":{"network_time_mapping":{"local":1.6916634575871e+12,"network":1.691663495e+12,"ticks":67538279.0,"uncertainty":1644821.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABaHlwIoHYlQKZwuwW8V0yxAAAAAAIAAAAAABBmAAAAAQAAIAAAAOT4j8Zm9U1zXX6oEUpPqIYBIjSlOiLGeiMKiIFJZDroAAAAAA6AAAAAAgAAIAAAAFW1OavBhyV7qwszPZbindD+KU2Osh5O7HSmDPpFnuCDMAAAAGEkmqbufgFUSmOzx4cW7Aup7spqps4DvqbPrwRgUGqSpRZvQkbO+yVH56WF9zMTt0AAAAAyRwtYxjf7/AqYrFr0JZ6kbTiUt0/2PKkCw7ntLtbN2qrad7I3MeL4iNGDFgqRlhWgsb/6w0gJ

C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]\TempFile24632

Download File

Process:	C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 2, database pages 23, cookie 0x19, schema 4, UTF-8, version-valid-for 2
Category:	dropped
Size (bytes):	49152
Entropy (8bit):	0.7876734657715041
Encrypted:	false
SSDEEP:	48:43KzOIIY3HzrkNSs8LKvUf9KnmlG0UX9q4lCm+KLka+yJqhM0ObVEq8Ma0D0HOlx:Sq0NFeymDlGD9qlm+KL2y0Obn8MouO
MD5:	CF7758A2FF4A94A5D589DEBAED38F82E
SHA1:	D3380E70D0CAEB9AD78D14DD970EA480E08232B8
SHA-256:	6CA783B84D01BFCF9AA7185D7857401D336BAD407A182345B97096E1F2502B7F
SHA-512:	1D0C49B02A159EEB4AA971980CCA02751973E249422A71A0587EE63986A4A0EB8929458BCC575A9898CE3497CC5BDFB7050DF33DF53F5C88D110F386A0804CBF
Malicious:	false
Reputation:	low
Preview:	SQLite format 3......@ ..........................................................................[5....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]\TempFile27438

Download File

Process:	C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	160640
Entropy (8bit):	6.040693044421152
Encrypted:	false
SSDEEP:	3072:Mw7HPKsbirDk/jy/GVAmdyKxVjDOH5Hp711NyBTOgd0HhmAnhqj3qm:MGHPKsbigygAkyoVn0XNyTOpBmAh4qm
MD5:	7DA110D90729D57A5B6D17931BC4EE09
SHA1:	992FC1C9F8DEA7B821AC96D28339CD72F0D0AF5D
SHA-256:	4307AAB87D2C9801C30F108ADF0886137B89ADBC6064859F5CB5D8D7B3AD46FC
SHA-512:	C203D5F5AC33FC2E9B9149AD6444833A4AA63A321BBFD23D3CDD15C6CF7A2D9A3399205BE835E18E9F055C95546D6B5512BCB5AF7F548A3730C27461F3C98688
Malicious:	false
Reputation:	low
Preview:	{"browser":{"last_redirect_origin":"","last_whats_new_version":104,"shortcut_migration_version":"104.0.5112.81"},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en-GB"},"invalidation":{"per_sender_topics_to_handler":{}},"legacy":{"profile":{"name":{"migrated":true}}},"management":{"platform":{"azure_active_directory":0,"enterprise_mdm_win":0}},"network_time":{"network_time_mapping":{"local":1.6916634575871e+12,"network":1.691663495e+12,"ticks":67538279.0,"uncertainty":1644821.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABaHlwIoHYlQKZwuwW8V0yxAAAAAAIAAAAAABBmAAAAAQAAIAAAAOT4j8Zm9U1zXX6oEUpPqIYBIjSlOiLGeiMKiIFJZDroAAAAAA6AAAAAAgAAIAAAAFW1OavBhyV7qwszPZbindD+KU2Osh5O7HSmDPpFnuCDMAAAAGEkmqbufgFUSmOzx4cW7Aup7spqps4DvqbPrwRgUGqSpRZvQkbO+yVH56WF9zMTt0AAAAAyRwtYxjf7/AqYrFr0JZ6kbTiUt0/2PKkCw7ntLtbN2qrad7I3MeL4iNGDFgqRlhWgsb/6w0gJ

