Windows Analysis Report
bZPAo2e2Pv.jar

AV Detection

Source: bZPAo2e2Pv.jar

Avira: detected

Source: bZPAo2e2Pv.jar

ReversingLabs: Detection: 15%

Source: Submited Sample

Integrated Neural Analysis Model: Matched 95.7% probability

Spreading

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	File opened: C:\Users\user\AppData\Local\Temp\jna-92896885\jna3139189163944155017.dll			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	File opened: C:\Users\user\AppData\			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	File opened: C:\Users\user\AppData\Local\			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	File opened: C:\Users\user\AppData\Local\Temp\			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	File opened: C:\Users\user\			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	File opened: C:\Users\user\AppData\Local\Temp\jna-92896885\			Jump to behavior

Software Vulnerabilities

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

Process created: C:\Windows\SysWOW64\tasklist.exe

Networking

Source:	DNS query: canstlr.xyz
Source:	DNS query: canstlr.xyz

Source: unknown

DNS query: name: api.telegram.org

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 45.112.123.126 45.112.123.126

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: api.gofile.io
Source: global traffic	DNS traffic detected: DNS query: canstlr.xyz
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: github.com

Source: java.exe, 00000002.00000002.2654014012.000000000A3F7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bugreport.sun.com/bugreport/
Source: java.exe, 00000002.00000002.2654014012.000000000A4AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
Source: java.exe, 00000002.00000002.2654014012.000000000A4AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: java.exe, 00000002.00000002.2654014012.000000000A4AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt
Source: java.exe, 00000002.00000002.2654014012.000000000A4AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: java.exe, 00000002.00000002.2654014012.000000000A4AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
Source: java.exe, 00000002.00000002.2654014012.000000000A4AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: java.exe, 00000002.00000002.2654014012.000000000A790000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html
Source: java.exe, 00000002.00000002.2654014012.000000000A790000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.htmlC
Source: java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.htmlk
Source: java.exe, 00000002.00000002.2654014012.000000000A790000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl
Source: java.exe, 00000002.00000002.2654014012.000000000A790000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crlk
Source: java.exe, 00000002.00000002.2654014012.000000000A790000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl
Source: java.exe, 00000002.00000002.2654014012.000000000A790000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: java.exe, 00000002.00000002.2654014012.000000000A66A000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AA1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: java.exe, 00000002.00000002.2654014012.000000000A790000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: java.exe, 00000002.00000002.2654014012.000000000A790000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: java.exe, 00000002.00000002.2654014012.000000000A790000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: java.exe, 00000002.00000002.2654014012.000000000A4AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
Source: java.exe, 00000002.00000002.2654014012.000000000A4AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: java.exe, 00000002.00000002.2654014012.000000000A4AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl
Source: java.exe, 00000002.00000002.2654014012.000000000A4AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: java.exe, 00000002.00000002.2654014012.000000000A4AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl
Source: java.exe, 00000002.00000002.2654014012.000000000A4AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: java.exe, 00000002.00000002.2654014012.000000000A350000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://java.oracle.com/
Source: java.exe, 00000002.00000002.2654014012.000000000A66A000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2658265307.00000000156BD000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2398969302.0000000015708000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2398660167.00000000156C6000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2659859380.00000000165E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://null.oracle.com/
Source: java.exe, 00000002.00000002.2654014012.000000000A4AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com
Source: java.exe, 00000002.00000002.2654014012.000000000A4AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: java.exe, 00000002.00000002.2654014012.000000000A4AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: java.exe, 00000002.00000002.2654014012.000000000A4AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: java.exe, 00000002.00000002.2654014012.000000000A66A000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AA1B000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000A790000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://policy.camerfirma.com
Source: java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://policy.camerfirma.com#
Source: java.exe, 00000002.00000002.2654014012.000000000A790000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://policy.camerfirma.com0
Source: java.exe, 00000002.00000002.2654014012.000000000AA1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://policy.camerfirma.comk
Source: java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/
Source: java.exe, 00000002.00000002.2654014012.000000000A790000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/0
Source: java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/3
Source: java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/C
Source: java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/S
Source: java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/k
Source: java.exe, 00000002.00000002.2654014012.000000000A94C000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.chambersign.org
Source: java.exe, 00000002.00000002.2654014012.000000000A790000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.chambersign.org1
Source: java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.chambersign.orgC
Source: java.exe, 00000002.00000002.2654014012.000000000A790000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm
Source: java.exe, 00000002.00000002.2654014012.000000000A790000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bmk
Source: java.exe, 00000002.00000002.2654014012.000000000A790000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps
Source: java.exe, 00000002.00000002.2654014012.000000000A790000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: java.exe, 00000002.00000002.2654014012.000000000AA1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/servers
