Edit tour

Windows Analysis Report
bZPAo2e2Pv.jar

Overview

General Information

Sample name:	bZPAo2e2Pv.jar renamed because original name is a hash value
Original sample name:	45cbb31ac832781dcd07ed72c7d947ed9060453b5bbd44b2b8f7955dbc283d9d.jar
Analysis ID:	1560317
MD5:	0e929dc2d517690e49d95ec4ffeb067b
SHA1:	3793bd95395f32d677ed7877972ee38c1581089a
SHA256:	45cbb31ac832781dcd07ed72c7d947ed9060453b5bbd44b2b8f7955dbc283d9d
Tags:	jartelegram-bot7771186573user-JAMESWT_MHT
Infos:

Detection

Can Stealer

Score:	92
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Multi AV Scanner detection for submitted file

Yara detected Can Stealer

AI detected suspicious sample

Exploit detected, runtime environment dropped PE file

Exploit detected, runtime environment starts unknown processes

Performs DNS queries to domains with low reputation

Sigma detected: Suspicious Processes Spawned by Java.EXE

Tries to harvest and steal browser information (history, passwords, etc)

Uses the Telegram API (likely for C&C communication)

Creates a process in suspended mode (likely to inject code)

Detected potential crypto function

Drops PE files

Enables debug privileges

Found dropped PE file which has not been started or loaded

IP address seen in connection with other malware

Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Uses cacls to modify the permissions of files

Uses code obfuscation techniques (call, push, ret)

Yara detected Credential Stealer

Classification

Process Tree

System is w10x64

cmd.exe (PID: 6824 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\bZPAo2e2Pv.jar"" >> C:\cmdlinestart.log 2>&1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6832 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

java.exe (PID: 6880 cmdline: "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\bZPAo2e2Pv.jar" MD5: 9DAA53BAB2ECB33DC0D9CA51552701FA)

icacls.exe (PID: 6928 cmdline: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M MD5: 2E49585E4E08565F52090B144062F97E)

conhost.exe (PID: 6940 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

tasklist.exe (PID: 6952 cmdline: tasklist MD5: 0A4448B31CE7F83CB7691A2657F330F1)

conhost.exe (PID: 6976 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

HOSTNAME.EXE (PID: 7072 cmdline: hostname MD5: B1C51FED46434CF91E65C7B605F8EF3A)

conhost.exe (PID: 7080 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

HOSTNAME.EXE (PID: 7132 cmdline: hostname MD5: B1C51FED46434CF91E65C7B605F8EF3A)

conhost.exe (PID: 7140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

HOSTNAME.EXE (PID: 5796 cmdline: hostname MD5: B1C51FED46434CF91E65C7B605F8EF3A)

conhost.exe (PID: 6168 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

HOSTNAME.EXE (PID: 6304 cmdline: hostname MD5: B1C51FED46434CF91E65C7B605F8EF3A)

conhost.exe (PID: 6332 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

HOSTNAME.EXE (PID: 6436 cmdline: hostname MD5: B1C51FED46434CF91E65C7B605F8EF3A)

conhost.exe (PID: 6456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

HOSTNAME.EXE (PID: 6540 cmdline: hostname MD5: B1C51FED46434CF91E65C7B605F8EF3A)

conhost.exe (PID: 3628 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

HOSTNAME.EXE (PID: 5844 cmdline: hostname MD5: B1C51FED46434CF91E65C7B605F8EF3A)

conhost.exe (PID: 6012 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

HOSTNAME.EXE (PID: 5744 cmdline: hostname MD5: B1C51FED46434CF91E65C7B605F8EF3A)

conhost.exe (PID: 5696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

HOSTNAME.EXE (PID: 5208 cmdline: hostname MD5: B1C51FED46434CF91E65C7B605F8EF3A)

conhost.exe (PID: 5852 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

HOSTNAME.EXE (PID: 4132 cmdline: hostname MD5: B1C51FED46434CF91E65C7B605F8EF3A)

conhost.exe (PID: 5900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

HOSTNAME.EXE (PID: 856 cmdline: hostname MD5: B1C51FED46434CF91E65C7B605F8EF3A)

conhost.exe (PID: 3728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

HOSTNAME.EXE (PID: 5704 cmdline: hostname MD5: B1C51FED46434CF91E65C7B605F8EF3A)

conhost.exe (PID: 6592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

HOSTNAME.EXE (PID: 6944 cmdline: hostname MD5: B1C51FED46434CF91E65C7B605F8EF3A)

conhost.exe (PID: 6988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

HOSTNAME.EXE (PID: 6980 cmdline: hostname MD5: B1C51FED46434CF91E65C7B605F8EF3A)

conhost.exe (PID: 7032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

HOSTNAME.EXE (PID: 6068 cmdline: hostname MD5: B1C51FED46434CF91E65C7B605F8EF3A)

conhost.exe (PID: 7052 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

HOSTNAME.EXE (PID: 7072 cmdline: hostname MD5: B1C51FED46434CF91E65C7B605F8EF3A)

conhost.exe (PID: 7108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 6216 cmdline: wmic path win32_VideoController get name MD5: E2DE6500DE1148C7F6027AD50AC8B891)

conhost.exe (PID: 6188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 6356 cmdline: wmic cpu get name MD5: E2DE6500DE1148C7F6027AD50AC8B891)

conhost.exe (PID: 6472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 3608 cmdline: wmic os get Caption /value MD5: E2DE6500DE1148C7F6027AD50AC8B891)

conhost.exe (PID: 6540 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

HOSTNAME.EXE (PID: 5688 cmdline: hostname MD5: B1C51FED46434CF91E65C7B605F8EF3A)

conhost.exe (PID: 5516 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

HOSTNAME.EXE (PID: 2712 cmdline: hostname MD5: B1C51FED46434CF91E65C7B605F8EF3A)

conhost.exe (PID: 2728 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 5588 cmdline: wmic path win32_VideoController get name MD5: E2DE6500DE1148C7F6027AD50AC8B891)

conhost.exe (PID: 5900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 6044 cmdline: wmic cpu get name MD5: E2DE6500DE1148C7F6027AD50AC8B891)

conhost.exe (PID: 6964 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 6992 cmdline: wmic os get Caption /value MD5: E2DE6500DE1148C7F6027AD50AC8B891)

conhost.exe (PID: 7032 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

HOSTNAME.EXE (PID: 5276 cmdline: hostname MD5: B1C51FED46434CF91E65C7B605F8EF3A)

conhost.exe (PID: 6260 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

HOSTNAME.EXE (PID: 7132 cmdline: hostname MD5: B1C51FED46434CF91E65C7B605F8EF3A)

conhost.exe (PID: 3776 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

HOSTNAME.EXE (PID: 1952 cmdline: hostname MD5: B1C51FED46434CF91E65C7B605F8EF3A)

conhost.exe (PID: 2844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

HOSTNAME.EXE (PID: 6396 cmdline: hostname MD5: B1C51FED46434CF91E65C7B605F8EF3A)

conhost.exe (PID: 6472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

HOSTNAME.EXE (PID: 2528 cmdline: hostname MD5: B1C51FED46434CF91E65C7B605F8EF3A)

conhost.exe (PID: 2172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

HOSTNAME.EXE (PID: 3640 cmdline: hostname MD5: B1C51FED46434CF91E65C7B605F8EF3A)

conhost.exe (PID: 3400 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

HOSTNAME.EXE (PID: 2476 cmdline: hostname MD5: B1C51FED46434CF91E65C7B605F8EF3A)

conhost.exe (PID: 5800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

HOSTNAME.EXE (PID: 660 cmdline: hostname MD5: B1C51FED46434CF91E65C7B605F8EF3A)

conhost.exe (PID: 5868 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

HOSTNAME.EXE (PID: 6732 cmdline: hostname MD5: B1C51FED46434CF91E65C7B605F8EF3A)

conhost.exe (PID: 5720 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

HOSTNAME.EXE (PID: 1500 cmdline: hostname MD5: B1C51FED46434CF91E65C7B605F8EF3A)

conhost.exe (PID: 3816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

HOSTNAME.EXE (PID: 6028 cmdline: hostname MD5: B1C51FED46434CF91E65C7B605F8EF3A)

conhost.exe (PID: 6008 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cleanup

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000002.00000002.2659859380.00000000165E4000.00000004.00000020.00020000.00000000.sdmp	JoeSecurity_CanStealer	Yara detected Can Stealer	Joe Security
00000002.00000002.2654014012.000000000AA1B000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_CanStealer	Yara detected Can Stealer	Joe Security
Process Memory Space: java.exe PID: 6880	JoeSecurity_CanStealer	Yara detected Can Stealer	Joe Security
Process Memory Space: java.exe PID: 6880	JoeSecurity_CredentialStealer	Yara detected Credential Stealer	Joe Security

Sigma Signatures

System Summary

Sigma detected: Suspicious Processes Spawned by Java.EXE

Source: Process started

Author: Andreas Hunkeler (@Karneades), Florian Roth: Data: Command: wmic path win32_VideoController get name, CommandLine: wmic path win32_VideoController get name, CommandLine|base64offset|contains: h, Image: C:\Windows\SysWOW64\wbem\WMIC.exe, NewProcessName: C:\Windows\SysWOW64\wbem\WMIC.exe, OriginalFileName: C:\Windows\SysWOW64\wbem\WMIC.exe, ParentCommandLine: "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\bZPAo2e2Pv.jar" , ParentImage: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe, ParentProcessId: 6880, ParentProcessName: java.exe, ProcessCommandLine: wmic path win32_VideoController get name, ProcessId: 6216, ProcessName: WMIC.exe

Sigma detected: Suspicious Execution of Hostname

Source: Process started

Author: frack113: Data: Command: hostname, CommandLine: hostname, CommandLine|base64offset|contains: -, Image: C:\Windows\SysWOW64\HOSTNAME.EXE, NewProcessName: C:\Windows\SysWOW64\HOSTNAME.EXE, OriginalFileName: C:\Windows\SysWOW64\HOSTNAME.EXE, ParentCommandLine: "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\bZPAo2e2Pv.jar" , ParentImage: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe, ParentProcessId: 6880, ParentProcessName: java.exe, ProcessCommandLine: hostname, ProcessId: 7072, ProcessName: HOSTNAME.EXE

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: bZPAo2e2Pv.jar

Avira: detected

Multi AV Scanner detection for submitted file

Source: bZPAo2e2Pv.jar

ReversingLabs: Detection: 15%

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 95.7% probability

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	File opened: C:\Users\user\AppData\Local\Temp\jna-92896885\jna3139189163944155017.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	File opened: C:\Users\user\AppData\Local\Temp\jna-92896885\	Jump to behavior

Software Vulnerabilities

Exploit detected, runtime environment starts unknown processes

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

Process created: C:\Windows\SysWOW64\tasklist.exe

Networking

Performs DNS queries to domains with low reputation

Source:	DNS query: canstlr.xyz
Source:	DNS query: canstlr.xyz

Uses the Telegram API (likely for C&C communication)

Source: unknown

DNS query: name: api.telegram.org

Source: Joe Sandbox View	IP Address: 149.154.167.220 149.154.167.220
Source: Joe Sandbox View	IP Address: 45.112.123.126 45.112.123.126

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	DNS traffic detected: DNS query: api.gofile.io
Source: global traffic	DNS traffic detected: DNS query: canstlr.xyz
Source: global traffic	DNS traffic detected: DNS query: api.telegram.org
Source: global traffic	DNS traffic detected: DNS query: github.com