C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]\TempFile27998

Download File

Process:	C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, file counter 11, database pages 7, 1st free page 5, free pages 2, cookie 0x13, schema 4, UTF-8, version-valid-for 11
Category:	dropped
Size (bytes):	28672
Entropy (8bit):	1.525382148408982
Encrypted:	false
SSDEEP:	96:oe8To9Eapxv//u29ikqnXxa3Itq273BzkTDnw3:o3IpV//u2QZo27V
MD5:	BAD7730F6FDE1661858D7C76366933B1
SHA1:	7679157DBA24CF0FD2DC03AE73611B04227EF8A5
SHA-256:	9F5A853FAB80EF233F4382B3B07412D1077AF8985222BBF701C8A824BEE22AFB
SHA-512:	B1B1E0C534D96138F8752936776C3A7FD08100C99B04C55A0D7F22D0688868829C784C34F319A9FBC8F18F54DEFC7E7B07C9E40734C7C48882FE0BDEC3C66E5E
Malicious:	false
Reputation:	low
Preview:	SQLite format 3......@ ..........................................................................[5.........g...$......................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]\TempFile35125

Download File

Process:	C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	160640
Entropy (8bit):	6.040693044421152
Encrypted:	false
SSDEEP:	3072:Mw7HPKsbirDk/jy/GVAmdyKxVjDOH5Hp711NyBTOgd0HhmAnhqj3qm:MGHPKsbigygAkyoVn0XNyTOpBmAh4qm
MD5:	7DA110D90729D57A5B6D17931BC4EE09
SHA1:	992FC1C9F8DEA7B821AC96D28339CD72F0D0AF5D
SHA-256:	4307AAB87D2C9801C30F108ADF0886137B89ADBC6064859F5CB5D8D7B3AD46FC
SHA-512:	C203D5F5AC33FC2E9B9149AD6444833A4AA63A321BBFD23D3CDD15C6CF7A2D9A3399205BE835E18E9F055C95546D6B5512BCB5AF7F548A3730C27461F3C98688
Malicious:	false
Reputation:	low
Preview:	{"browser":{"last_redirect_origin":"","last_whats_new_version":104,"shortcut_migration_version":"104.0.5112.81"},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en-GB"},"invalidation":{"per_sender_topics_to_handler":{}},"legacy":{"profile":{"name":{"migrated":true}}},"management":{"platform":{"azure_active_directory":0,"enterprise_mdm_win":0}},"network_time":{"network_time_mapping":{"local":1.6916634575871e+12,"network":1.691663495e+12,"ticks":67538279.0,"uncertainty":1644821.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABaHlwIoHYlQKZwuwW8V0yxAAAAAAIAAAAAABBmAAAAAQAAIAAAAOT4j8Zm9U1zXX6oEUpPqIYBIjSlOiLGeiMKiIFJZDroAAAAAA6AAAAAAgAAIAAAAFW1OavBhyV7qwszPZbindD+KU2Osh5O7HSmDPpFnuCDMAAAAGEkmqbufgFUSmOzx4cW7Aup7spqps4DvqbPrwRgUGqSpRZvQkbO+yVH56WF9zMTt0AAAAAyRwtYxjf7/AqYrFr0JZ6kbTiUt0/2PKkCw7ntLtbN2qrad7I3MeL4iNGDFgqRlhWgsb/6w0gJ

C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]\TempFile37513

Download File

Process:	C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	160640
Entropy (8bit):	6.040693044421152
Encrypted:	false
SSDEEP:	3072:Mw7HPKsbirDk/jy/GVAmdyKxVjDOH5Hp711NyBTOgd0HhmAnhqj3qm:MGHPKsbigygAkyoVn0XNyTOpBmAh4qm
MD5:	7DA110D90729D57A5B6D17931BC4EE09
SHA1:	992FC1C9F8DEA7B821AC96D28339CD72F0D0AF5D
SHA-256:	4307AAB87D2C9801C30F108ADF0886137B89ADBC6064859F5CB5D8D7B3AD46FC
SHA-512:	C203D5F5AC33FC2E9B9149AD6444833A4AA63A321BBFD23D3CDD15C6CF7A2D9A3399205BE835E18E9F055C95546D6B5512BCB5AF7F548A3730C27461F3C98688
Malicious:	false
Reputation:	low
Preview:	{"browser":{"last_redirect_origin":"","last_whats_new_version":104,"shortcut_migration_version":"104.0.5112.81"},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en-GB"},"invalidation":{"per_sender_topics_to_handler":{}},"legacy":{"profile":{"name":{"migrated":true}}},"management":{"platform":{"azure_active_directory":0,"enterprise_mdm_win":0}},"network_time":{"network_time_mapping":{"local":1.6916634575871e+12,"network":1.691663495e+12,"ticks":67538279.0,"uncertainty":1644821.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABaHlwIoHYlQKZwuwW8V0yxAAAAAAIAAAAAABBmAAAAAQAAIAAAAOT4j8Zm9U1zXX6oEUpPqIYBIjSlOiLGeiMKiIFJZDroAAAAAA6AAAAAAgAAIAAAAFW1OavBhyV7qwszPZbindD+KU2Osh5O7HSmDPpFnuCDMAAAAGEkmqbufgFUSmOzx4cW7Aup7spqps4DvqbPrwRgUGqSpRZvQkbO+yVH56WF9zMTt0AAAAAyRwtYxjf7/AqYrFr0JZ6kbTiUt0/2PKkCw7ntLtbN2qrad7I3MeL4iNGDFgqRlhWgsb/6w0gJ