Source: java.exe, 00000002.00000002.2654014012.000000000AA1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/serversk
Source: java.exe, 00000002.00000002.2659859380.0000000016852000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2658929285.0000000015A50000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2398411038.00000000168F8000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2454643064.00000000168E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/IPlayerService/GetOwnedGames/v1/?key=440D7F4D810EF9298D25EDDF37C1F902&s
Source: java.exe, 00000002.00000002.2658929285.0000000015A50000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2398411038.00000000168F8000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2454643064.00000000168E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/IPlayerService/GetSteamLevel/v1/?key=440D7F4D810EF9298D25EDDF37C1F902&s
Source: java.exe, 00000002.00000002.2659859380.0000000016852000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2658929285.0000000015A50000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2398411038.00000000168F8000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2454643064.00000000168E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/ISteamUser/GetPlayerSummaries/v0002/?key=440D7F4D810EF9298D25EDDF37C1F9
Source: java.exe, 00000002.00000003.2398411038.000000001686B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.tele
Source: java.exe, 00000002.00000002.2635926954.000000000519D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: java.exe, 00000002.00000002.2635926954.0000000005188000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2659859380.0000000016852000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2635926954.00000000052EF000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000003.2398411038.00000000168F8000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2659859380.00000000165E4000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2454643064.00000000168E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: java.exe, 00000002.00000002.2635926954.0000000005188000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7771186573:AAHGj8VtumJ9kjTUYRUQm886fmn2UiPGXSk
Source: java.exe, 00000002.00000002.2635926954.000000000519D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7771186573:AAHGj8VtumJ9kjTUYRUQm886fmn2UiPGXSk/sendMessage
Source: java.exe, 00000002.00000002.2635926954.0000000005188000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7771186573:AAHGj8VtumJ9kjTUYRUQm886fmn2UiPGXSk/sendMessageSC/
Source: java.exe, 00000002.00000002.2635926954.000000000525B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot;U/
Source: java.exe, 00000002.00000003.2398411038.000000001686B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://canstlr.xyC
Source: java.exe, 00000002.00000002.2635926954.0000000004E3E000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000003.2398411038.000000001686B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://canstlr.xyz/
Source: java.exe, 00000002.00000003.2398411038.000000001686B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://canstlr.xyz/a
Source: java.exe, 00000002.00000003.2398411038.000000001686B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://canstlr.xyz/ap3
Source: java.exe, 00000002.00000002.2659859380.0000000016852000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2398411038.00000000168F8000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2659859380.00000000165E4000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2454643064.00000000168E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://canstlr.xyz/api/v6/guilds/
Source: java.exe, 00000002.00000003.2454643064.00000000168E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://canstlr.xyz/api/v6/users/
Source: java.exe, 00000002.00000003.2454643064.00000000168E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://canstlr.xyz/api/v9/users/
Source: java.exe, 00000002.00000002.2654014012.000000000AA1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://canstlr.xyz/apple3
Source: java.exe, 00000002.00000002.2635926954.0000000005088000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://canstlr.xyz/apple3C
Source: java.exe, 00000002.00000002.2654014012.000000000AA1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://canstlr.xyz/apple4
Source: java.exe, 00000002.00000003.2398411038.000000001686B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.disco
Source: java.exe, 00000002.00000002.2659859380.0000000016852000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2398411038.00000000168F8000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2659859380.00000000165E4000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2454643064.00000000168E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/avatars/
Source: java.exe, 00000002.00000002.2659859380.0000000016852000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2398411038.00000000168F8000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2454643064.00000000168E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/embed/avatars/0.png
Source: java.exe, 00000002.00000002.2659859380.0000000016560000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/embed/avatars/0.png8
Source: java.exe, 00000002.00000002.2635926954.0000000004EDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com
Source: java.exe, 00000002.00000002.2635926954.0000000004EDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/sonriseclient/bneapple-startup-5947/raw/refs/heads/main/Java.jar
Source: java.exe, 00000002.00000002.2654014012.000000000A790000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com
Source: java.exe, 00000002.00000002.2654014012.000000000A790000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.comK
Source: java.exe, 00000002.00000002.2659859380.0000000016852000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2398411038.00000000168F8000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2454643064.00000000168E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paste-pgpj.onrender.com/?p=
Source: java.exe, 00000002.00000002.2659859380.00000000165E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paste-pgpj.onrender.com/?p=12
Source: java.exe, 00000002.00000002.2654014012.000000000A66A000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AA1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://repository.luxtrust.lu
Source: java.exe, 00000002.00000002.2654014012.000000000A790000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://repository.luxtrust.lu0
Source: java.exe, 00000002.00000002.2654014012.000000000AA1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://repository.luxtrust.lu3(w
Source: java.exe, 00000002.00000002.2654014012.000000000AA1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://repository.luxtrust.lu;
Source: java.exe, 00000002.00000002.2654014012.000000000AA1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://repository.luxtrust.lus(w

