Windows Analysis Report
Shipping Bill No6239999Dt09122024.PDF.jar

Overview

General Information

Sample name: Shipping Bill No6239999Dt09122024.PDF.jar
Analysis ID: 1576666
MD5: fb02745de7ec057a90b207602e732be6
SHA1: c1ecc13f6f7b8043918cc17a4fb88fb29c6ba9d0
SHA256: 84481aed848a500ec03fb0e95443a125eac073999aaf8391e221f72f75a33cb0
Tags: evilginx-misecure-com, jar, user-JAMESWT_MHT

Detection

Caesium Obfuscator, STRRAT
Score: 96
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Suricata IDS alerts for network traffic
Yara detected Caesium Obfuscator
Yara detected STRRAT
Creates autostart registry keys to launch java
Exploit detected, runtime environment starts unknown processes
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: Suspicious Startup Folder Persistence
Uses an obfuscated file name to hide its real file extension (double extension)
Uses schtasks.exe or at.exe to add and modify task schedules
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to detect virtual machines (SLDT)
Contains functionality to query CPU information (cpuid)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Launches a Java Jar file from a suspicious file location
May check the online IP address of the machine
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Shell Process Spawned by Java.EXE
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Stores files to the Windows start menu directory
Uses a known web browser user agent for HTTP communication
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)

Classification

  • System is w10x64
  • cmd.exe (PID: 4308 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\Shipping Bill No6239999Dt09122024.PDF.jar"" >> C:\cmdlinestart.log 2>&1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
    • conhost.exe (PID: 5844 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • java.exe (PID: 5356 cmdline: "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\Shipping Bill No6239999Dt09122024.PDF.jar" MD5: 9DAA53BAB2ECB33DC0D9CA51552701FA)
      • icacls.exe (PID: 1480 cmdline: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M MD5: 2E49585E4E08565F52090B144062F97E)
        • conhost.exe (PID: 4724 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 1076 cmdline: cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\user\AppData\Roaming\Shipping Bill No6239999Dt09122024.PDF.jar" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 5656 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • schtasks.exe (PID: 5728 cmdline: schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\user\AppData\Roaming\Shipping Bill No6239999Dt09122024.PDF.jar" MD5: 48C2FE20575769DE916F48EF0676A965)
      • java.exe (PID: 6464 cmdline: "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -jar "C:\Users\user\AppData\Roaming\Shipping Bill No6239999Dt09122024.PDF.jar" MD5: 9DAA53BAB2ECB33DC0D9CA51552701FA)
        • conhost.exe (PID: 6696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • cmd.exe (PID: 6160 cmdline: cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 4796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • WMIC.exe (PID: 6052 cmdline: wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list MD5: E2DE6500DE1148C7F6027AD50AC8B891)
        • cmd.exe (PID: 7056 cmdline: cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 2820 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • WMIC.exe (PID: 4744 cmdline: wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list MD5: E2DE6500DE1148C7F6027AD50AC8B891)
        • cmd.exe (PID: 2452 cmdline: cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 5680 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • WMIC.exe (PID: 3652 cmdline: wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list MD5: E2DE6500DE1148C7F6027AD50AC8B891)
        • cmd.exe (PID: 1276 cmdline: cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
          • conhost.exe (PID: 1352 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
          • WMIC.exe (PID: 4440 cmdline: wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list MD5: E2DE6500DE1148C7F6027AD50AC8B891)
  • javaw.exe (PID: 3376 cmdline: "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\Shipping Bill No6239999Dt09122024.PDF.jar" MD5: 6E0F4F812AE02FBCB744A929E74A04B8)
  • javaw.exe (PID: 2788 cmdline: "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\Shipping Bill No6239999Dt09122024.PDF.jar" MD5: 6E0F4F812AE02FBCB744A929E74A04B8)
  • javaw.exe (PID: 2292 cmdline: "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\Shipping Bill No6239999Dt09122024.PDF.jar" MD5: 6E0F4F812AE02FBCB744A929E74A04B8)
  • javaw.exe (PID: 1524 cmdline: "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Shipping Bill No6239999Dt09122024.PDF.jar" MD5: 6E0F4F812AE02FBCB744A929E74A04B8)
  • cleanup
{"C2 list": "evilginx.misecure.com:1790", "url": "http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5", "Proxy": "evilginx.misecure.com:1790", "lid": "RKA0-KES0-EPPK-UDRO-JNCG", "Startup": "true", "Secondary Startup": "true", "Scheduled Task": "true"}
Source | Rule | Description | Author | Strings
00000018.00000002.3316810938.0000000009E28000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CaesiumObfuscator | Yara detected Caesium Obfuscator | Joe Security |
0000001A.00000002.3316526296.0000000009F68000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_STRRAT | Yara detected STRRAT | Joe Security |
0000001A.00000003.2460344060.0000000000E16000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CaesiumObfuscator | Yara detected Caesium Obfuscator | Joe Security |
0000001A.00000002.3316526296.0000000009F98000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_CaesiumObfuscator | Yara detected Caesium Obfuscator | Joe Security |
00000006.00000003.2107036191.0000000000D69000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_CaesiumObfuscator | Yara detected Caesium Obfuscator | Joe Security |