C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]\TempFile39122

Download File

Process:	C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
File Type:	SQLite 3.x database, last written using SQLite version 3038005, page size 2048, file counter 4, database pages 45, cookie 0x3d, schema 4, UTF-8, version-valid-for 4
Category:	dropped
Size (bytes):	94208
Entropy (8bit):	1.2861458126645597
Encrypted:	false
SSDEEP:	192:go1/8dpUXbSzTPJxz6zVucbj8Ewn7PrH944:gS/inRQVucbj8Ewn7b944
MD5:	13A67FCABA59E4D6CE4CBC1DA50B72A8
SHA1:	3974D2F90220322108483CEF19601AA09972C3F5
SHA-256:	7BD3F40AE06D965E1C4E98D8EF2EEB00A18DD93F934ADF9F16BC682B63CD8927
SHA-512:	A07327C16463A7DF4C76DC2A682E949CF898BBC2211EFA7E4F917E13DE4BB1C0C98923B8827E191BBBC2D42FF976748D3C6C86A8A5080008BD95ABC69DDD374F
Malicious:	false
Reputation:	low
Preview:	SQLite format 3......@ .......-...........=......................................................[5...........*........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]\TempFile48503

Download File

Process:	C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
File Type:	JSON data
Category:	dropped
Size (bytes):	160640
Entropy (8bit):	6.040693044421152
Encrypted:	false
SSDEEP:	3072:Mw7HPKsbirDk/jy/GVAmdyKxVjDOH5Hp711NyBTOgd0HhmAnhqj3qm:MGHPKsbigygAkyoVn0XNyTOpBmAh4qm
MD5:	7DA110D90729D57A5B6D17931BC4EE09
SHA1:	992FC1C9F8DEA7B821AC96D28339CD72F0D0AF5D
SHA-256:	4307AAB87D2C9801C30F108ADF0886137B89ADBC6064859F5CB5D8D7B3AD46FC
SHA-512:	C203D5F5AC33FC2E9B9149AD6444833A4AA63A321BBFD23D3CDD15C6CF7A2D9A3399205BE835E18E9F055C95546D6B5512BCB5AF7F548A3730C27461F3C98688
Malicious:	false
Reputation:	low
Preview:	{"browser":{"last_redirect_origin":"","last_whats_new_version":104,"shortcut_migration_version":"104.0.5112.81"},"data_use_measurement":{"data_used":{"services":{"background":{},"foreground":{}},"user":{"background":{},"foreground":{}}}},"hardware_acceleration_mode_previous":true,"intl":{"app_locale":"en-GB"},"invalidation":{"per_sender_topics_to_handler":{}},"legacy":{"profile":{"name":{"migrated":true}}},"management":{"platform":{"azure_active_directory":0,"enterprise_mdm_win":0}},"network_time":{"network_time_mapping":{"local":1.6916634575871e+12,"network":1.691663495e+12,"ticks":67538279.0,"uncertainty":1644821.0}},"os_crypt":{"encrypted_key":"RFBBUEkBAAAA0Iyd3wEV0RGMegDAT8KX6wEAAABaHlwIoHYlQKZwuwW8V0yxAAAAAAIAAAAAABBmAAAAAQAAIAAAAOT4j8Zm9U1zXX6oEUpPqIYBIjSlOiLGeiMKiIFJZDroAAAAAA6AAAAAAgAAIAAAAFW1OavBhyV7qwszPZbindD+KU2Osh5O7HSmDPpFnuCDMAAAAGEkmqbufgFUSmOzx4cW7Aup7spqps4DvqbPrwRgUGqSpRZvQkbO+yVH56WF9zMTt0AAAAAyRwtYxjf7/AqYrFr0JZ6kbTiUt0/2PKkCw7ntLtbN2qrad7I3MeL4iNGDFgqRlhWgsb/6w0gJ