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443

System Summary

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_16965C10		2_3_16965C10
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_16965F74		2_3_16965F74
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_16965C10		2_3_16965C10
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_16965F74		2_3_16965F74

Source: classification engine

Classification label: mal92.troj.spyw.expl.winJAR@119/15@5/3

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\83aa4cc77f591dfc2374580bbd95f6ba_9e146be9-c76a-4720-bcdb-53011b87bd06

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6964:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6976:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5720:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2172:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6260:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5868:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6008:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5800:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6540:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6456:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5852:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7140:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6988:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2728:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6168:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3728:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6332:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3400:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7032:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6592:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3816:120:WilError_03
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5696:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3628:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6472:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7080:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6832:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7052:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3776:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7108:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6012:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5900:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2844:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5516:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6940:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6188:120:WilError_03

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

File created: C:\Users\user\AppData\Local\Temp\hsperfdata_user

Jump to behavior

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: java.exe, 00000002.00000002.2664043396.0000000065BC4000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: java.exe, 00000002.00000002.2664043396.0000000065BC4000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: java.exe, 00000002.00000002.2664043396.0000000065BC4000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: java.exe, 00000002.00000002.2664043396.0000000065BC4000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: java.exe, 00000002.00000002.2664043396.0000000065BC4000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: java.exe, 00000002.00000002.2664043396.0000000065BC4000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: java.exe, 00000002.00000002.2664043396.0000000065BC4000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: java.exe, 00000002.00000002.2664043396.0000000065BC4000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: java.exe, 00000002.00000002.2664043396.0000000065BC4000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: java.exe, 00000002.00000003.2382820718.0000000016D92000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2383108963.0000000016DAD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: bZPAo2e2Pv.jar

ReversingLabs: Detection: 15%

Source: java.exe	String found in binary or memory: (Lokhttp3/Address;)Z
Source: java.exe	String found in binary or memory: gLokhttp3/Address;
Source: java.exe	String found in binary or memory: ./Q()Lokhttp3/Address;
Source: java.exe	String found in binary or memory: (Lokhttp3/Address;Lokhttp3/internal/connection/RealCall;Ljava/util/List;Z)Z
Source: java.exe	String found in binary or memory: -addNetworkInterceptor

Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\bZPAo2e2Pv.jar"" >> C:\cmdlinestart.log 2>&1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\bZPAo2e2Pv.jar"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\tasklist.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic cpu get name
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic os get Caption /value
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic cpu get name
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic os get Caption /value
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\bZPAo2e2Pv.jar"			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic path win32_VideoController get name			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic cpu get name			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic os get Caption /value			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic path win32_VideoController get name			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic cpu get name			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic os get Caption /value			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown			Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: apphelp.dll			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: wsock32.dll			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: winmm.dll			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: windows.storage.dll			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: wldp.dll			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: cryptsp.dll			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: rsaenh.dll			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: dpapi.dll			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: cryptbase.dll			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: mswsock.dll			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: iphlpapi.dll			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: dhcpcsvc6.dll			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: dhcpcsvc.dll			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: dnsapi.dll			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: ntmarta.dll			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: uxtheme.dll			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: dwmapi.dll			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: opengl32.dll			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: glu32.dll			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: rasadhlp.dll			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: fwpuclnt.dll			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: ncrypt.dll			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: ntasn1.dll			Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: ntmarta.dll			Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll			Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll			Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll			Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll			Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll			Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll			Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll			Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll			Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll			Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll			Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll			Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll

Source: C:\Windows\SysWOW64\tasklist.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: bZPAo2e2Pv.jar

Static file information: File size 14111939 > 1048576

Data Obfuscation

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_16963CDB push es; ret		2_3_16963CDC
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_16963CEE push es; retf		2_3_16963D04
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_16963BD6 push es; retn 0009h		2_3_16963CD7
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_16963D11 push es; iretd		2_3_16963D18
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_16963BD6 push es; retn 0009h		2_3_16963CD7
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_16963CDB push es; ret		2_3_16963CDC
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_16963CEE push es; retf		2_3_16963D04
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_16963D11 push es; iretd		2_3_16963D18
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_15DACF78 push eax; iretd		2_3_15DACF79
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_15DB328B push cs; retf		2_3_15DB329E
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_15DB3280 push cs; retf		2_3_15DB328A
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_15DAC421 push esp; retf		2_3_15DAC422
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_15DACF78 push eax; iretd		2_3_15DACF79
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_15DB328B push cs; retf		2_3_15DB329E
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_15DB3280 push cs; retf		2_3_15DB328A
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_15DAC421 push esp; retf		2_3_15DAC422
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_15CCE335 push cs; retf		2_3_15CCE336
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_16CF550B push ebp; iretd		2_3_16CF5532
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_17ACCEB7 push eax; iretd		2_3_17ACCEC1