Source: java.exe, 00000002.00000002.2654014012.000000000A3F7000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bugreport.sun.com/bugreport/
Source: java.exe, 00000002.00000002.2654014012.000000000A4AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
Source: java.exe, 00000002.00000002.2654014012.000000000A4AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: java.exe, 00000002.00000002.2654014012.000000000A4AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt
Source: java.exe, 00000002.00000002.2654014012.000000000A4AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: java.exe, 00000002.00000002.2654014012.000000000A4AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
Source: java.exe, 00000002.00000002.2654014012.000000000A4AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: java.exe, 00000002.00000002.2654014012.000000000A790000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html
Source: java.exe, 00000002.00000002.2654014012.000000000A790000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.htmlC
Source: java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.htmlk
Source: java.exe, 00000002.00000002.2654014012.000000000A790000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl
Source: java.exe, 00000002.00000002.2654014012.000000000A790000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.chambersign.org/chambersroot.crlk
Source: java.exe, 00000002.00000002.2654014012.000000000A790000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl
Source: java.exe, 00000002.00000002.2654014012.000000000A790000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: java.exe, 00000002.00000002.2654014012.000000000A66A000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AA1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: java.exe, 00000002.00000002.2654014012.000000000A790000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: java.exe, 00000002.00000002.2654014012.000000000A790000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: java.exe, 00000002.00000002.2654014012.000000000A790000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: java.exe, 00000002.00000002.2654014012.000000000A4AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
Source: java.exe, 00000002.00000002.2654014012.000000000A4AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: java.exe, 00000002.00000002.2654014012.000000000A4AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl
Source: java.exe, 00000002.00000002.2654014012.000000000A4AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: java.exe, 00000002.00000002.2654014012.000000000A4AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl
Source: java.exe, 00000002.00000002.2654014012.000000000A4AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: java.exe, 00000002.00000002.2654014012.000000000A350000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://java.oracle.com/
Source: java.exe, 00000002.00000002.2654014012.000000000A66A000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2658265307.00000000156BD000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2398969302.0000000015708000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2398660167.00000000156C6000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2659859380.00000000165E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://null.oracle.com/
Source: java.exe, 00000002.00000002.2654014012.000000000A4AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com
Source: java.exe, 00000002.00000002.2654014012.000000000A4AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: java.exe, 00000002.00000002.2654014012.000000000A4AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: java.exe, 00000002.00000002.2654014012.000000000A4AB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: java.exe, 00000002.00000002.2654014012.000000000A66A000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AA1B000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000A790000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://policy.camerfirma.com
Source: java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://policy.camerfirma.com#
Source: java.exe, 00000002.00000002.2654014012.000000000A790000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://policy.camerfirma.com0
Source: java.exe, 00000002.00000002.2654014012.000000000AA1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://policy.camerfirma.comk
Source: java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/
Source: java.exe, 00000002.00000002.2654014012.000000000A790000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/0
Source: java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/3
Source: java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/C
Source: java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/S
Source: java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://repository.swisssign.com/k
Source: java.exe, 00000002.00000002.2654014012.000000000A94C000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.chambersign.org
Source: java.exe, 00000002.00000002.2654014012.000000000A790000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.chambersign.org1
Source: java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.chambersign.orgC
Source: java.exe, 00000002.00000002.2654014012.000000000A790000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm
Source: java.exe, 00000002.00000002.2654014012.000000000A790000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bm0
Source: java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadis.bmk
Source: java.exe, 00000002.00000002.2654014012.000000000A790000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps
Source: java.exe, 00000002.00000002.2654014012.000000000A790000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: java.exe, 00000002.00000002.2654014012.000000000AA1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/servers
Source: java.exe, 00000002.00000002.2654014012.000000000AA1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.gofile.io/serversk
Source: java.exe, 00000002.00000002.2659859380.0000000016852000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2658929285.0000000015A50000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2398411038.00000000168F8000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2454643064.00000000168E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/IPlayerService/GetOwnedGames/v1/?key=440D7F4D810EF9298D25EDDF37C1F902&s
Source: java.exe, 00000002.00000002.2658929285.0000000015A50000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2398411038.00000000168F8000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2454643064.00000000168E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/IPlayerService/GetSteamLevel/v1/?key=440D7F4D810EF9298D25EDDF37C1F902&s
Source: java.exe, 00000002.00000002.2659859380.0000000016852000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2658929285.0000000015A50000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2398411038.00000000168F8000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2454643064.00000000168E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.steampowered.com/ISteamUser/GetPlayerSummaries/v0002/?key=440D7F4D810EF9298D25EDDF37C1F9
Source: java.exe, 00000002.00000003.2398411038.000000001686B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.tele
Source: java.exe, 00000002.00000002.2635926954.000000000519D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org
Source: java.exe, 00000002.00000002.2635926954.0000000005188000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2659859380.0000000016852000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2635926954.00000000052EF000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000003.2398411038.00000000168F8000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2659859380.00000000165E4000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2454643064.00000000168E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot
Source: java.exe, 00000002.00000002.2635926954.0000000005188000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7771186573:AAHGj8VtumJ9kjTUYRUQm886fmn2UiPGXSk
Source: java.exe, 00000002.00000002.2635926954.000000000519D000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7771186573:AAHGj8VtumJ9kjTUYRUQm886fmn2UiPGXSk/sendMessage
Source: java.exe, 00000002.00000002.2635926954.0000000005188000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot7771186573:AAHGj8VtumJ9kjTUYRUQm886fmn2UiPGXSk/sendMessageSC/
Source: java.exe, 00000002.00000002.2635926954.000000000525B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://api.telegram.org/bot;U/
Source: java.exe, 00000002.00000003.2398411038.000000001686B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://canstlr.xyC
Source: java.exe, 00000002.00000002.2635926954.0000000004E3E000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000003.2398411038.000000001686B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://canstlr.xyz/
Source: java.exe, 00000002.00000003.2398411038.000000001686B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://canstlr.xyz/a
Source: java.exe, 00000002.00000003.2398411038.000000001686B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://canstlr.xyz/ap3
Source: java.exe, 00000002.00000002.2659859380.0000000016852000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2398411038.00000000168F8000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2659859380.00000000165E4000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2454643064.00000000168E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://canstlr.xyz/api/v6/guilds/
Source: java.exe, 00000002.00000003.2454643064.00000000168E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://canstlr.xyz/api/v6/users/
Source: java.exe, 00000002.00000003.2454643064.00000000168E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://canstlr.xyz/api/v9/users/
Source: java.exe, 00000002.00000002.2654014012.000000000AA1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://canstlr.xyz/apple3
Source: java.exe, 00000002.00000002.2635926954.0000000005088000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://canstlr.xyz/apple3C
Source: java.exe, 00000002.00000002.2654014012.000000000AA1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://canstlr.xyz/apple4
Source: java.exe, 00000002.00000003.2398411038.000000001686B000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.disco
Source: java.exe, 00000002.00000002.2659859380.0000000016852000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2398411038.00000000168F8000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2659859380.00000000165E4000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2454643064.00000000168E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/avatars/
Source: java.exe, 00000002.00000002.2659859380.0000000016852000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2398411038.00000000168F8000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2454643064.00000000168E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/embed/avatars/0.png
Source: java.exe, 00000002.00000002.2659859380.0000000016560000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://cdn.discordapp.com/embed/avatars/0.png8
Source: java.exe, 00000002.00000002.2635926954.0000000004EDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com
Source: java.exe, 00000002.00000002.2635926954.0000000004EDB000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://github.com/sonriseclient/bneapple-startup-5947/raw/refs/heads/main/Java.jar
Source: java.exe, 00000002.00000002.2654014012.000000000A790000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com
Source: java.exe, 00000002.00000002.2654014012.000000000A790000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://ocsp.quovadisoffshore.comK
Source: java.exe, 00000002.00000002.2659859380.0000000016852000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2398411038.00000000168F8000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2454643064.00000000168E9000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paste-pgpj.onrender.com/?p=
Source: java.exe, 00000002.00000002.2659859380.00000000165E4000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: https://paste-pgpj.onrender.com/?p=12
Source: java.exe, 00000002.00000002.2654014012.000000000A66A000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AA1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://repository.luxtrust.lu
Source: java.exe, 00000002.00000002.2654014012.000000000A790000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://repository.luxtrust.lu0
Source: java.exe, 00000002.00000002.2654014012.000000000AA1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://repository.luxtrust.lu3(w
Source: java.exe, 00000002.00000002.2654014012.000000000AA1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://repository.luxtrust.lu;
Source: java.exe, 00000002.00000002.2654014012.000000000AA1B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: https://repository.luxtrust.lus(w

Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49711
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49720
Source: unknown	Network traffic detected: HTTP traffic on port 49711 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49719 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49720 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49719
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49718
Source: unknown	Network traffic detected: HTTP traffic on port 443 -> 49717
Source: unknown	Network traffic detected: HTTP traffic on port 49717 -> 443
Source: unknown	Network traffic detected: HTTP traffic on port 49718 -> 443

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_16965C10	2_3_16965C10
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_16965F74	2_3_16965F74
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_16965C10	2_3_16965C10
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_16965F74	2_3_16965F74

Source: classification engine

Classification label: mal92.troj.spyw.expl.winJAR@119/15@5/3

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\83aa4cc77f591dfc2374580bbd95f6ba_9e146be9-c76a-4720-bcdb-53011b87bd06

Jump to behavior

Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6964:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6976:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5720:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2172:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6260:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5868:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6008:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5800:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6540:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6456:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5852:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7140:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6988:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2728:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6168:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3728:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6332:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3400:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7032:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6592:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3816:120:WilError_03
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5696:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3628:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6472:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7080:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6832:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7052:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3776:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7108:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6012:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5900:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2844:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5516:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6940:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6188:120:WilError_03

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

File created: C:\Users\user\AppData\Local\Temp\hsperfdata_user

Jump to behavior

Source: C:\Windows\SysWOW64\tasklist.exe	WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime FROM Win32_Process
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: java.exe, 00000002.00000002.2664043396.0000000065BC4000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: java.exe, 00000002.00000002.2664043396.0000000065BC4000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: java.exe, 00000002.00000002.2664043396.0000000065BC4000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: java.exe, 00000002.00000002.2664043396.0000000065BC4000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: java.exe, 00000002.00000002.2664043396.0000000065BC4000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: java.exe, 00000002.00000002.2664043396.0000000065BC4000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: java.exe, 00000002.00000002.2664043396.0000000065BC4000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: java.exe, 00000002.00000002.2664043396.0000000065BC4000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: java.exe, 00000002.00000002.2664043396.0000000065BC4000.00000002.00000001.01000000.00000006.sdmp	Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' \|\| %Q \|\| substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: java.exe, 00000002.00000003.2382820718.0000000016D92000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2383108963.0000000016DAD000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: CREATE TABLE password_notes (id INTEGER PRIMARY KEY AUTOINCREMENT, parent_id INTEGER NOT NULL REFERENCES logins ON UPDATE CASCADE ON DELETE CASCADE DEFERRABLE INITIALLY DEFERRED, key VARCHAR NOT NULL, value BLOB, date_created INTEGER NOT NULL, confidential INTEGER, UNIQUE (parent_id, key));

Source: bZPAo2e2Pv.jar

ReversingLabs: Detection: 15%

Source: java.exe	String found in binary or memory: (Lokhttp3/Address;)Z
Source: java.exe	String found in binary or memory: gLokhttp3/Address;
Source: java.exe	String found in binary or memory: ./Q()Lokhttp3/Address;
Source: java.exe	String found in binary or memory: (Lokhttp3/Address;Lokhttp3/internal/connection/RealCall;Ljava/util/List;Z)Z
Source: java.exe	String found in binary or memory: -addNetworkInterceptor

Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\bZPAo2e2Pv.jar"" >> C:\cmdlinestart.log 2>&1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\bZPAo2e2Pv.jar"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist
Source: C:\Windows\SysWOW64\tasklist.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic cpu get name
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic os get Caption /value
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic path win32_VideoController get name
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic cpu get name
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic os get Caption /value
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\bZPAo2e2Pv.jar"	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic path win32_VideoController get name	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic cpu get name	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic os get Caption /value	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic path win32_VideoController get name	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic cpu get name	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic os get Caption /value	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: dpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: opengl32.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: glu32.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: dbghelp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: winsta.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\tasklist.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: version.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: mswsock.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: napinsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: pnrpnsp.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: wshbth.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: nlaapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\HOSTNAME.EXE	Section loaded: winrnr.dll

Source: C:\Windows\SysWOW64\tasklist.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

Process created: C:\Windows\SysWOW64\tasklist.exe tasklist

Source: bZPAo2e2Pv.jar

Static file information: File size 14111939 > 1048576

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_16963CDB push es; ret	2_3_16963CDC
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_16963CEE push es; retf	2_3_16963D04
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_16963BD6 push es; retn 0009h	2_3_16963CD7
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_16963D11 push es; iretd	2_3_16963D18
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_16963BD6 push es; retn 0009h	2_3_16963CD7
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_16963CDB push es; ret	2_3_16963CDC
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_16963CEE push es; retf	2_3_16963D04
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_16963D11 push es; iretd	2_3_16963D18
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_15DACF78 push eax; iretd	2_3_15DACF79
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_15DB328B push cs; retf	2_3_15DB329E
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_15DB3280 push cs; retf	2_3_15DB328A
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_15DAC421 push esp; retf	2_3_15DAC422
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_15DACF78 push eax; iretd	2_3_15DACF79
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_15DB328B push cs; retf	2_3_15DB329E
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_15DB3280 push cs; retf	2_3_15DB328A
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_15DAC421 push esp; retf	2_3_15DAC422
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_15CCE335 push cs; retf	2_3_15CCE336
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_16CF550B push ebp; iretd	2_3_16CF5532
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_3_17ACCEB7 push eax; iretd	2_3_17ACCEC1

Persistence and Installation Behavior

Exploit detected, runtime environment dropped PE file

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

File created: jna3139189163944155017.dll.2.dr

Jump to dropped file

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	File created: C:\Users\user\AppData\Local\Temp\jna-92896885\jna3139189163944155017.dll			Jump to dropped file
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	File created: C:\Users\user\AppData\Local\Temp\sqlite-3.20.1-40faf7a8-eb23-48f9-802d-09995356935d-sqlitejdbc.dll			Jump to dropped file

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

Source: C:\Windows\SysWOW64\tasklist.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\jna-92896885\jna3139189163944155017.dll			Jump to dropped file
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\sqlite-3.20.1-40faf7a8-eb23-48f9-802d-09995356935d-sqlitejdbc.dll			Jump to dropped file