C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]\UserInformation.txt

Download File

Process:	C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	698
Entropy (8bit):	4.3638520915343415
Encrypted:	false
SSDEEP:	12:j/S8bL9ceXD2z3K/RA0VXS8IYlKr32yvQXOiKBf3Ru0md/LXUWUT4OD:bXb5DF//VXSoKrGqQXdKpzELjUT4OD
MD5:	7C71C7A1D63CA89437A0935AEA31DB12
SHA1:	14164B9220F3B4C87FC71F5042642169A3E4A644
SHA-256:	B126242BD3826A70442A62CD5A16D96457B4573DA127D220C8EABC3E670CEB98
SHA-512:	D594349F5CA4AC05605ED763CBAA1DEE1072EA0C99C75452D0075AD2EC5EC8D99862B6A7583200CD9DE0C29CE3291C1623DA467FD478FAB074F7D7100D9C9C93
Malicious:	false
Reputation:	low
Preview:	// _ _ ..// \| \| \| \| ..// _ __ ___ \| \|_ ___ __ _ \| \| ___ _ __ ..// \| '_ \ / __\|\| __\| / _ \ / _` \|\| \| / _ \\| '__\|..// \| \| \| \|\__ \\| \|_ \| __/\| (_\| \|\| \|\| __/\| \| ..// \|_\| \|_\|\|___/ \__\| \___\| \__,_\|\|_\| \___\|\|_\| ..// ..// nstealer v2 aka "java redline"..// developed by https://t.me/nyooooom // mvdua (new discord) // noom....Operation System: win10-x86..Current JarFile Path: C:/Users/user/Desktop/6XAaqIWeJt.jar..UserName: user..IP: 154.16.105.31..TimeZone: 2023-09-21T21:03:40.081+02:00 [Europe/Berlin]..Width: 1280.0, Height: 1024.0..Language & Country: en_US..

C:\Users\user\AppData\Local\Temp\jna-101308983\jna5476903323984237763.dll

Download File

Process:	C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	211456
Entropy (8bit):	6.575564255266613
Encrypted:	false
SSDEEP:	3072:hsYkXwUGMpSFif9jejzCvjrEt1++W9WCrHudSzoNyLXX4Fv/IK9znaTsXvXs9GT5:hFLNmyjzss1++kQCo2XM5vXs9GTqZc
MD5:	676F82A561FAFEEC6D8CF6D8319DEE2D
SHA1:	01759BB9E7DD8513C1D25BAFF2C8AB3298DB720D
SHA-256:	1B06CBA48EEA2AD4881BC88A2749E40500DBC87C1A2149290EB61D473A64E4C1
SHA-512:	6E9F4087A49CB15203A6A478C6F3422276018F269ED85833AF6F203604C60C6C443298734CDE217E8DF18EBB932994AAAA3BC794A36419EEBCC4310CAABFB826
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!:..@T..@T..@T..(W..@T..(Q.S@T..(P..@T..4Q..@T..4P..@T..4W..@T..(U..@T..@U..@T..4W..@T..@T..@T..4P..@T..4T..@T..4V..@T.Rich.@T.........PE..L...6..c...........!.....N..........?R.......`............................................@.............................T...$...<....@.......................P... ..\|...................................@............`..0............................text....M.......N.................. ..`.rdata...\|...`...~...R..............@..@.data...\Q.......D..................@....rsrc........@......................@....reloc... ...P..."..................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\sqlite-3.41.0.0-d1f53158-b755-46b7-bb24-3c604b650f2a-sqlitejdbc.dll