Persistence and Installation Behavior

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

File created: jna3139189163944155017.dll.2.dr

Jump to dropped file

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	File created: C:\Users\user\AppData\Local\Temp\jna-92896885\jna3139189163944155017.dll			Jump to dropped file
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	File created: C:\Users\user\AppData\Local\Temp\sqlite-3.20.1-40faf7a8-eb23-48f9-802d-09995356935d-sqlitejdbc.dll			Jump to dropped file

Hooking and other Techniques for Hiding and Protection

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX			Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\jna-92896885\jna3139189163944155017.dll			Jump to dropped file
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\sqlite-3.20.1-40faf7a8-eb23-48f9-802d-09995356935d-sqlitejdbc.dll			Jump to dropped file

Source: C:\Windows\SysWOW64\HOSTNAME.EXE	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	File opened: C:\Users\user\AppData\Local\Temp\jna-92896885\jna3139189163944155017.dll			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	File opened: C:\Users\user\AppData\			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	File opened: C:\Users\user\AppData\Local\			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	File opened: C:\Users\user\AppData\Local\Temp\			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	File opened: C:\Users\user\			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	File opened: C:\Users\user\AppData\Local\Temp\jna-92896885\			Jump to behavior

Source: HOSTNAME.EXE, 0000003F.00000002.2574638973.00000000035A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll6
Source: java.exe, 00000002.00000003.2336599116.000000001526E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: java.exe, 00000002.00000003.2336599116.000000001526E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: java.exe, 00000002.00000002.2634831559.00000000011EB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [Ljava/lang/VirtualMachineError;
Source: java.exe, 00000002.00000003.2336599116.000000001526E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: org/omg/CORBA/OMGVMCID.classPK
Source: java.exe, 00000002.00000002.2634831559.00000000011EB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cjava/lang/VirtualMachineError
Source: java.exe, 00000002.00000003.2336599116.000000001526E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: java/lang/VirtualMachineError.classPK
Source: java.exe, 00000002.00000002.2634831559.00000000011EB000.00000004.00000020.00020000.00000000.sdmp, HOSTNAME.EXE, 00000007.00000002.2384151808.000000000312B000.00000004.00000020.00020000.00000000.sdmp, HOSTNAME.EXE, 00000009.00000002.2390743005.0000000002E2B000.00000004.00000020.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000B.00000002.2391772355.000000000071B000.00000004.00000020.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000D.00000002.2393171830.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000F.00000002.2393718763.000000000318A000.00000004.00000020.00020000.00000000.sdmp, HOSTNAME.EXE, 00000011.00000002.2396370562.000000000331B000.00000004.00000020.00020000.00000000.sdmp, HOSTNAME.EXE, 00000013.00000002.2429153593.0000000002C2B000.00000004.00000020.00020000.00000000.sdmp, HOSTNAME.EXE, 00000015.00000002.2429741661.0000000002FCA000.00000004.00000020.00020000.00000000.sdmp, HOSTNAME.EXE, 00000019.00000002.2431834990.0000000002BFB000.00000004.00000020.00020000.00000000.sdmp, HOSTNAME.EXE, 0000001B.00000002.2432616954.0000000000A3B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: HOSTNAME.EXE, 00000017.00000002.2430996591.0000000002E3B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^^

Source: C:\Windows\SysWOW64\wbem\WMIC.exe

Process information queried: ProcessInformation

Anti Debugging

Source: C:\Windows\SysWOW64\tasklist.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

Memory protected: page read and write | page guard

Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\bZPAo2e2Pv.jar"			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic path win32_VideoController get name			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic cpu get name			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic os get Caption /value			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic path win32_VideoController get name			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic cpu get name			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic os get Caption /value			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown			Jump to behavior

Language, Device and Operating System Detection

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\6880 VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\charsets.jar VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\cookies.txt VolumeInformation			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\edgepass.txt VolumeInformation			Jump to behavior

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Source: Yara match	File source: 00000002.00000002.2659859380.00000000165E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2654014012.000000000AA1B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: java.exe PID: 6880, type: MEMORYSTR

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data			Jump to behavior

Source: Yara match

File source: Process Memory Space: java.exe PID: 6880, type: MEMORYSTR

Remote Access Functionality

Source: Yara match	File source: 00000002.00000002.2659859380.00000000165E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2654014012.000000000AA1B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: java.exe PID: 6880, type: MEMORYSTR