Source: C:\Windows\SysWOW64\HOSTNAME.EXE	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	WMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM WIN32_PROCESSOR

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	File opened: C:\Users\user\AppData\Local\Temp\jna-92896885\jna3139189163944155017.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	File opened: C:\Users\user\AppData\	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	File opened: C:\Users\user\AppData\Local\	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	File opened: C:\Users\user\AppData\Local\Temp\	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	File opened: C:\Users\user\	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	File opened: C:\Users\user\AppData\Local\Temp\jna-92896885\	Jump to behavior

Source: HOSTNAME.EXE, 0000003F.00000002.2574638973.00000000035A7000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll6
Source: java.exe, 00000002.00000003.2336599116.000000001526E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: java.exe, 00000002.00000003.2336599116.000000001526E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: java.exe, 00000002.00000002.2634831559.00000000011EB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [Ljava/lang/VirtualMachineError;
Source: java.exe, 00000002.00000003.2336599116.000000001526E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: org/omg/CORBA/OMGVMCID.classPK
Source: java.exe, 00000002.00000002.2634831559.00000000011EB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cjava/lang/VirtualMachineError
Source: java.exe, 00000002.00000003.2336599116.000000001526E000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: java/lang/VirtualMachineError.classPK
Source: java.exe, 00000002.00000002.2634831559.00000000011EB000.00000004.00000020.00020000.00000000.sdmp, HOSTNAME.EXE, 00000007.00000002.2384151808.000000000312B000.00000004.00000020.00020000.00000000.sdmp, HOSTNAME.EXE, 00000009.00000002.2390743005.0000000002E2B000.00000004.00000020.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000B.00000002.2391772355.000000000071B000.00000004.00000020.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000D.00000002.2393171830.00000000005AB000.00000004.00000020.00020000.00000000.sdmp, HOSTNAME.EXE, 0000000F.00000002.2393718763.000000000318A000.00000004.00000020.00020000.00000000.sdmp, HOSTNAME.EXE, 00000011.00000002.2396370562.000000000331B000.00000004.00000020.00020000.00000000.sdmp, HOSTNAME.EXE, 00000013.00000002.2429153593.0000000002C2B000.00000004.00000020.00020000.00000000.sdmp, HOSTNAME.EXE, 00000015.00000002.2429741661.0000000002FCA000.00000004.00000020.00020000.00000000.sdmp, HOSTNAME.EXE, 00000019.00000002.2431834990.0000000002BFB000.00000004.00000020.00020000.00000000.sdmp, HOSTNAME.EXE, 0000001B.00000002.2432616954.0000000000A3B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: HOSTNAME.EXE, 00000017.00000002.2430996591.0000000002E3B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^^

Source: C:\Windows\SysWOW64\wbem\WMIC.exe

Process information queried: ProcessInformation

Source: C:\Windows\SysWOW64\tasklist.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

Memory protected: page read and write | page guard

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\bZPAo2e2Pv.jar"	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\tasklist.exe tasklist	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic path win32_VideoController get name	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic cpu get name	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic os get Caption /value	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic path win32_VideoController get name	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic cpu get name	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic os get Caption /value	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\HOSTNAME.EXE hostname	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: unknown unknown	Jump to behavior

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\6880 VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\charsets.jar VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Web Data VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\cookies.txt VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Users\user\AppData\Local\Microsoft\edgepass.txt VolumeInformation	Jump to behavior

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Stealing of Sensitive Information

Yara detected Can Stealer

Source: Yara match	File source: 00000002.00000002.2659859380.00000000165E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2654014012.000000000AA1B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: java.exe PID: 6880, type: MEMORYSTR

Tries to harvest and steal browser information (history, passwords, etc)

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Network\Cookies	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	File opened: C:\Users\user\AppData\Local\Microsoft\Edge\User Data\Default\Login Data	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Web Data	Jump to behavior

Source: Yara match

File source: Process Memory Space: java.exe PID: 6880, type: MEMORYSTR

Remote Access Functionality

Yara detected Can Stealer

Source: Yara match	File source: 00000002.00000002.2659859380.00000000165E4000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.2654014012.000000000AA1B000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: java.exe PID: 6880, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 Services File Permissions Weakness	11 Process Injection	1 Masquerading	1 OS Credential Dumping	11 Security Software Discovery	Remote Services	1 Archive Collected Data	1 Web Service	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	2 Command and Scripting Interpreter	1 DLL Side-Loading	1 Services File Permissions Weakness	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	1 Data from Local System	12 Encrypted Channel	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	2 Exploitation for Client Execution	Logon Script (Windows)	1 DLL Side-Loading	1 Disable or Modify Tools	Security Account Manager	2 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	Login Hook	11 Process Injection	NTDS	1 File and Directory Discovery	Distributed Component Object Model	Input Capture	2 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Obfuscated Files or Information	LSA Secrets	13 System Information Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Services File Permissions Weakness	Cached Domain Credentials	Wi-Fi Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
bZPAo2e2Pv.jar	16%	ReversingLabs	Package.Trojan.Generic
bZPAo2e2Pv.jar	100%	Avira	JAVA/Spy.Agent.wlsah

Dropped Files

Source	Detection	Scanner	Label	Link
C:\Users\user\AppData\Local\Temp\jna-92896885\jna3139189163944155017.dll	0%	ReversingLabs
C:\Users\user\AppData\Local\Temp\sqlite-3.20.1-40faf7a8-eb23-48f9-802d-09995356935d-sqlitejdbc.dll	0%	ReversingLabs

Source	Detection	Scanner	Label
http://www.chambersign.orgC	0%	Avira URL Cloud	safe
http://repository.swisssign.com/C	0%	Avira URL Cloud	safe
https://ocsp.quovadisoffshore.comK	0%	Avira URL Cloud	safe
https://canstlr.xyz/api/v6/guilds/	0%	Avira URL Cloud	safe
http://cps.chambersign.org/cps/chambersroot.htmlC	0%	Avira URL Cloud	safe
https://cdn.disco	0%	Avira URL Cloud	safe
https://canstlr.xyz/api/v6/users/	0%	Avira URL Cloud	safe
https://paste-pgpj.onrender.com/?p=12	0%	Avira URL Cloud	safe
http://repository.swisssign.com/3	0%	Avira URL Cloud	safe
https://repository.luxtrust.lu3(w	0%	Avira URL Cloud	safe
http://repository.swisssign.com/S	0%	Avira URL Cloud	safe
https://canstlr.xyz/a	0%	Avira URL Cloud	safe
http://www.quovadis.bmk	0%	Avira URL Cloud	safe
https://canstlr.xyz/apple4	0%	Avira URL Cloud	safe
http://repository.swisssign.com/k	0%	Avira URL Cloud	safe
http://cps.chambersign.org/cps/chambersroot.htmlk	0%	Avira URL Cloud	safe
https://canstlr.xyz/apple3	0%	Avira URL Cloud	safe
https://paste-pgpj.onrender.com/?p=	0%	Avira URL Cloud	safe
http://crl.chambersign.org/chambersroot.crlk	0%	Avira URL Cloud	safe
http://policy.camerfirma.com#	0%	Avira URL Cloud	safe
https://canstlr.xyz/apple3C	0%	Avira URL Cloud	safe
https://canstlr.xyC	0%	Avira URL Cloud	safe
https://canstlr.xyz/ap3	0%	Avira URL Cloud	safe
https://canstlr.xyz/api/v9/users/	0%	Avira URL Cloud	safe
https://canstlr.xyz/	0%	Avira URL Cloud	safe
http://policy.camerfirma.comk	0%	Avira URL Cloud	safe
https://repository.luxtrust.lus(w	0%	Avira URL Cloud	safe
https://repository.luxtrust.lu;	0%	Avira URL Cloud	safe

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Reputation
github.com	20.233.83.145	true	false	high
api.telegram.org	149.154.167.220	true	false	high
api.gofile.io	45.112.123.126	true	false	high
canstlr.xyz	unknown	unknown	true	unknown

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://www.chambersign.orgC	java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.steampowered.com/ISteamUser/GetPlayerSummaries/v0002/?key=440D7F4D810EF9298D25EDDF37C1F9	java.exe, 00000002.00000002.2659859380.0000000016852000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2658929285.0000000015A50000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2398411038.00000000168F8000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2454643064.00000000168E9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.chambersign.org/chambersroot.crl0	java.exe, 00000002.00000002.2654014012.000000000A790000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org	java.exe, 00000002.00000002.2635926954.000000000519D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://canstlr.xyz/api/v6/guilds/	java.exe, 00000002.00000002.2659859380.0000000016852000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2398411038.00000000168F8000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2659859380.00000000165E4000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2454643064.00000000168E9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://repository.swisssign.com/C	java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.telegram.org/bot	java.exe, 00000002.00000002.2635926954.0000000005188000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2659859380.0000000016852000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2635926954.00000000052EF000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000003.2398411038.00000000168F8000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2659859380.00000000165E4000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2454643064.00000000168E9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://github.com	java.exe, 00000002.00000002.2635926954.0000000004EDB000.00000004.00000800.00020000.00000000.sdmp	false		high
https://repository.luxtrust.lu0	java.exe, 00000002.00000002.2654014012.000000000A790000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	false		high
http://cps.chambersign.org/cps/chambersroot.html0	java.exe, 00000002.00000002.2654014012.000000000A790000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.chambersign.org1	java.exe, 00000002.00000002.2654014012.000000000A790000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/0	java.exe, 00000002.00000002.2654014012.000000000A790000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.steampowered.com/IPlayerService/GetSteamLevel/v1/?key=440D7F4D810EF9298D25EDDF37C1F902&s	java.exe, 00000002.00000002.2658929285.0000000015A50000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2398411038.00000000168F8000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2454643064.00000000168E9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://policy.camerfirma.com	java.exe, 00000002.00000002.2654014012.000000000A66A000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AA1B000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000A790000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/3	java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ocsp.quovadisoffshore.comK	java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://canstlr.xyz/api/v6/users/	java.exe, 00000002.00000003.2454643064.00000000168E9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ocsp.quovadisoffshore.com	java.exe, 00000002.00000002.2654014012.000000000A790000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.securetrust.com/STCA.crl0	java.exe, 00000002.00000002.2654014012.000000000A790000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	false		high
https://paste-pgpj.onrender.com/?p=12	java.exe, 00000002.00000002.2659859380.00000000165E4000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://cps.chambersign.org/cps/chambersroot.htmlC	java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.disco	java.exe, 00000002.00000003.2398411038.000000001686B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://repository.luxtrust.lu	java.exe, 00000002.00000002.2654014012.000000000A66A000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AA1B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.quovadisglobal.com/cps0	java.exe, 00000002.00000002.2654014012.000000000A790000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	false		high
https://repository.luxtrust.lu3(w	java.exe, 00000002.00000002.2654014012.000000000AA1B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://repository.swisssign.com/k	java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://canstlr.xyz/a	java.exe, 00000002.00000003.2398411038.000000001686B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://repository.swisssign.com/S	java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://ocsp.quovadisoffshore.com0	java.exe, 00000002.00000002.2654014012.000000000A790000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.quovadis.bmk	java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://github.com/sonriseclient/bneapple-startup-5947/raw/refs/heads/main/Java.jar	java.exe, 00000002.00000002.2635926954.0000000004EDB000.00000004.00000800.00020000.00000000.sdmp	false		high
http://repository.swisssign.com/	java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.chambersign.org	java.exe, 00000002.00000002.2654014012.000000000A94C000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot7771186573:AAHGj8VtumJ9kjTUYRUQm886fmn2UiPGXSk/sendMessage	java.exe, 00000002.00000002.2635926954.000000000519D000.00000004.00000800.00020000.00000000.sdmp	false		high
https://canstlr.xyz/apple4	java.exe, 00000002.00000002.2654014012.000000000AA1B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://policy.camerfirma.com0	java.exe, 00000002.00000002.2654014012.000000000A790000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	false		high
https://canstlr.xyz/apple3	java.exe, 00000002.00000002.2654014012.000000000AA1B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.xrampsecurity.com/XGCA.crl	java.exe, 00000002.00000002.2654014012.000000000A790000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	false		high
https://cdn.discordapp.com/embed/avatars/0.png8	java.exe, 00000002.00000002.2659859380.0000000016560000.00000004.00000020.00020000.00000000.sdmp	false		high
http://cps.chambersign.org/cps/chambersroot.htmlk	java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://paste-pgpj.onrender.com/?p=	java.exe, 00000002.00000002.2659859380.0000000016852000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2398411038.00000000168F8000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2454643064.00000000168E9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://api.gofile.io/servers	java.exe, 00000002.00000002.2654014012.000000000AA1B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://crl.chambersign.org/chambersroot.crlk	java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://bugreport.sun.com/bugreport/	java.exe, 00000002.00000002.2654014012.000000000A3F7000.00000004.00000800.00020000.00000000.sdmp	false		high
http://policy.camerfirma.com#	java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://canstlr.xyz/apple3C	java.exe, 00000002.00000002.2635926954.0000000005088000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://java.oracle.com/	java.exe, 00000002.00000002.2654014012.000000000A350000.00000004.00000800.00020000.00000000.sdmp	false		high
http://null.oracle.com/	java.exe, 00000002.00000002.2654014012.000000000A66A000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2658265307.00000000156BD000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2398969302.0000000015708000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2398660167.00000000156C6000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2659859380.00000000165E4000.00000004.00000020.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot7771186573:AAHGj8VtumJ9kjTUYRUQm886fmn2UiPGXSk	java.exe, 00000002.00000002.2635926954.0000000005188000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.steampowered.com/IPlayerService/GetOwnedGames/v1/?key=440D7F4D810EF9298D25EDDF37C1F902&s	java.exe, 00000002.00000002.2659859380.0000000016852000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2658929285.0000000015A50000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2398411038.00000000168F8000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2454643064.00000000168E9000.00000004.00000020.00020000.00000000.sdmp	false		high
https://canstlr.xyC	java.exe, 00000002.00000003.2398411038.000000001686B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://www.quovadisglobal.com/cps	java.exe, 00000002.00000002.2654014012.000000000A790000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.gofile.io/serversk	java.exe, 00000002.00000002.2654014012.000000000AA1B000.00000004.00000800.00020000.00000000.sdmp	false		high
http://cps.chambersign.org/cps/chambersroot.html	java.exe, 00000002.00000002.2654014012.000000000A790000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot7771186573:AAHGj8VtumJ9kjTUYRUQm886fmn2UiPGXSk/sendMessageSC/	java.exe, 00000002.00000002.2635926954.0000000005188000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.telegram.org/bot;U/	java.exe, 00000002.00000002.2635926954.000000000525B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://canstlr.xyz/ap3	java.exe, 00000002.00000003.2398411038.000000001686B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://canstlr.xyz/api/v9/users/	java.exe, 00000002.00000003.2454643064.00000000168E9000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.securetrust.com/STCA.crl	java.exe, 00000002.00000002.2654014012.000000000A66A000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AA1B000.00000004.00000800.00020000.00000000.sdmp	false		high
https://canstlr.xyz/	java.exe, 00000002.00000002.2635926954.0000000004E3E000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000003.2398411038.000000001686B000.00000004.00000020.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
http://crl.xrampsecurity.com/XGCA.crl0	java.exe, 00000002.00000002.2654014012.000000000A790000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	false		high
https://api.tele	java.exe, 00000002.00000003.2398411038.000000001686B000.00000004.00000020.00020000.00000000.sdmp	false		high
https://repository.luxtrust.lus(w	java.exe, 00000002.00000002.2654014012.000000000AA1B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.discordapp.com/embed/avatars/0.png	java.exe, 00000002.00000002.2659859380.0000000016852000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2398411038.00000000168F8000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2454643064.00000000168E9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://www.quovadis.bm	java.exe, 00000002.00000002.2654014012.000000000A790000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	false		high
http://www.quovadis.bm0	java.exe, 00000002.00000002.2654014012.000000000A790000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	false		high
http://policy.camerfirma.comk	java.exe, 00000002.00000002.2654014012.000000000AA1B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown
https://cdn.discordapp.com/avatars/	java.exe, 00000002.00000002.2659859380.0000000016852000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2398411038.00000000168F8000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2659859380.00000000165E4000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000003.2454643064.00000000168E9000.00000004.00000020.00020000.00000000.sdmp	false		high
http://crl.chambersign.org/chambersroot.crl	java.exe, 00000002.00000002.2654014012.000000000A790000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2654014012.000000000AC97000.00000004.00000800.00020000.00000000.sdmp	false		high
https://repository.luxtrust.lu;	java.exe, 00000002.00000002.2654014012.000000000AA1B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	ASN	ASN Name	Malicious
149.154.167.220	api.telegram.org	United Kingdom	62041	TELEGRAMRU	false
45.112.123.126	api.gofile.io	Singapore	16509	AMAZON-02US	false
20.233.83.145	github.com	United States	8075	MICROSOFT-CORP-MSN-AS-BLOCKUS	false