Download File

Process:	C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	860672
Entropy (8bit):	6.572639421617908
Encrypted:	false
SSDEEP:	24576:0S4aTP2hld8MBIeoLB9m1poRRga3tXP0SXOD6dWb94:06TP2hldnBIet1poRn3tXPLob
MD5:	B1A60869B21047ABE4F85BA353E53856
SHA1:	A7F1769A42C96382A07BD60ED000B2302575E049
SHA-256:	6E9121D4A825F568D78C79F2A3E9819A664C3B0C45B69EDC96EE5958E89E6B48
SHA-512:	56D357B6195B0EAFC7172672CE7A10503E334787DEFD7D1317B0CB60341DEC3EC711C6686CAB3E0A73152386399292732EC1A2CF2FD2E865A37C794B5E124614
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Reputation:	low
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#...$.N...................`....xf.........................p......j.....@... ..............................................................0..<?..........................d.......................8................................text....L.......N..................`.P`.data....&...`...(...R..............@.`..rdata...G.......H...z..............@.`@.bss..................................`..edata..............................@.0@.idata..............................@.0..CRT....,...........................@.0..tls......... ......................@.0..reloc..<?...0...@..................@.0B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\83aa4cc77f591dfc2374580bbd95f6ba_d06ed635-68f6-4e9a-955c-4899f5f57b9a

Download File

Process:	C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
File Type:	data
Category:	dropped
Size (bytes):	45
Entropy (8bit):	0.9111711733157262
Encrypted:	false
SSDEEP:	3:/lwlt7n:WNn
MD5:	C8366AE350E7019AEFC9D1E6E6A498C6
SHA1:	5731D8A3E6568A5F2DFBBC87E3DB9637DF280B61
SHA-256:	11E6ACA8E682C046C83B721EEB5C72C5EF03CB5936C60DF6F4993511DDC61238
SHA-512:	33C980D5A638BFC791DE291EBF4B6D263B384247AB27F261A54025108F2F85374B579A026E545F81395736DD40FA4696F2163CA17640DD47F1C42BC9971B18CD
Malicious:	false
Reputation:	low
Preview:	........................................J2SE.

C:\cmdlinestart.log

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	6440
Entropy (8bit):	5.066656235182196
Encrypted:	false
SSDEEP:	96:gG6Muh/xXWw74M3O+6ZDeYXz0MDTZItTtufc0xXWw7i:Y5dxX374ATKDeq0QTZIRtufxX37i
MD5:	60EFB4DFF8FA0CAD5597A5362FBD075D
SHA1:	1926A8D94E752E4BFF3BE6106C637B87FCBEE3B9
SHA-256:	290426021E567950346DC991A396D25616F7393196D283E2F0AD1DB2667494C0
SHA-512:	040BA40B2CCDBE07A9741BF2CA738CA5BA5685B13A461579B81C35F6167EA0E3E09F9493330458D6D513CD3D836CE69B5BD390831B05976110E14AB5386BC757
Malicious:	false
Reputation:	low
Preview:	SLF4J: Failed to load class "org.slf4j.impl.StaticLoggerBinder"...SLF4J: Defaulting to no-operation (NOP) logger implementation..SLF4J: See http://www.slf4j.org/codes.html#StaticLoggerBinder for further details...SLF4J: Failed to load class "org.slf4j.impl.StaticMDCBinder"...SLF4J: Defaulting to no-operation MDCAdapter implementation...SLF4J: See http://www.slf4j.org/codes.html#no_static_mdc_binder for further details...[JDA RateLimit-Worker 1] ERROR Requester - There was an I/O error while executing a REST request: sun.security.validator.ValidatorException: PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target..net.dv8tion.jda.api.exceptions.ErrorResponseException: -1: javax.net.ssl.SSLHandshakeException...at net.dv8tion.jda.internal.requests.RestActionImpl.complete(RestActionImpl.java:230)...at net.dv8tion.jda.api.requests.RestAction.complete(RestAction.java:632)...at net.dv8tion.jda.internal

Static File Info

General

File type:	Java archive data (JAR)
Entropy (8bit):	7.978871677017016
TrID:	Java Archive (13504/1) 62.80% ZIP compressed archive (8000/1) 37.20%
File name:	6XAaqIWeJt.jar
File size:	29'321'777 bytes
MD5:	6c95bdb562b241228d2743c653e90773
SHA1:	3129c168f39111f57edf765e7b58bc9d72ec38d4
SHA256:	5286e612ca35302536507939d609b47dac54b42b6c76238ab2aee60ec6204a0c
SHA512:	adb9081d61b2eef3d4a253bd64ce2736d1b9b20636c2120e00b598f983ef2f4b3542b019a534e980a50363db4dd7a249f2073c4889eda8e70af9da6f1ac08bba
SSDEEP:	786432:hoh5zr5Ses3GcykJhowXsI+fVZk4JtxFm9lI46rJFSp204xtoH:hc1r5Bs3dhoPD9ZLDeirrSgpts
TLSH:	BF571210F64B5960C75B753ABAEF0E41BC31A7DDC486C15F21F474898DF2AD0872AB2A
File Content Preview:	PK..........#W...w....k...?...org/apache/http/impl/execchain/noom1337/ProguardPenitBlya.class.....8y\|.E.o:m.#...."Up.Z.+...(..*.E...P..JS..aY.M)...>.....I..v..'.....0w.........7..h...?.\|....y..y3..\|....>.XJN.xD../P.)../../.E..............E.FH.../Y.P..(...