System Summary

Source: File created | Author: Nasreddine Bencherchali (Nextron Systems) | Data: EventID: 11, Image: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe, ProcessId: 5356, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Shipping Bill No6239999Dt09122024.PDF.jar
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\Shipping Bill No6239999Dt09122024.PDF.jar", EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe, ProcessId: 5356, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Shipping Bill No6239999Dt09122024.PDF
Source: Process started | Author: Andreas Hunkeler (@Karneades), Nasreddine Bencherchali | Data: Command: cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\user\AppData\Roaming\Shipping Bill No6239999Dt09122024.PDF.jar", CommandLine: cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\user\AppData\Roaming\Shipping Bill No6239999Dt09122024.PDF.jar", CommandLine|base64offset|contains: rg, Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\Shipping Bill No6239999Dt09122024.PDF.jar" , ParentImage: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe, ParentProcessId: 5356, ParentProcessName: java.exe, ProcessCommandLine: cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\user\AppData\Roaming\Shipping Bill No6239999Dt09122024.PDF.jar", ProcessId: 1076, ProcessName: cmd.exe
Source: File created | Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research) | Data: EventID: 11, Image: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe, ProcessId: 5356, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Shipping Bill No6239999Dt09122024.PDF.jar
Source: Process started | Author: Florian Roth (Nextron Systems) | Data: Command: schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\user\AppData\Roaming\Shipping Bill No6239999Dt09122024.PDF.jar", CommandLine: schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\user\AppData\Roaming\Shipping Bill No6239999Dt09122024.PDF.jar", CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\user\AppData\Roaming\Shipping Bill No6239999Dt09122024.PDF.jar", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 1076, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\user\AppData\Roaming\Shipping Bill No6239999Dt09122024.PDF.jar", ProcessId: 5728, ProcessName: schtasks.exe
Source: Registry Key set | Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split) | Data: Details: "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\Shipping Bill No6239999Dt09122024.PDF.jar", EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe, ProcessId: 5356, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Shipping Bill No6239999Dt09122024.PDF
Timestamp | SID | Severity | Classtype | Source IP | Source Port | Destination IP | Destination Port | Protocol
2024-12-17T11:43:20.848309+0100 | 2030358 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 194.59.30.164 | 1790 | TCP
2024-12-17T11:43:25.856866+0100 | 2030358 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 194.59.30.164 | 1790 | TCP
2024-12-17T11:43:30.871833+0100 | 2030358 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 194.59.30.164 | 1790 | TCP
2024-12-17T11:43:35.874229+0100 | 2030358 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 194.59.30.164 | 1790 | TCP
2024-12-17T11:43:40.943157+0100 | 2030358 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 194.59.30.164 | 1790 | TCP
2024-12-17T11:43:45.968656+0100 | 2030358 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 194.59.30.164 | 1790 | TCP
2024-12-17T11:43:50.961878+0100 | 2030358 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 194.59.30.164 | 1790 | TCP
2024-12-17T11:43:55.978065+0100 | 2030358 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 194.59.30.164 | 1790 | TCP
2024-12-17T11:44:00.996902+0100 | 2030358 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 194.59.30.164 | 1790 | TCP
2024-12-17T11:44:05.993443+0100 | 2030358 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 194.59.30.164 | 1790 | TCP
2024-12-17T11:44:11.008684+0100 | 2030358 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 194.59.30.164 | 1790 | TCP
2024-12-17T11:44:16.024361+0100 | 2030358 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 194.59.30.164 | 1790 | TCP
2024-12-17T11:44:21.026391+0100 | 2030358 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 194.59.30.164 | 1790 | TCP
2024-12-17T11:44:26.024696+0100 | 2030358 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 194.59.30.164 | 1790 | TCP
2024-12-17T11:44:31.024560+0100 | 2030358 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 194.59.30.164 | 1790 | TCP
2024-12-17T11:44:36.040246+0100 | 2030358 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 194.59.30.164 | 1790 | TCP
2024-12-17T11:44:41.055860+0100 | 2030358 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 194.59.30.164 | 1790 | TCP
2024-12-17T11:44:46.056015+0100 | 2030358 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 194.59.30.164 | 1790 | TCP
2024-12-17T11:44:51.072720+0100 | 2030358 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 194.59.30.164 | 1790 | TCP
2024-12-17T11:44:56.072129+0100 | 2030358 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 194.59.30.164 | 1790 | TCP
2024-12-17T11:45:01.087634+0100 | 2030358 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 194.59.30.164 | 1790 | TCP
2024-12-17T11:45:06.087037+0100 | 2030358 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 194.59.30.164 | 1790 | TCP
2024-12-17T11:45:12.279601+0100 | 2030358 | 1 | Malware Command and Control Activity Detected | 192.168.2.5 | 49704 | 194.59.30.164 | 1790 | TCP