General Information

Joe Sandbox version:	41.0.0 Charoite
Analysis ID:	1560317
Start date and time:	2024-11-21 16:59:16 +01:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 10m 33s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsfilecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	79
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled GSI enabled (Java) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	bZPAo2e2Pv.jar renamed because original name is a hash value
Original Sample Name:	45cbb31ac832781dcd07ed72c7d947ed9060453b5bbd44b2b8f7955dbc283d9d.jar
Detection:	MAL
Classification:	mal92.troj.spyw.expl.winJAR@119/15@5/3
EGA Information:	Failed
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 2
Cookbook Comments:	Found application associated with file extension: .jar

Warnings

Exclude process from analysis (whitelisted): WMIADAP.exe, SIHClient.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target java.exe, PID 6880 because there are no executed function
Not all processes where analyzed, report is missing behavior information
Reached maximum number of file to list during submission archive extraction
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtSetInformationFile calls found.
Report size getting too big, too many NtWriteFile calls found.
VT rate limit hit for: bZPAo2e2Pv.jar

Simulations

Behavior and APIs

Time	Type	Description
11:00:27	API Interceptor	6x Sleep call for process: WMIC.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
149.154.167.220	order requirements CIF-TRC809945210.exe	Get hash	malicious	GuLoader	Browse
	Updated Invoice_0755404645-2024_pdf.exe	Get hash	malicious	Unknown	Browse
	CONTRACT COPY PRN00720387_pdf.exe	Get hash	malicious	GuLoader	Browse
	Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse
	PO-841122676_g787.exe	Get hash	malicious	GuLoader	Browse
	Wire slip account payable.pif.exe	Get hash	malicious	AgentTesla	Browse
	Order requirements CIF Greece_pdf.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse
	ORDER 20240986 OA.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse
	Documents.pdf.exe	Get hash	malicious	MassLogger RAT	Browse
	DEVIS_VALIDE.js	Get hash	malicious	XWorm	Browse
45.112.123.126	iDvmIRCPBw.exe	Get hash	malicious	Unknown	Browse
	ZdXUGLQpoL.exe	Get hash	malicious	Unknown	Browse
	jaPB8q3WL1.exe	Get hash	malicious	Unknown	Browse
	yx7VCK1nxU.exe	Get hash	malicious	Unknown	Browse
	RuntimeusererVers.exe	Get hash	malicious	Python Stealer	Browse
	file.exe	Get hash	malicious	CStealer	Browse
	dens.exe	Get hash	malicious	Python Stealer, Exela Stealer, Waltuhium Grabber	Browse
	file.exe	Get hash	malicious	LummaC, Amadey, LummaC Stealer, Stealc, Vidar	Browse
	Creal.exe	Get hash	malicious	Creal Stealer	Browse
	#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe	Get hash	malicious	Blank Grabber, Creal Stealer	Browse
20.233.83.145	https://linkchainsfix.vercel.app/	Get hash	malicious	HTMLPhisher	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
api.gofile.io	iDvmIRCPBw.exe	Get hash	malicious	Unknown	Browse	45.112.123.126
	ZdXUGLQpoL.exe	Get hash	malicious	Unknown	Browse	45.112.123.126
	jaPB8q3WL1.exe	Get hash	malicious	Unknown	Browse	45.112.123.126
	yx7VCK1nxU.exe	Get hash	malicious	Unknown	Browse	45.112.123.126
	RuntimeusererVers.exe	Get hash	malicious	Python Stealer	Browse	45.112.123.126
	file.exe	Get hash	malicious	CStealer	Browse	45.112.123.126
	dens.exe	Get hash	malicious	Python Stealer, Exela Stealer, Waltuhium Grabber	Browse	45.112.123.126
	Creal.exe	Get hash	malicious	Creal Stealer	Browse	45.112.123.126
	#U0416#U0430#U0440#U043a#U043e#U0432#U0430 .exe	Get hash	malicious	Blank Grabber, Creal Stealer	Browse	45.112.123.126
	https://gofile.io/d/IAr464	Get hash	malicious	Unknown	Browse	45.112.123.126
github.com	https://github.com/karakun/OpenWebStart/releases/download/v1.10.1/OpenWebStart_windows-x64_1_10_1.exe	Get hash	malicious	Unknown	Browse	140.82.121.4
	kIMPADTn5g.jar	Get hash	malicious	Caesium Obfuscator, STRRAT	Browse	140.82.121.3
	SWIFT-MT103-17112024.js	Get hash	malicious	STRRAT	Browse	140.82.121.3
	SWIFT-MT103-17112024.js	Get hash	malicious	STRRAT	Browse	140.82.121.3
	Nota1893.exe	Get hash	malicious	Unknown	Browse	140.82.121.4
	Requerimento.exe	Get hash	malicious	Unknown	Browse	140.82.121.4
	Nota1893.exe	Get hash	malicious	Unknown	Browse	140.82.121.4
	Requerimento.exe	Get hash	malicious	Unknown	Browse	140.82.121.4
	VerificarRequerimento.exe	Get hash	malicious	Unknown	Browse	140.82.121.3
	VerificarRequerimento.exe	Get hash	malicious	Unknown	Browse	140.82.121.3
api.telegram.org	order requirements CIF-TRC809945210.exe	Get hash	malicious	GuLoader	Browse	149.154.167.220
	Updated Invoice_0755404645-2024_pdf.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	CONTRACT COPY PRN00720387_pdf.exe	Get hash	malicious	GuLoader	Browse	149.154.167.220
	Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	PO-841122676_g787.exe	Get hash	malicious	GuLoader	Browse	149.154.167.220
	Wire slip account payable.pif.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	Order requirements CIF Greece_pdf.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
	ORDER 20240986 OA.exe	Get hash	malicious	GuLoader, Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	Documents.pdf.exe	Get hash	malicious	MassLogger RAT	Browse	149.154.167.220
	DEVIS_VALIDE.js	Get hash	malicious	XWorm	Browse	149.154.167.220

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
TELEGRAMRU	S0FTWARE.exe	Get hash	malicious	Stealc, Vidar	Browse	149.154.167.99
	order requirements CIF-TRC809945210.exe	Get hash	malicious	GuLoader	Browse	149.154.167.220
	qaHUaPUib8.exe	Get hash	malicious	Unknown	Browse	149.154.167.99
	qaHUaPUib8.exe	Get hash	malicious	Unknown	Browse	149.154.167.99
	Updated Invoice_0755404645-2024_pdf.exe	Get hash	malicious	Unknown	Browse	149.154.167.220
	CONTRACT COPY PRN00720387_pdf.exe	Get hash	malicious	GuLoader	Browse	149.154.167.220
	Request for Quotation MK FMHS.RFQ.24.11.21.bat.exe	Get hash	malicious	Snake Keylogger, VIP Keylogger	Browse	149.154.167.220
	PO-841122676_g787.exe	Get hash	malicious	GuLoader	Browse	149.154.167.220
	Wire slip account payable.pif.exe	Get hash	malicious	AgentTesla	Browse	149.154.167.220
	Order requirements CIF Greece_pdf.exe	Get hash	malicious	GuLoader, Snake Keylogger	Browse	149.154.167.220
AMAZON-02US	OGo8AQxn4k.vbs	Get hash	malicious	Unknown	Browse	185.166.143.48
	3o2WdGwcLF.vbs	Get hash	malicious	Unknown	Browse	185.166.143.50
	Mandatory Notice for all December Leave and Vacation application.exe	Get hash	malicious	FormBook	Browse	13.248.169.48
	la.bot.arm5.elf	Get hash	malicious	Unknown	Browse	34.243.160.129
	https://bitly.cx/aMW9O9	Get hash	malicious	Unknown	Browse	18.200.123.41
	dvLKUpkeV8.elf	Get hash	malicious	Unknown	Browse	54.171.230.55
	phish_alert_sp2_2.0.0.0.eml	Get hash	malicious	HTMLPhisher	Browse	13.248.176.92
	https://url.uk.m.mimecastprotect.com/s/1u4eCqxlyukZk7ltZfxHE-ELz?domain=andy-25.simvoly.com	Get hash	malicious	HTMLPhisher	Browse	18.245.31.108
	https://cardpayment.microransom.us/XYmdKR004c2prdTQ3eFRYdTZlUlAwSGhsclU2V3JnMWpuZ2h3Njg2emV0U3ZLY1Z4RkpNZm9HbkpHck9SNjFHb01Yem5jSDVSb2RmaXRIWUNvN2g1UHR4NlNzM05yeWg0R2VJSzhzSFlRVTN6UFZHYWpZSUxBeXpsYmtPMjFua1J5RFlLdm5OUVBGRnl2UWRxSjhpUFRwL1VXS1RqNEJjMmJwNkVPOVkvV2o3S3R0MkYzS1VXOG5uS1hHVll2eDdUb3hmcGtBb2VBTUdHc3hweEtXV25WRVZKdDBwWCtVZGtobzFsamp3PS0tYVREdUlIcWNwNFJ5RjAxci0tQWs2bGpCejYzaGsxMWJqSll4TWFNQT09?cid=293298779	Get hash	malicious	KnowBe4	Browse	52.214.139.140
MICROSOFT-CORP-MSN-AS-BLOCKUS	November Billing.html	Get hash	malicious	HTMLPhisher	Browse	13.107.246.63
	Quote Request.eml	Get hash	malicious	HTMLPhisher	Browse	52.98.151.66
	u.xls	Get hash	malicious	Braodo	Browse	13.107.246.63
	file.exe	Get hash	malicious	LummaC	Browse	13.107.246.63
	file.exe	Get hash	malicious	LummaC, Amadey, Credential Flusher, Cryptbot, LummaC Stealer, Stealc	Browse	94.245.104.56
	S0FTWARE.exe	Get hash	malicious	Stealc, Vidar	Browse	94.245.104.56
	https://1drv.ms/o/c/1ba8fd2bd98c98a8/EmMMbLWVyqxBh9Z6zxri2ZUBVkwUpSiY2KbvhupkdaFzGA?e=F6pNlD	Get hash	malicious	Unknown	Browse	52.108.8.12
	file.exe	Get hash	malicious	LummaC	Browse	13.107.246.44
	Kellyb Timesheet Report.pdf	Get hash	malicious	HTMLPhisher	Browse	20.190.159.68
	file.exe	Get hash	malicious	LummaC	Browse	13.107.246.44