File Icon


Icon Hash:	d08c8e8ea2868a54

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 21, 2023 21:03:39.640297890 CEST	49708	443	192.168.2.4	104.18.115.97
Sep 21, 2023 21:03:39.640377998 CEST	443	49708	104.18.115.97	192.168.2.4
Sep 21, 2023 21:03:39.640485048 CEST	49708	443	192.168.2.4	104.18.115.97
Sep 21, 2023 21:03:39.763027906 CEST	49708	443	192.168.2.4	104.18.115.97
Sep 21, 2023 21:03:39.763063908 CEST	443	49708	104.18.115.97	192.168.2.4
Sep 21, 2023 21:03:40.090464115 CEST	443	49708	104.18.115.97	192.168.2.4
Sep 21, 2023 21:03:40.090574980 CEST	49708	443	192.168.2.4	104.18.115.97
Sep 21, 2023 21:03:40.138129950 CEST	49708	443	192.168.2.4	104.18.115.97
Sep 21, 2023 21:03:40.138166904 CEST	443	49708	104.18.115.97	192.168.2.4
Sep 21, 2023 21:03:40.138545990 CEST	443	49708	104.18.115.97	192.168.2.4
Sep 21, 2023 21:03:40.138605118 CEST	49708	443	192.168.2.4	104.18.115.97
Sep 21, 2023 21:03:40.140057087 CEST	49708	443	192.168.2.4	104.18.115.97
Sep 21, 2023 21:03:40.140081882 CEST	443	49708	104.18.115.97	192.168.2.4
Sep 21, 2023 21:03:40.326334000 CEST	49709	80	192.168.2.4	34.160.111.145
Sep 21, 2023 21:03:40.499269962 CEST	80	49709	34.160.111.145	192.168.2.4
Sep 21, 2023 21:03:40.499401093 CEST	49709	80	192.168.2.4	34.160.111.145
Sep 21, 2023 21:03:40.507776022 CEST	49709	80	192.168.2.4	34.160.111.145
Sep 21, 2023 21:03:40.680944920 CEST	80	49709	34.160.111.145	192.168.2.4
Sep 21, 2023 21:03:40.723783016 CEST	80	49709	34.160.111.145	192.168.2.4
Sep 21, 2023 21:03:40.773077965 CEST	49709	80	192.168.2.4	34.160.111.145
Sep 21, 2023 21:03:43.364851952 CEST	49710	443	192.168.2.4	162.159.138.232
Sep 21, 2023 21:03:43.364933968 CEST	443	49710	162.159.138.232	192.168.2.4
Sep 21, 2023 21:03:43.365034103 CEST	49710	443	192.168.2.4	162.159.138.232
Sep 21, 2023 21:03:43.406153917 CEST	49710	443	192.168.2.4	162.159.138.232
Sep 21, 2023 21:03:43.406182051 CEST	443	49710	162.159.138.232	192.168.2.4
Sep 21, 2023 21:03:43.736242056 CEST	443	49710	162.159.138.232	192.168.2.4
Sep 21, 2023 21:03:43.736310005 CEST	49710	443	192.168.2.4	162.159.138.232
Sep 21, 2023 21:03:43.792829990 CEST	49710	443	192.168.2.4	162.159.138.232
Sep 21, 2023 21:03:43.792890072 CEST	443	49710	162.159.138.232	192.168.2.4
Sep 21, 2023 21:03:43.792916059 CEST	49710	443	192.168.2.4	162.159.138.232
Sep 21, 2023 21:03:43.793560028 CEST	443	49710	162.159.138.232	192.168.2.4
Sep 21, 2023 21:03:43.793636084 CEST	49710	443	192.168.2.4	162.159.138.232
Sep 21, 2023 21:03:47.749094963 CEST	49709	80	192.168.2.4	34.160.111.145

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Sep 21, 2023 21:03:39.454777956 CEST	60316	53	192.168.2.4	8.8.8.8
Sep 21, 2023 21:03:39.635601044 CEST	53	60316	8.8.8.8	192.168.2.4
Sep 21, 2023 21:03:40.144243002 CEST	51816	53	192.168.2.4	8.8.8.8
Sep 21, 2023 21:03:40.323726892 CEST	53	51816	8.8.8.8	192.168.2.4
Sep 21, 2023 21:03:43.162847996 CEST	51391	53	192.168.2.4	8.8.8.8
Sep 21, 2023 21:03:43.344274044 CEST	53	51391	8.8.8.8	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Sep 21, 2023 21:03:39.454777956 CEST	192.168.2.4	8.8.8.8	0x3771	Standard query (0)	ipv4.icanhazip.com	A (IP address)	IN (0x0001)	false
Sep 21, 2023 21:03:40.144243002 CEST	192.168.2.4	8.8.8.8	0xad80	Standard query (0)	myexternalip.com	A (IP address)	IN (0x0001)	false
Sep 21, 2023 21:03:43.162847996 CEST	192.168.2.4	8.8.8.8	0x54db	Standard query (0)	discord.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	Address	Type	Class	DNS over HTTPS
Sep 21, 2023 21:03:39.635601044 CEST	8.8.8.8	192.168.2.4	0x3771	No error (0)	ipv4.icanhazip.com	104.18.115.97	A (IP address)	IN (0x0001)	false
Sep 21, 2023 21:03:39.635601044 CEST	8.8.8.8	192.168.2.4	0x3771	No error (0)	ipv4.icanhazip.com	104.18.114.97	A (IP address)	IN (0x0001)	false
Sep 21, 2023 21:03:40.323726892 CEST	8.8.8.8	192.168.2.4	0xad80	No error (0)	myexternalip.com	34.160.111.145	A (IP address)	IN (0x0001)	false
Sep 21, 2023 21:03:43.344274044 CEST	8.8.8.8	192.168.2.4	0x54db	No error (0)	discord.com	162.159.138.232	A (IP address)	IN (0x0001)	false
Sep 21, 2023 21:03:43.344274044 CEST	8.8.8.8	192.168.2.4	0x54db	No error (0)	discord.com	162.159.128.233	A (IP address)	IN (0x0001)	false
Sep 21, 2023 21:03:43.344274044 CEST	8.8.8.8	192.168.2.4	0x54db	No error (0)	discord.com	162.159.135.232	A (IP address)	IN (0x0001)	false
Sep 21, 2023 21:03:43.344274044 CEST	8.8.8.8	192.168.2.4	0x54db	No error (0)	discord.com	162.159.137.232	A (IP address)	IN (0x0001)	false
Sep 21, 2023 21:03:43.344274044 CEST	8.8.8.8	192.168.2.4	0x54db	No error (0)	discord.com	162.159.136.232	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

myexternalip.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	Process
0	192.168.2.4	49709	34.160.111.145	80	C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe

Timestamp	kBytes transferred	Direction	Data
Sep 21, 2023 21:03:40.507776022 CEST	5	OUT	GET /raw HTTP/1.1 User-Agent: Java/1.8.0_211 Host: myexternalip.com Accept: text/html, image/gif, image/jpeg, ; q=.2, /*; q=.2 Connection: keep-alive
Sep 21, 2023 21:03:40.723783016 CEST	5	IN	HTTP/1.1 200 OK server: istio-envoy date: Thu, 21 Sep 2023 19:03:40 GMT content-type: text/plain; charset=utf-8 content-length: 13 access-control-allow-origin: * x-envoy-upstream-service-time: 0 strict-transport-security: max-age=2592000; includeSubDomains Via: 1.1 google Data Raw: 31 35 34 2e 31 36 2e 31 30 35 2e 33 31 Data Ascii: 154.16.105.31