JA3 Fingerprints

⊘No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link
C:\Users\user\AppData\Local\Temp\jna-92896885\jna3139189163944155017.dll	soinjector.exe	Get hash	malicious	Unknown	Browse
	https://www.eclipse.org/downloads/download.php?file=/oomph/epp/2024-03/R/eclipse-inst-jre-win64.exe	Get hash	malicious	Unknown	Browse
C:\Users\user\AppData\Local\Temp\sqlite-3.20.1-40faf7a8-eb23-48f9-802d-09995356935d-sqlitejdbc.dll	soinjector.exe	Get hash	malicious	Unknown	Browse

Created / dropped Files

C:\ProgramData\Oracle\Java\.oracle_jre_usage\b5820291038aa69c.timestamp

Download File

Process:	C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	52
Entropy (8bit):	4.935546689086913
Encrypted:	false
SSDEEP:	3:oFj4I5vpm4USakEy:oJ5baa
MD5:	B7F773E4FCD0D9055CDB961B9C0FAB18
SHA1:	74D5CD20E771D44889BB67093DD33E308A7BA90A
SHA-256:	85FFBEB365FC0BA7561D48C357B32B8CFD09EFF6129F0686FE99F81CFB02AC26
SHA-512:	E8BC09585EA3F8D83997CA38F171FEEB58B919402B12C66CB5B5D191DE91E0A6544DE8D72CB20F7F8ADB00B2DF237D824FAA4405FD297C504F062046D5354C55
Malicious:	false
Preview:	C:\Program Files (x86)\Java\jre-1.8..1732204817554..

C:\Users\user\AppData\Local\Microsoft\179605.zip

Download File

Process:	C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	569183
Entropy (8bit):	7.998402227577905
Encrypted:	true
SSDEEP:	12288:dp71wxFJSeZcG5LhXbv17au+7KBXS1Ftn5Co0k7dcUd:exTFcehb+7+EF2o3hd
MD5:	EFFA00FCDEFB3A27212A5FB20917D150
SHA1:	D20B3AD2BB2E8BAD839484508CDEF64D677C61FF
SHA-256:	DBADC07EEFADDA4EADBD3688E841F5FB2D6D5B5295E134EFBF095933576FC274
SHA-512:	6E0FE85EABEA938532FFADFB92D47DD8BE5BEBFC36BFB5805C2ED398E4DFC3B921351225B966B1A2DC929EB9E1489D9EACB88B937A91E45B7AE570101DB1D9C8
Malicious:	false
Preview:	PK.........XuY............"...Browsers/Chrome/Default/cookie.txt...vC0.....]bI.s..8jU...:n...'T(}....O.....R...0.7.0?..BM...Fu.O.... .B. .....xpm@1.......j../..'..e...xb..`}~..F...cq.4..=f.K...4..2.\.....I...W..(q.!.+L.........tR........\.ZWh.#f.Y\W"...Dr2d.s.d.>.7.PK.....B........PK.........XuY............$...Browsers/Microsoft Edge/password.txt..PK..............PK.........XuY................Game/craftrise.txt.........PK..g.C.........PK.........XuY................Game/sonoyuncu.txt.........PK..g.C.........PK.........XuY................screenshot.png..uT....gw...QA%...D.T.]r..n..D..[@...RKH,-].4H#./...93s.9.......y..j..2...@....=...........C.....T^.}..i......$.[.@E..^.s..z...t..j.u?cl7...D.e.<.#.>C...:-..C....W.:U..z....M...........A].n......:P.^....W.x[..Z...m.Dj....{t....KH.Ml.G<N#..s.kO+.R..IJ9n...,.M".......z...O....O.N..-_c)ci9.+..p..+.......?b.NU.....>.....v...Wd..G..p_..a....,)......x\.....S.4..`.}.......#..a.W.f.j.QO.M.ykL...no

C:\Users\user\AppData\Local\Microsoft\179605\Browsers\Chrome\Default\cookie.txt (copy)

Download File

Process:	C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	273
Entropy (8bit):	5.825524542035742
Encrypted:	false
SSDEEP:	6:Pk3rocHDyzxb6t+3rocHDKJJch1URW6Di7zxJVdGIIn5kT/C:c79EU+79LODyxIn5N
MD5:	3CCFB5196DF424FFC2A0D9B9C6522529
SHA1:	006A97F1810291522345DEB3A435B0F994747BB6
SHA-256:	44EF3C31F63DDFC34F18D4140A9DCB055403B66B3E7B1876D01C6E94BB29F1AE
SHA-512:	98C8D149EE74F6F66B92159241F705D9BFB2BB918777BA36CF183D5B7A7A5BC73F0CBB4F55CF9DDE5AF637020B605032F1F7506F02FEACB03C8A66EDB949155F
Malicious:	false
Preview:	.google.com.TRUE./.FALSE.2597573456.1P_JAR.2023-10-05-12..google.com.TRUE./.FALSE.2597573456.NID.511=mmbjHIW3BhoJp_WlyHkUgqKZXD6pmTuADdoAp_PDxA2xahtsaif4BkKrvmLt4wLjq-7-tV9jZcxMj0sSIltFFvmFpAzc_q0UIMqMpOy-URy1YhAsmGKzZ62a7Pl0LYofsu9x2N5Be-7OSAD_ZTgfoYvoKMStu7thwi0QM0tTIr8.

C:\Users\user\AppData\Local\Microsoft\179605\Game\craftrise.txt

Download File

Process:	C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	11
Entropy (8bit):	2.186704345910025
Encrypted:	false
SSDEEP:	3:blVOM:BVj
MD5:	C4E084CD947C96A0B82B02C634540789
SHA1:	DE91618BAF7ECCBAD86A0610176B6BE79E16A094
SHA-256:	C926A5B9148DEECB9084D03187B9297B501296DE20F87DB2B689066C3FBB34D2
SHA-512:	C2D288B2EE229C8EDD1250284322A118B06A847AD05E076F4F028ACD5A060864A4F6DBE77C091707AFF49663E3A6D7C8E173DDC83220C44DF6468C02E7EB7E85
Malicious:	false
Preview:	Yokki:Yokki

C:\Users\user\AppData\Local\Microsoft\179605\Game\sonoyuncu.txt

Download File

Process:	C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
File Type:	ASCII text, with no line terminators
Category:	dropped
Size (bytes):	11
Entropy (8bit):	2.186704345910025
Encrypted:	false
SSDEEP:	3:blVOM:BVj
MD5:	C4E084CD947C96A0B82B02C634540789
SHA1:	DE91618BAF7ECCBAD86A0610176B6BE79E16A094
SHA-256:	C926A5B9148DEECB9084D03187B9297B501296DE20F87DB2B689066C3FBB34D2
SHA-512:	C2D288B2EE229C8EDD1250284322A118B06A847AD05E076F4F028ACD5A060864A4F6DBE77C091707AFF49663E3A6D7C8E173DDC83220C44DF6468C02E7EB7E85
Malicious:	false
Preview:	Yokki:Yokki

C:\Users\user\AppData\Local\Microsoft\179605\screenshot.png

Download File

Process:	C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
File Type:	PNG image data, 1280 x 1024, 8-bit/color RGB, non-interlaced
Category:	dropped
Size (bytes):	572822
Entropy (8bit):	7.9241520789903
Encrypted:	false
SSDEEP:	12288:PxSmIZc5tB2NZHLcJQwFovdXs4pXhVVeQfnd0lpoHgF7GdoTm:PAmwKaE8vdJpzbnilaHUiX
MD5:	D681BD559F47FDDECFC54EC2432E897F
SHA1:	05DDEDF90606697A1FF6F45DEFF619BF5413F387
SHA-256:	7465EE1A6394FA8DFD62BF6554419DEE2952BB65D786865095F5E1103C35D422
SHA-512:	227590745926C6E2D3E0C7A4AF2083E94D3DA138F4448793EDC495F606A6A4B96952675328680A7EA353C3D6973644B9335F12DC307C52A525840332198A5863
Malicious:	false
Preview:	.PNG........IHDR.............1.c.....IDATx..y...u.U.7.C..........{.b.g.D.....A.;...B..7.....D..(J.wR\....J\DY...@/..;@. .}k.....B.s2O.[_VUWU/h..q"../.L..~:...y.O.A.1u...-....9.-:.M.g....O..O."oa....S..@i.Xp.h....w.J<y.{.(..o........&.#.).sW.G....9....>.C.....x.PF%.(@...fS.>_.{;..m_...@.%.)@.....}.)......)Z....UI.....w.N..]...i.....J.N....w..m.......<..mk.-9..N.J..;.Ub...f_.....+..w.R......gV.7..5...3..._y.....6I.-...}.5o..J.Q.bMi].)....nYO.\|a.............V%7...7....Z...x.....Ti.n.5.k..V...8\|.Z.K..d.....Be7....>.....:y.j.V..\|....;J.CXP.7..f.U.-.~U...9.5{U.u..Y.m.V,.S>w.n..p..9.+........q-..Y.....df[bz...M.h...;P......%.[..@.i......UX....3...%.iNLm.dZK.MPrZc...k.\|f+...xZ6......0...~....k..5..5oK.iLNYY2.....fJS.K.4@\$'.C%.W.N...J&7B.)n...J'6.LX.......M.n...M,..I.Z@\|..q...T>..lB..\.^.29..d\|=...S.;..Y9...:..7jybl-.zcjp...&>.M~......&4T..........IM..i..Zl..n*..P:ve......M...\^5...J..SX..6...x.k......>>.a.\@.....-...

C:\Users\user\AppData\Local\Microsoft\cookies.txt

Download File

Process:	C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
File Type:	ASCII text
Category:	dropped
Size (bytes):	273
Entropy (8bit):	5.825524542035742
Encrypted:	false
SSDEEP:	6:Pk3rocHDyzxb6t+3rocHDKJJch1URW6Di7zxJVdGIIn5kT/C:c79EU+79LODyxIn5N
MD5:	3CCFB5196DF424FFC2A0D9B9C6522529
SHA1:	006A97F1810291522345DEB3A435B0F994747BB6
SHA-256:	44EF3C31F63DDFC34F18D4140A9DCB055403B66B3E7B1876D01C6E94BB29F1AE
SHA-512:	98C8D149EE74F6F66B92159241F705D9BFB2BB918777BA36CF183D5B7A7A5BC73F0CBB4F55CF9DDE5AF637020B605032F1F7506F02FEACB03C8A66EDB949155F
Malicious:	false
Preview:	.google.com.TRUE./.FALSE.2597573456.1P_JAR.2023-10-05-12..google.com.TRUE./.FALSE.2597573456.NID.511=mmbjHIW3BhoJp_WlyHkUgqKZXD6pmTuADdoAp_PDxA2xahtsaif4BkKrvmLt4wLjq-7-tV9jZcxMj0sSIltFFvmFpAzc_q0UIMqMpOy-URy1YhAsmGKzZ62a7Pl0LYofsu9x2N5Be-7OSAD_ZTgfoYvoKMStu7thwi0QM0tTIr8.