Target ID:	0
Start time:	21:03:36
Start date:	21/09/2023
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\6XAaqIWeJt.jar"" >> C:\cmdlinestart.log 2>&1
Imagebase:	0xc30000
File size:	232'960 bytes
MD5 hash:	F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	21:03:36
Start date:	21/09/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6bab10000
File size:	625'664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	21:03:36
Start date:	21/09/2023
Path:	C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\6XAaqIWeJt.jar"
Imagebase:	0xd90000
File size:	192'376 bytes
MD5 hash:	28733BA8C383E865338638DF5196E6FE
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Java
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	21:03:37
Start date:	21/09/2023
Path:	C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Imagebase:	0xc70000
File size:	29'696 bytes
MD5 hash:	FF0D1D4317A44C951240FAE75075D501
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	21:03:37
Start date:	21/09/2023
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff6bab10000
File size:	625'664 bytes
MD5 hash:	EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	low
Has exited:	true

Show Windows behavior

Function 160EC30E Relevance: .0, Instructions: 11COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000003.218696916.00000000160E7000.00000004.00000020.00020000.00000000.sdmp, Offset: 160E7000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_3_160e7000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8f2303bf0fd2dd7351d381b5b50155ff3cc17164591d11c038f4a5661adf07e3
Instruction ID: ba860a5412187ce82bcdf276fb872a6f1a05b98acab45592b1cd0f80d3ecd043
Opcode Fuzzy Hash: 8f2303bf0fd2dd7351d381b5b50155ff3cc17164591d11c038f4a5661adf07e3
Instruction Fuzzy Hash: 87C00C1910E7C05FC70357785C664913F709D4B14039A09C7D0C5DF0B3D5585969D766

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	PowerShell logs, Process command-line parameters, Process monitoring, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Anti-virus, Process monitoring, System calls
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File monitoring, Process command-line parameters, Services
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	API monitoring, DLL monitoring, File monitoring, Named Pipes, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may disable security tools to avoid possible detection of their tools and activities. This can take the form of killing security software or event logging processes, deleting Registry keys so that tools do not start at run time, or other methods to interfere with security tools scanning or reporting information.
Tactics:	Defense Evasion
Data Sources:	File monitoring, Process command-line parameters, Services, Windows Registry
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Binary file metadata, Email gateway, Environment variable, File monitoring, Malware reverse engineering, Network intrusion detection system, Network protocol analysis, Process command-line parameters, Process monitoring, Process use of network, SSL/TLS inspection, Windows event logs
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	API monitoring, PowerShell logs, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, File monitoring, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, Azure AD, GCP, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	API monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	AWS CloudTrail logs, Azure activity logs, Process command-line parameters, Process monitoring, Stackdriver logs
Platforms:	AWS, Azure, GCP, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	File monitoring, Process command-line parameters, Process monitoring
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Malware reverse engineering, Netflow/Enclave netflow, Packet capture, Process monitoring, Process use of network, SSL/TLS inspection
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Files may be copied from an external adversary controlled system through the command and control channel to bring tools into the victim network or through alternate protocols with another tool such as FTP. Files can also be copied over on Mac and Linux with native tools like scp, rsync, and sftp.
Tactics:	Command and Control
Data Sources:	File monitoring, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process command-line parameters, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use a non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Host network interface, Netflow/Enclave netflow, Network intrusion detection system, Network protocol analysis, Packet capture, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	DNS records, Netflow/Enclave netflow, Network protocol analysis, Packet capture, Process monitoring, Process use of network
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report 6XAaqIWeJt.jar

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

Compliance

Spreading

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Oracle\Java\.oracle_jre_usage\cce3fe3b0d8d83e2.timestamp

C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7].zip

C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]\Autofills\Google_[Chrome]_Default.txt

C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]\Cookies\Google_[Chrome]_Default.txt

C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]\InstalledSoftware.txt

C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]\Passwords.txt

C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]\Screenshot.png

C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]\TempFile2200

C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]\TempFile24632

C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]\TempFile27438

C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]\TempFile27998

C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]\TempFile35125

C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]\TempFile37513

C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]\TempFile39122

C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]\TempFile48503

C:\Users\user\AppData\Local\Temp\US[DD3C89DAB5F4BDCCF00CA91F404BD8F7]\UserInformation.txt

C:\Users\user\AppData\Local\Temp\jna-101308983\jna5476903323984237763.dll

C:\Users\user\AppData\Local\Temp\sqlite-3.41.0.0-d1f53158-b755-46b7-bb24-3c604b650f2a-sqlitejdbc.dll

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\83aa4cc77f591dfc2374580bbd95f6ba_d06ed635-68f6-4e9a-955c-4899f5f57b9a

C:\cmdlinestart.log

Static File Info

General

Windows Analysis Report
6XAaqIWeJt.jar