C:\Users\user\AppData\Local\Temp\edge_tempfile.db

Download File

Process:	C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 7, database pages 89, cookie 0x36, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	196608
Entropy (8bit):	1.1220068301579391
Encrypted:	false
SSDEEP:	384:r2qOB1nxCkvSAELyKOMq+8JoudpfjOLl:aq+n0E9ELyKOMq+8qu3SJ
MD5:	87EE0BBB38B11E14090EF60A7D56C8B1
SHA1:	37966F94007814B687989937B4A299FA816581ED
SHA-256:	22CD1C8F26B721A19A1E9108D16AB419ABAD17D34ACDA62CAE3004014D88437E
SHA-512:	37572D4B5A336BC8220B9CF64F8F2D6041C68A449C582221C5C62A3BA1D8D4CA5C241C9383038EBF3D2787CF4AB9F7370E1A3C4AC7D6EC0A942FC41CD7917266
Malicious:	false
Preview:	SQLite format 3......@ .......Y...........6......................................................j............W........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\hsperfdata_user\6880

Download File

Process:	C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.3084151402718946
Encrypted:	false
SSDEEP:	96:e1ANr4NB8GS+i1H80cXcF5KHoxI4M3PKkGSFNHE1zo26:e1Z78GS+cc0csFi4BUfHE5
MD5:	D6507BACD255B32B7519C1BD6A1C61ED
SHA1:	DDCA4A3570B8D2F453B268B412536D68BF85535B
SHA-256:	D5C3BC7560C4FFDF5C8D1DDCCACEF95459D08AD3C19489AB54E53533F286AD6A
SHA-512:	2F8B270291EDDB95713676DA35FF503BCAD8703C54D7B387A7892034EDB7BD7CB62F5052C7724764B5E8E8CDB36CBC791A9FC2681BC2FF5083F0975E4E35ABE0
Malicious:	false
Preview:	.........9.............. .......8...........J...0...sun.rt._sync_Inflations.....".......8...........J...0...sun.rt._sync_Deflations.............@...........J...8...sun.rt._sync_ContendedLockAttempts..........8...........J...0...sun.rt._sync_FutileWakeups..........0...........J...(...sun.rt._sync_Parks..h.......@...........J...8...sun.rt._sync_EmptyNotifications.............8...........J...0...sun.rt._sync_Notifications..`.......8...........J...0...sun.rt._sync_SlowEnter..............8...........J...0...sun.rt._sync_SlowExit...............8...........J...0...sun.rt._sync_SlowNotify.............8...........J...0...sun.rt._sync_SlowNotifyAll..........8...........J...0...sun.rt._sync_FailedSpins............@...........J...8...sun.rt._sync_SuccessfulSpins................8...........J...0...sun.rt._sync_PrivateA...............8...........J...0...sun.rt._sync_PrivateB...............@...........J...8...sun.rt._sync_MonInCirculation...............8...........J...0...sun.rt._sync_MonScavenged...

C:\Users\user\AppData\Local\Temp\jna-92896885\jna3139189163944155017.dll

Download File

Process:	C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:	dropped
Size (bytes):	211456
Entropy (8bit):	6.575456249068181
Encrypted:	false
SSDEEP:	3072:XsYkXwU8MpSFif9jejzCvjrEt1++W9WCrHudSzoNyLXX4Fv/IK9zFaTsXvXs9G44:XFL/myjzss1++kQCo2XMLvXs9G4q2c
MD5:	E15183EF9C6C255B76FDA73D01CA7ECB
SHA1:	F816F998C43204230D9EA3EECFFB5F8372A32C2E
SHA-256:	38650A0612730C52580C9F32FF766B44B1C5A426D52E7DD7A53687BF3389AC2C
SHA-512:	EC5D7CB3A209C4A1C60BB374755F2809AE892530439FADAB335569BBBF8937DD209F9FAC27393C66371594DAEAD30545F465D25C4DB48CB519BDB50964EF756B
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: soinjector.exe, Detection: malicious, Browse Filename: , Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........!:..@T..@T..@T..(W..@T..(Q.S@T..(P..@T..4Q..@T..4P..@T..4W..@T..(U..@T..@U..@T..4W..@T..@T..@T..4P..@T..4T..@T..4V..@T.Rich.@T.........PE..L....}.c...........!.....N..........?R.......`............................................@.............................T...$...<....@.......................P... ..\|...................................@............`..0............................text....M.......N.................. ..`.rdata...\|...`...~...R..............@..@.data...\Q.......D..................@....rsrc........@......................@....reloc... ...P..."..................@..B................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\sqlite-3.20.1-40faf7a8-eb23-48f9-802d-09995356935d-sqlitejdbc.dll

Download File

Process:	C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
File Type:	PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
Category:	dropped
Size (bytes):	889856
Entropy (8bit):	6.420545484819812
Encrypted:	false
SSDEEP:	24576:4h2l/NT2mP8kBDZJMa1DDGITUQYBgouZbU/OMF/0J9Jsz/p0:t7JNtDAfgNEOMF/0Jw
MD5:	5A71D86A23A6CF63244885748D3AF5B8
SHA1:	C5B4B5269B3B5A0B18E0CAB4C07CB0CB136A3AAD
SHA-256:	52A9A1CE0F110563AF4AE34B83A5C256062944CB2B294EEBB05E2568E2AE5977
SHA-512:	118D3D13D592226C4C2F873687FC15245853D1E1140406A31A46B3E60AB7AABBD6B5F2224DDD151F32A7821A48F1C1CAA481D7270E2F673B2E1FCF33A9AB688C
Malicious:	false
Antivirus:	Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:	Filename: soinjector.exe, Detection: malicious, Browse
Preview:	MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L..................#......................... .....e................................O......... ......................`..#....p..l................................E..................................................dr...............................text...............................`.P`.data...\|.... ......................@.p..rdata.. ....@.......*..............@.p@.bss....(....P........................p..edata..#....`.......,..............@.0@.idata..l....p.......:..............@.0..CRT....,............J..............@.0..tls.... ............L..............@.0..reloc...E.......F...N..............@.0B........................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tempfile.db

Download File

Process:	C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 25, cookie 0xe, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	51200
Entropy (8bit):	0.8746135976761988
Encrypted:	false
SSDEEP:	96:O8mmwLCn8MouB6wzFlOqUvJKLReZff44EK:O8yLG7IwRWf4
MD5:	9E68EA772705B5EC0C83C2A97BB26324
SHA1:	243128040256A9112CEAC269D56AD6B21061FF80
SHA-256:	17006E475332B22DB7B337F1CBBA285B3D9D0222FD06809AA8658A8F0E9D96EF
SHA-512:	312484208DC1C35F87629520FD6749B9DDB7D224E802D0420211A7535D911EC1FA0115DC32D8D1C2151CF05D5E15BBECC4BCE58955CFFDE2D6D5216E5F8F3BDF
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tempfile1.db

Download File

Process:	C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, file counter 7, database pages 5, cookie 0x5, schema 4, UTF-8, version-valid-for 7
Category:	dropped
Size (bytes):	20480
Entropy (8bit):	0.6732424250451717
Encrypted:	false
SSDEEP:	24:TLO1nKbXYFpFNYcoqT1kwE6UwpQ9YHVXxZ6HfB:Tq1KLopF+SawLUO1Xj8B
MD5:	CFFF4E2B77FC5A18AB6323AF9BF95339
SHA1:	3AA2C2115A8EB4516049600E8832E9BFFE0C2412
SHA-256:	EC8B67EF7331A87086A6CC085B085A6B7FFFD325E1B3C90BD3B9B1B119F696AE
SHA-512:	0BFDC8D28D09558AA97F4235728AD656FE9F6F2C61DDA2D09B416F89AB60038537B7513B070B907E57032A68B9717F03575DB6778B68386254C8157559A3F1BC
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j...$......g..........................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\tempfile2.db

Download File

Process:	C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
File Type:	SQLite 3.x database, last written using SQLite version 3042000, page size 2048, file counter 1, database pages 20, cookie 0xb, schema 4, UTF-8, version-valid-for 1
Category:	dropped
Size (bytes):	40960
Entropy (8bit):	0.8553638852307782
Encrypted:	false
SSDEEP:	48:2x7BA+IIF7CVEq8Ma0D0HOlf/6ykwp1EUwMHZq10bvJKLkw8s8LKvUf9KVyJ7h/f:QNDCn8MouB6wz8iZqmvJKLPeymwil
MD5:	28222628A3465C5F0D4B28F70F97F482
SHA1:	1BAA3DEB7DFD7C9B4CA9FDB540F236C24917DD14
SHA-256:	93A6AF6939B17143531FA4474DFC564FA55359308B910E6F0DCA774D322C9BE4
SHA-512:	C8FB93F658C1A654186FA6AA2039E40791E6B0A1260B223272BB01279A7B574E238B28217DADF3E1850C7083ADFA2FE5DA0CCE6F9BCABD59E1FFD1061B3A88F7
Malicious:	false
Preview:	SQLite format 3......@ ..........................................................................j.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\83aa4cc77f591dfc2374580bbd95f6ba_9e146be9-c76a-4720-bcdb-53011b87bd06

Download File

Process:	C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
File Type:	data
Category:	dropped
Size (bytes):	45
Entropy (8bit):	0.9111711733157262
Encrypted:	false
SSDEEP:	3:/lwlt7n:WNn
MD5:	C8366AE350E7019AEFC9D1E6E6A498C6
SHA1:	5731D8A3E6568A5F2DFBBC87E3DB9637DF280B61
SHA-256:	11E6ACA8E682C046C83B721EEB5C72C5EF03CB5936C60DF6F4993511DDC61238
SHA-512:	33C980D5A638BFC791DE291EBF4B6D263B384247AB27F261A54025108F2F85374B579A026E545F81395736DD40FA4696F2163CA17640DD47F1C42BC9971B18CD
Malicious:	false
Preview:	........................................J2SE.

Static File Info

General

File type:	Java archive data (JAR)
Entropy (8bit):	7.974213977145014
TrID:	Java Archive (13504/1) 62.80% ZIP compressed archive (8000/1) 37.20%
File name:	bZPAo2e2Pv.jar
File size:	14'111'939 bytes
MD5:	0e929dc2d517690e49d95ec4ffeb067b
SHA1:	3793bd95395f32d677ed7877972ee38c1581089a
SHA256:	45cbb31ac832781dcd07ed72c7d947ed9060453b5bbd44b2b8f7955dbc283d9d
SHA512:	ef0d06229f34c798575fa5cdd7d81ad3be772ea1b395a32a853ec99bc9777f4503b9d64d869fe1f27cd2f84c7d1a2a0d197df16d3bb2d4459a50b5cb296bdf13
SSDEEP:	393216:QiFH942jpQGw1jiJyplw7JwO2UkI5LYvFAYmgsDiEt7t8:Qiz4KpQG+mJQlwSO2DvFAvZpJ8
TLSH:	55E612B3BDE1C829E927E0B251C2C562242A22DAE487D17F26E06DE65D71D470353FEC
File Content Preview:	PK..........MY............1...org/apache/commons/codec/language/bm/Rule$1.class.....TmO.`.=W...l....S...(( :@e.N.1bP?..@M.6.F4..d........G......!..nI..g=......_...L.H.....:...+.]*.V....).jmT..]Y+)...>0.....,.....h.........uA.....`.j.0..M.,.......T\....7..

File Icon


Icon Hash:	d08c8e8ea2868a54

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 21, 2024 17:00:23.953025103 CET	49711	443	192.168.2.12	45.112.123.126
Nov 21, 2024 17:00:23.953054905 CET	443	49711	45.112.123.126	192.168.2.12
Nov 21, 2024 17:00:23.953109980 CET	49711	443	192.168.2.12	45.112.123.126
Nov 21, 2024 17:00:24.136163950 CET	49711	443	192.168.2.12	45.112.123.126
Nov 21, 2024 17:00:24.136193991 CET	443	49711	45.112.123.126	192.168.2.12
Nov 21, 2024 17:00:25.719933987 CET	443	49711	45.112.123.126	192.168.2.12
Nov 21, 2024 17:00:25.720000982 CET	49711	443	192.168.2.12	45.112.123.126
Nov 21, 2024 17:00:25.742029905 CET	49711	443	192.168.2.12	45.112.123.126
Nov 21, 2024 17:00:25.742053032 CET	443	49711	45.112.123.126	192.168.2.12
Nov 21, 2024 17:00:25.793751955 CET	49711	443	192.168.2.12	45.112.123.126
Nov 21, 2024 17:00:25.793777943 CET	443	49711	45.112.123.126	192.168.2.12
Nov 21, 2024 17:00:25.794037104 CET	443	49711	45.112.123.126	192.168.2.12
Nov 21, 2024 17:00:25.794090033 CET	49711	443	192.168.2.12	45.112.123.126
Nov 21, 2024 17:00:25.794614077 CET	49711	443	192.168.2.12	45.112.123.126
Nov 21, 2024 17:00:25.794630051 CET	443	49711	45.112.123.126	192.168.2.12
Nov 21, 2024 17:00:37.510881901 CET	49717	443	192.168.2.12	149.154.167.220
Nov 21, 2024 17:00:37.510935068 CET	443	49717	149.154.167.220	192.168.2.12
Nov 21, 2024 17:00:37.511003017 CET	49717	443	192.168.2.12	149.154.167.220
Nov 21, 2024 17:00:37.516153097 CET	49717	443	192.168.2.12	149.154.167.220
Nov 21, 2024 17:00:37.516166925 CET	443	49717	149.154.167.220	192.168.2.12
Nov 21, 2024 17:00:38.931143045 CET	443	49717	149.154.167.220	192.168.2.12
Nov 21, 2024 17:00:38.931267023 CET	49717	443	192.168.2.12	149.154.167.220
Nov 21, 2024 17:00:38.991008997 CET	49717	443	192.168.2.12	149.154.167.220
Nov 21, 2024 17:00:38.991038084 CET	443	49717	149.154.167.220	192.168.2.12
Nov 21, 2024 17:00:39.040963888 CET	49717	443	192.168.2.12	149.154.167.220
Nov 21, 2024 17:00:39.040987015 CET	443	49717	149.154.167.220	192.168.2.12
Nov 21, 2024 17:00:39.041274071 CET	443	49717	149.154.167.220	192.168.2.12
Nov 21, 2024 17:00:39.041368008 CET	49717	443	192.168.2.12	149.154.167.220
Nov 21, 2024 17:00:39.041620016 CET	49717	443	192.168.2.12	149.154.167.220
Nov 21, 2024 17:00:39.041635036 CET	443	49717	149.154.167.220	192.168.2.12
Nov 21, 2024 17:00:39.375088930 CET	49718	443	192.168.2.12	45.112.123.126
Nov 21, 2024 17:00:39.375157118 CET	443	49718	45.112.123.126	192.168.2.12
Nov 21, 2024 17:00:39.375221968 CET	49718	443	192.168.2.12	45.112.123.126
Nov 21, 2024 17:00:39.379144907 CET	49718	443	192.168.2.12	45.112.123.126
Nov 21, 2024 17:00:39.379175901 CET	443	49718	45.112.123.126	192.168.2.12
Nov 21, 2024 17:00:40.806381941 CET	443	49718	45.112.123.126	192.168.2.12
Nov 21, 2024 17:00:40.806509972 CET	49718	443	192.168.2.12	45.112.123.126
Nov 21, 2024 17:00:40.811518908 CET	49718	443	192.168.2.12	45.112.123.126
Nov 21, 2024 17:00:40.811532021 CET	443	49718	45.112.123.126	192.168.2.12
Nov 21, 2024 17:00:40.814616919 CET	49718	443	192.168.2.12	45.112.123.126
Nov 21, 2024 17:00:40.814620972 CET	443	49718	45.112.123.126	192.168.2.12
Nov 21, 2024 17:00:40.814836979 CET	443	49718	45.112.123.126	192.168.2.12
Nov 21, 2024 17:00:40.814894915 CET	49718	443	192.168.2.12	45.112.123.126
Nov 21, 2024 17:00:40.814974070 CET	49718	443	192.168.2.12	45.112.123.126
Nov 21, 2024 17:00:40.814986944 CET	443	49718	45.112.123.126	192.168.2.12
Nov 21, 2024 17:00:43.141391039 CET	49719	443	192.168.2.12	149.154.167.220
Nov 21, 2024 17:00:43.141431093 CET	443	49719	149.154.167.220	192.168.2.12
Nov 21, 2024 17:00:43.141496897 CET	49719	443	192.168.2.12	149.154.167.220
Nov 21, 2024 17:00:43.144918919 CET	49719	443	192.168.2.12	149.154.167.220
Nov 21, 2024 17:00:43.144948959 CET	443	49719	149.154.167.220	192.168.2.12
Nov 21, 2024 17:00:44.573455095 CET	443	49719	149.154.167.220	192.168.2.12
Nov 21, 2024 17:00:44.573566914 CET	49719	443	192.168.2.12	149.154.167.220
Nov 21, 2024 17:00:44.598511934 CET	49719	443	192.168.2.12	149.154.167.220
Nov 21, 2024 17:00:44.598553896 CET	443	49719	149.154.167.220	192.168.2.12
Nov 21, 2024 17:00:44.646683931 CET	49719	443	192.168.2.12	149.154.167.220
Nov 21, 2024 17:00:44.646712065 CET	443	49719	149.154.167.220	192.168.2.12
Nov 21, 2024 17:00:44.647013903 CET	443	49719	149.154.167.220	192.168.2.12
Nov 21, 2024 17:00:44.647165060 CET	49719	443	192.168.2.12	149.154.167.220
Nov 21, 2024 17:00:44.647176981 CET	443	49719	149.154.167.220	192.168.2.12
Nov 21, 2024 17:00:44.647206068 CET	49719	443	192.168.2.12	149.154.167.220
Nov 21, 2024 17:00:45.170500994 CET	49720	443	192.168.2.12	20.233.83.145
Nov 21, 2024 17:00:45.170551062 CET	443	49720	20.233.83.145	192.168.2.12
Nov 21, 2024 17:00:45.170661926 CET	49720	443	192.168.2.12	20.233.83.145
Nov 21, 2024 17:00:45.181850910 CET	49720	443	192.168.2.12	20.233.83.145
Nov 21, 2024 17:00:45.181868076 CET	443	49720	20.233.83.145	192.168.2.12
Nov 21, 2024 17:00:46.917960882 CET	443	49720	20.233.83.145	192.168.2.12
Nov 21, 2024 17:00:46.918111086 CET	49720	443	192.168.2.12	20.233.83.145
Nov 21, 2024 17:00:46.923352957 CET	49720	443	192.168.2.12	20.233.83.145
Nov 21, 2024 17:00:46.923377037 CET	443	49720	20.233.83.145	192.168.2.12
Nov 21, 2024 17:00:46.927007914 CET	49720	443	192.168.2.12	20.233.83.145
Nov 21, 2024 17:00:46.927018881 CET	443	49720	20.233.83.145	192.168.2.12
Nov 21, 2024 17:00:46.927345037 CET	443	49720	20.233.83.145	192.168.2.12
Nov 21, 2024 17:00:46.927371979 CET	49720	443	192.168.2.12	20.233.83.145
Nov 21, 2024 17:00:46.927388906 CET	443	49720	20.233.83.145	192.168.2.12
Nov 21, 2024 17:00:46.927419901 CET	49720	443	192.168.2.12	20.233.83.145

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Nov 21, 2024 17:00:23.800260067 CET	55618	53	192.168.2.12	1.1.1.1
Nov 21, 2024 17:00:23.948230028 CET	53	55618	1.1.1.1	192.168.2.12
Nov 21, 2024 17:00:26.108284950 CET	50238	53	192.168.2.12	1.1.1.1
Nov 21, 2024 17:00:26.477524042 CET	53	50238	1.1.1.1	192.168.2.12
Nov 21, 2024 17:00:37.364867926 CET	52929	53	192.168.2.12	1.1.1.1
Nov 21, 2024 17:00:37.507278919 CET	53	52929	1.1.1.1	192.168.2.12
Nov 21, 2024 17:00:39.043621063 CET	59993	53	192.168.2.12	1.1.1.1
Nov 21, 2024 17:00:39.201754093 CET	53	59993	1.1.1.1	192.168.2.12
Nov 21, 2024 17:00:45.002383947 CET	54823	53	192.168.2.12	1.1.1.1
Nov 21, 2024 17:00:45.142535925 CET	53	54823	1.1.1.1	192.168.2.12

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Nov 21, 2024 17:00:23.800260067 CET	192.168.2.12	1.1.1.1	0x8b4f	Standard query (0)	api.gofile.io	A (IP address)	IN (0x0001)	false
Nov 21, 2024 17:00:26.108284950 CET	192.168.2.12	1.1.1.1	0xc496	Standard query (0)	canstlr.xyz	A (IP address)	IN (0x0001)	false
Nov 21, 2024 17:00:37.364867926 CET	192.168.2.12	1.1.1.1	0xc1c4	Standard query (0)	api.telegram.org	A (IP address)	IN (0x0001)	false
Nov 21, 2024 17:00:39.043621063 CET	192.168.2.12	1.1.1.1	0x167	Standard query (0)	canstlr.xyz	A (IP address)	IN (0x0001)	false
Nov 21, 2024 17:00:45.002383947 CET	192.168.2.12	1.1.1.1	0xdb9e	Standard query (0)	github.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Nov 21, 2024 17:00:23.948230028 CET	1.1.1.1	192.168.2.12	0x8b4f	No error (0)	api.gofile.io		45.112.123.126	A (IP address)	IN (0x0001)	false
Nov 21, 2024 17:00:26.477524042 CET	1.1.1.1	192.168.2.12	0xc496	Name error (3)	canstlr.xyz	none	none	A (IP address)	IN (0x0001)	false
Nov 21, 2024 17:00:37.507278919 CET	1.1.1.1	192.168.2.12	0xc1c4	No error (0)	api.telegram.org		149.154.167.220	A (IP address)	IN (0x0001)	false
Nov 21, 2024 17:00:39.201754093 CET	1.1.1.1	192.168.2.12	0x167	Name error (3)	canstlr.xyz	none	none	A (IP address)	IN (0x0001)	false
Nov 21, 2024 17:00:45.142535925 CET	1.1.1.1	192.168.2.12	0xdb9e	No error (0)	github.com		20.233.83.145	A (IP address)	IN (0x0001)	false

Target ID:	0
Start time:	11:00:16
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\bZPAo2e2Pv.jar"" >> C:\cmdlinestart.log 2>&1
Imagebase:	0x1f0000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	11:00:16
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff704000000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	11:00:16
Start date:	21/11/2024
Path:	C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\bZPAo2e2Pv.jar"
Imagebase:	0x4b0000
File size:	257'664 bytes
MD5 hash:	9DAA53BAB2ECB33DC0D9CA51552701FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_CanStealer, Description: Yara detected Can Stealer, Source: 00000002.00000002.2659859380.00000000165E4000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_CanStealer, Description: Yara detected Can Stealer, Source: 00000002.00000002.2654014012.000000000AA1B000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	11:00:17
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Imagebase:	0x770000
File size:	29'696 bytes
MD5 hash:	2E49585E4E08565F52090B144062F97E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	11:00:17
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff704000000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	11:00:17
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\tasklist.exe
Wow64 process (32bit):	true
Commandline:	tasklist
Imagebase:	0x620000
File size:	79'360 bytes
MD5 hash:	0A4448B31CE7F83CB7691A2657F330F1
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	11:00:17
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff704000000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	11:00:21
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\HOSTNAME.EXE
Wow64 process (32bit):	true
Commandline:	hostname
Imagebase:	0xb50000
File size:	11'776 bytes
MD5 hash:	B1C51FED46434CF91E65C7B605F8EF3A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	8
Start time:	11:00:21
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff704000000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	9
Start time:	11:00:22
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\HOSTNAME.EXE
Wow64 process (32bit):	true
Commandline:	hostname
Imagebase:	0xb50000
File size:	11'776 bytes
MD5 hash:	B1C51FED46434CF91E65C7B605F8EF3A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	11:00:22
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff704000000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	11:00:22
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\HOSTNAME.EXE
Wow64 process (32bit):	true
Commandline:	hostname
Imagebase:	0xb50000
File size:	11'776 bytes
MD5 hash:	B1C51FED46434CF91E65C7B605F8EF3A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	11:00:22
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff704000000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	11:00:22
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\HOSTNAME.EXE
Wow64 process (32bit):	true
Commandline:	hostname
Imagebase:	0xb50000
File size:	11'776 bytes
MD5 hash:	B1C51FED46434CF91E65C7B605F8EF3A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	14
Start time:	11:00:22
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff704000000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	11:00:22
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\HOSTNAME.EXE
Wow64 process (32bit):	true
Commandline:	hostname
Imagebase:	0xb50000
File size:	11'776 bytes
MD5 hash:	B1C51FED46434CF91E65C7B605F8EF3A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	11:00:22
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff704000000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	11:00:22
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\HOSTNAME.EXE
Wow64 process (32bit):	true
Commandline:	hostname
Imagebase:	0xb50000
File size:	11'776 bytes
MD5 hash:	B1C51FED46434CF91E65C7B605F8EF3A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	11:00:22
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff704000000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	11:00:25
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\HOSTNAME.EXE
Wow64 process (32bit):	true
Commandline:	hostname
Imagebase:	0xb50000
File size:	11'776 bytes
MD5 hash:	B1C51FED46434CF91E65C7B605F8EF3A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	11:00:25
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff704000000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	11:00:25
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\HOSTNAME.EXE
Wow64 process (32bit):	true
Commandline:	hostname
Imagebase:	0xb50000
File size:	11'776 bytes
MD5 hash:	B1C51FED46434CF91E65C7B605F8EF3A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	11:00:25
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff704000000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	11:00:25
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\HOSTNAME.EXE
Wow64 process (32bit):	true
Commandline:	hostname
Imagebase:	0xb50000
File size:	11'776 bytes
MD5 hash:	B1C51FED46434CF91E65C7B605F8EF3A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	24
Start time:	11:00:26
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff704000000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	25
Start time:	11:00:26
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\HOSTNAME.EXE
Wow64 process (32bit):	true
Commandline:	hostname
Imagebase:	0xb50000
File size:	11'776 bytes
MD5 hash:	B1C51FED46434CF91E65C7B605F8EF3A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	26
Start time:	11:00:26
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff704000000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	27
Start time:	11:00:26
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\HOSTNAME.EXE
Wow64 process (32bit):	true
Commandline:	hostname
Imagebase:	0xb50000
File size:	11'776 bytes
MD5 hash:	B1C51FED46434CF91E65C7B605F8EF3A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	28
Start time:	11:00:26
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff704000000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	29
Start time:	11:00:26
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\HOSTNAME.EXE
Wow64 process (32bit):	true
Commandline:	hostname
Imagebase:	0xb50000
File size:	11'776 bytes
MD5 hash:	B1C51FED46434CF91E65C7B605F8EF3A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	30
Start time:	11:00:26
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff704000000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	31
Start time:	11:00:26
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\HOSTNAME.EXE
Wow64 process (32bit):	true
Commandline:	hostname
Imagebase:	0xb50000
File size:	11'776 bytes
MD5 hash:	B1C51FED46434CF91E65C7B605F8EF3A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	32
Start time:	11:00:26
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff704000000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	33
Start time:	11:00:26
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\HOSTNAME.EXE
Wow64 process (32bit):	true
Commandline:	hostname
Imagebase:	0xb50000
File size:	11'776 bytes
MD5 hash:	B1C51FED46434CF91E65C7B605F8EF3A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	34
Start time:	11:00:26
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff704000000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	35
Start time:	11:00:26
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\HOSTNAME.EXE
Wow64 process (32bit):	true
Commandline:	hostname
Imagebase:	0xb50000
File size:	11'776 bytes
MD5 hash:	B1C51FED46434CF91E65C7B605F8EF3A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	36
Start time:	11:00:26
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff704000000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	37
Start time:	11:00:26
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\HOSTNAME.EXE
Wow64 process (32bit):	true
Commandline:	hostname
Imagebase:	0xb50000
File size:	11'776 bytes
MD5 hash:	B1C51FED46434CF91E65C7B605F8EF3A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	38
Start time:	11:00:26
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff704000000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	39
Start time:	11:00:26
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit):	true
Commandline:	wmic path win32_VideoController get name
Imagebase:	0x810000
File size:	427'008 bytes
MD5 hash:	E2DE6500DE1148C7F6027AD50AC8B891
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	40
Start time:	11:00:26
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff704000000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	41
Start time:	11:00:28
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit):	true
Commandline:	wmic cpu get name
Imagebase:	0x810000
File size:	427'008 bytes
MD5 hash:	E2DE6500DE1148C7F6027AD50AC8B891
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	42
Start time:	11:00:28
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff704000000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	45
Start time:	11:00:30
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit):	true
Commandline:	wmic os get Caption /value
Imagebase:	0x810000
File size:	427'008 bytes
MD5 hash:	E2DE6500DE1148C7F6027AD50AC8B891
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	46
Start time:	11:00:30
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff704000000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	47
Start time:	11:00:31
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\HOSTNAME.EXE
Wow64 process (32bit):	true
Commandline:	hostname
Imagebase:	0xb50000
File size:	11'776 bytes
MD5 hash:	B1C51FED46434CF91E65C7B605F8EF3A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	48
Start time:	11:00:31
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff704000000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	49
Start time:	11:00:32
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\HOSTNAME.EXE
Wow64 process (32bit):	true
Commandline:	hostname
Imagebase:	0xb50000
File size:	11'776 bytes
MD5 hash:	B1C51FED46434CF91E65C7B605F8EF3A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	50
Start time:	11:00:32
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff704000000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	51
Start time:	11:00:32
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit):	true
Commandline:	wmic path win32_VideoController get name
Imagebase:	0x810000
File size:	427'008 bytes
MD5 hash:	E2DE6500DE1148C7F6027AD50AC8B891
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	52
Start time:	11:00:32
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff704000000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	53
Start time:	11:00:33
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit):	true
Commandline:	wmic cpu get name
Imagebase:	0x810000
File size:	427'008 bytes
MD5 hash:	E2DE6500DE1148C7F6027AD50AC8B891
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	54
Start time:	11:00:33
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff704000000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	55
Start time:	11:00:35
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit):	true
Commandline:	wmic os get Caption /value
Imagebase:	0x810000
File size:	427'008 bytes
MD5 hash:	E2DE6500DE1148C7F6027AD50AC8B891
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	56
Start time:	11:00:35
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff704000000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	57
Start time:	11:00:38
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\HOSTNAME.EXE
Wow64 process (32bit):	true
Commandline:	hostname
Imagebase:	0xb50000
File size:	11'776 bytes
MD5 hash:	B1C51FED46434CF91E65C7B605F8EF3A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	58
Start time:	11:00:38
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff704000000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	59
Start time:	11:00:40
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\HOSTNAME.EXE
Wow64 process (32bit):	true
Commandline:	hostname
Imagebase:	0xb50000
File size:	11'776 bytes
MD5 hash:	B1C51FED46434CF91E65C7B605F8EF3A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	60
Start time:	11:00:40
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0xb0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	61
Start time:	11:00:40
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\HOSTNAME.EXE
Wow64 process (32bit):	true
Commandline:	hostname
Imagebase:	0xb50000
File size:	11'776 bytes
MD5 hash:	B1C51FED46434CF91E65C7B605F8EF3A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	62
Start time:	11:00:40
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff704000000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	63
Start time:	11:00:40
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\HOSTNAME.EXE
Wow64 process (32bit):	true
Commandline:	hostname
Imagebase:	0xb50000
File size:	11'776 bytes
MD5 hash:	B1C51FED46434CF91E65C7B605F8EF3A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	64
Start time:	11:00:40
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff704000000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	65
Start time:	11:00:40
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\HOSTNAME.EXE
Wow64 process (32bit):	true
Commandline:	hostname
Imagebase:	0xb50000
File size:	11'776 bytes
MD5 hash:	B1C51FED46434CF91E65C7B605F8EF3A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	66
Start time:	11:00:40
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff704000000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	67
Start time:	11:00:40
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\HOSTNAME.EXE
Wow64 process (32bit):	true
Commandline:	hostname
Imagebase:	0x7ff6d82a0000
File size:	11'776 bytes
MD5 hash:	B1C51FED46434CF91E65C7B605F8EF3A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	68
Start time:	11:00:40
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff704000000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	69
Start time:	11:00:40
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\HOSTNAME.EXE
Wow64 process (32bit):	true
Commandline:	hostname
Imagebase:	0xb50000
File size:	11'776 bytes
MD5 hash:	B1C51FED46434CF91E65C7B605F8EF3A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	70
Start time:	11:00:40
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff704000000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	71
Start time:	11:00:40
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\HOSTNAME.EXE
Wow64 process (32bit):	true
Commandline:	hostname
Imagebase:	0xb50000
File size:	11'776 bytes
MD5 hash:	B1C51FED46434CF91E65C7B605F8EF3A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	72
Start time:	11:00:40
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff704000000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	73
Start time:	11:00:40
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\HOSTNAME.EXE
Wow64 process (32bit):	true
Commandline:	hostname
Imagebase:	0xb50000
File size:	11'776 bytes
MD5 hash:	B1C51FED46434CF91E65C7B605F8EF3A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	74
Start time:	11:00:40
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff704000000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	75
Start time:	11:00:40
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\HOSTNAME.EXE
Wow64 process (32bit):	true
Commandline:	hostname
Imagebase:	0xb50000
File size:	11'776 bytes
MD5 hash:	B1C51FED46434CF91E65C7B605F8EF3A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	76
Start time:	11:00:40
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff704000000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	77
Start time:	11:00:41
Start date:	21/11/2024
Path:	C:\Windows\SysWOW64\HOSTNAME.EXE
Wow64 process (32bit):	true
Commandline:	hostname
Imagebase:	0xb50000
File size:	11'776 bytes
MD5 hash:	B1C51FED46434CF91E65C7B605F8EF3A
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	78
Start time:	11:00:41
Start date:	21/11/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff704000000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Function 16965F74 Relevance: .5, Instructions: 465COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000003.2398119230.000000001695E000.00000004.00000020.00020000.00000000.sdmp, Offset: 1695E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_3_1691e000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bdb7f6f68cc251e6e7a7dbc0ca507d0ba8fb7c57c965ea9937672e56bbe29a23
Instruction ID: a0a1349432aa3b5a8cac4b3f5c881e7fad2275a54d3ad646886c9f949f04340e
Opcode Fuzzy Hash: bdb7f6f68cc251e6e7a7dbc0ca507d0ba8fb7c57c965ea9937672e56bbe29a23
Instruction Fuzzy Hash: 0E02B4729053A69FD715CF28D8C52C9FFF6FE31628729648ED091CA217E321612ACF85

Function 16965C10 Relevance: .2, Instructions: 201COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000003.2398119230.000000001695E000.00000004.00000020.00020000.00000000.sdmp, Offset: 1695E000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_3_1691e000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f2e4b1d3342a36ed9c611ef8c779e6035526307d5137abe2b18ffa86d188a753
Instruction ID: 56140c72e1fe6546e0fc884a5489670e31d961230776026287af52dbbc4707b7
Opcode Fuzzy Hash: f2e4b1d3342a36ed9c611ef8c779e6035526307d5137abe2b18ffa86d188a753
Instruction Fuzzy Hash: 1971D1315052929FD3069F28D8C53C5FFF7FE3A218729759AD4A1CB222F3612029CB84

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse command and script interpreters to execute commands, scripts, or binaries. These interfaces and languages provide ways of interacting with computer systems and are a common feature across many different platforms. Most systems come with some built-in command-line interface and scripting capabilities, for example, macOS and Linux distributions include some flavor of Unix Shell while Windows installations include the Windows Command Shell and PowerShell .
Tactics:	Execution
Data Sources:	Command: Command Execution, Module: Module Load, Process: Process Creation, Process: Process Metadata, Script: Script Execution
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Network, Office 365, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Process: Process Creation, Service: Service Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to dump credentials to obtain account login and credential material, normally in the form of a hash or a clear text password, from the operating system and software. Credentials can then be used to perform Lateral Movement and access restricted information.
Tactics:	Credential Access
Data Sources:	Active Directory: Active Directory Object Access, Command: Command Execution, File: File Access, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow, Process: OS API Execution, Process: Process Access, Process: Process Creation, Windows Registry: Windows Registry Key Access
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may compress and/or encrypt data that is collected prior to exfiltration. Compressing the data can help to obfuscate the collected data and minimize the amount of data sent over the network. Encryption can be used to hide information that is being exfiltrated from detection or make exfiltration less conspicuous upon inspection by a defender.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Creation, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may search local system sources, such as file systems and configuration files or local databases, to find files of interest and sensitive data prior to Exfiltration.
Tactics:	Collection
Data Sources:	Command: Command Execution, File: File Access, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an existing, legitimate external Web service as a means for relaying data to/from a compromised system. Popular websites and social media acting as a mechanism for C2 may give a significant amount of cover due to the likelihood that hosts within a network are already communicating with them prior to a compromise. Using common services, such as those offered by Google or Twitter, makes it easier for adversaries to hide in expected noise. Web service providers commonly use SSL/TLS encryption, giving adversaries an added level of protection.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ a known encryption algorithm to conceal command and control traffic rather than relying on any inherent protections provided by a communication protocol. Despite the use of a secure algorithm, these implementations may be vulnerable to reverse engineering if secret keys are encoded and/or generated within malware samples/configuration files.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report bZPAo2e2Pv.jar

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Memory Dumps

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Persistence and Installation Behavior

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Oracle\Java\.oracle_jre_usage\b5820291038aa69c.timestamp

C:\Users\user\AppData\Local\Microsoft\179605.zip

C:\Users\user\AppData\Local\Microsoft\179605\Browsers\Chrome\Default\cookie.txt (copy)

C:\Users\user\AppData\Local\Microsoft\179605\Game\craftrise.txt

C:\Users\user\AppData\Local\Microsoft\179605\Game\sonoyuncu.txt

C:\Users\user\AppData\Local\Microsoft\179605\screenshot.png

C:\Users\user\AppData\Local\Microsoft\cookies.txt

C:\Users\user\AppData\Local\Temp\edge_tempfile.db

C:\Users\user\AppData\Local\Temp\hsperfdata_user\6880

C:\Users\user\AppData\Local\Temp\jna-92896885\jna3139189163944155017.dll

C:\Users\user\AppData\Local\Temp\sqlite-3.20.1-40faf7a8-eb23-48f9-802d-09995356935d-sqlitejdbc.dll

C:\Users\user\AppData\Local\Temp\tempfile.db

C:\Users\user\AppData\Local\Temp\tempfile1.db

C:\Users\user\AppData\Local\Temp\tempfile2.db

C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\83aa4cc77f591dfc2374580bbd95f6ba_9e146be9-c76a-4720-bcdb-53011b87bd06

Static File Info

General

File Icon

Network Behavior

Windows Analysis Report
bZPAo2e2Pv.jar