AV Detection

Source: Shipping Bill No6239999Dt09122024.PDF.jar | Malware Configuration Extractor: STRRAT {"C2 list": "evilginx.misecure.com:1790", "url": "http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5", "Proxy": "evilginx.misecure.com:1790", "lid": "RKA0-KES0-EPPK-UDRO-JNCG", "Startup": "true", "Secondary Startup": "true", "Scheduled Task": "true"}
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | File opened: C:\Users\user\AppData\
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | File opened: C:\Users\user\
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | File opened: C:\Users\user\AppData\Roaming\

Software Vulnerabilities

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Process created: C:\Windows\SysWOW64\cmd.exe

Networking

Source: Network traffic | Suricata IDS: 2030358 - Severity 1 - ET MALWARE STRRAT CnC Checkin : 192.168.2.5:49704 -> 194.59.30.164:1790
Source: global traffic | TCP traffic: 192.168.2.5:49704 -> 194.59.30.164:1790
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | ASN Name: COMBAHTONcombahtonGmbHDE
Source: unknown | DNS query: name: ip-api.com
Source: global traffic | HTTP traffic detected:
    GET /json/ HTTP/1.1
    Host: ip-api.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
    Connection: close
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: global traffic | HTTP traffic detected:
    GET /json/ HTTP/1.1
    Host: ip-api.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
    Connection: close
Source: global traffic | DNS traffic detected: DNS query: evilginx.misecure.com
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
            Source: java.exe, 00000002.00000002.2109601926.00000000099F8000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000006.00000002.3317092176.0000000009B68000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000016.00000002.3316729535.0000000009D68000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000018.00000002.3316810938.0000000009D68000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://bugreport.sun.com/bugreport/
            Source: java.exe, 00000002.00000002.2107516507.0000000004928000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2109601926.0000000009B65000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000006.00000002.3317092176.0000000009BF8000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000006.00000002.3317092176.0000000009B97000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000016.00000002.3316729535.0000000009D97000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000016.00000002.3316729535.0000000009DF8000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000018.00000002.3316810938.0000000009D97000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000018.00000002.3316810938.0000000009DF8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
            Source: java.exe, 00000002.00000002.2110910175.0000000014CD0000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2109601926.0000000009B65000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2109601926.0000000009AD3000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000006.00000003.2766640386.0000000015252000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000006.00000002.3317092176.0000000009B97000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000006.00000003.2766485727.0000000015249000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000006.00000003.2160151754.0000000015249000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000006.00000002.3321481564.0000000015259000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000016.00000003.2269020741.00000000153B2000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000016.00000002.3316729535.0000000009D97000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000016.00000002.3321773874.00000000153B9000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000018.00000002.3322797011.0000000015387000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000018.00000002.3316810938.0000000009D97000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000018.00000003.2351042944.0000000015380000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000019.00000003.2431464865.0000000015286000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
            Source: java.exe, 00000002.00000002.2107516507.0000000004928000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crtk
            Source: java.exe, 00000002.00000002.2109601926.0000000009AD3000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000006.00000002.3317092176.0000000009BF8000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000006.00000002.3317092176.0000000009B97000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000016.00000002.3316729535.0000000009D97000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000016.00000002.3316729535.0000000009DF8000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000018.00000002.3316810938.0000000009D97000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000018.00000002.3316810938.0000000009DF8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt
            Source: java.exe, 00000002.00000002.2109601926.0000000009AD3000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000006.00000002.3317092176.0000000009B68000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000016.00000002.3316729535.0000000009D68000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000018.00000002.3316810938.0000000009D68000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
            Source: java.exe, 00000002.00000002.2109601926.0000000009B65000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt1HHf
            Source: java.exe, 00000002.00000002.2107516507.0000000004928000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2109601926.0000000009B65000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000006.00000002.3317092176.0000000009BF8000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000006.00000002.3317092176.0000000009B97000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000016.00000002.3316729535.0000000009D97000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000016.00000002.3316729535.0000000009DF8000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000018.00000002.3316810938.0000000009D97000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000018.00000002.3316810938.0000000009DF8000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
            Source: java.exe, 00000002.00000002.2109601926.0000000009B65000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2109601926.0000000009AD3000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000006.00000002.3317092176.0000000009B97000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000016.00000002.3316729535.0000000009D97000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000018.00000002.3316810938.0000000009D97000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
            Source: java.exe, 00000002.00000002.2107516507.0000000004928000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crtk
            Source: java.exe, 00000002.00000002.2107516507.0000000004928000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2109601926.0000000009B65000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000006.00000002.3317092176.0000000009C01000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000006.00000002.3317092176.0000000009B97000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000016.00000002.3316729535.0000000009E01000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000016.00000002.3316729535.0000000009D97000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000018.00000002.3316810938.0000000009E01000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000018.00000002.3316810938.0000000009D97000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000019.00000002.3317184580.0000000009E01000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
            Source: java.exe, 00000002.00000002.2110910175.0000000014CD0000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2109601926.0000000009B65000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2109601926.0000000009AD3000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000006.00000003.2766640386.0000000015252000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000006.00000002.3317092176.0000000009B97000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000006.00000003.2766485727.0000000015249000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000006.00000003.2160151754.0000000015249000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000006.00000002.3321481564.0000000015259000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000016.00000003.2269020741.00000000153B2000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000016.00000002.3316729535.0000000009D97000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000016.00000002.3321773874.00000000153B9000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000018.00000002.3322797011.0000000015387000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000018.00000002.3316810938.0000000009D97000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000018.00000003.2351042944.0000000015380000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000019.00000003.2431464865.0000000015286000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
            Source: java.exe, 00000002.00000002.2107516507.0000000004928000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crlK
            Source: java.exe, 00000002.00000002.2109601926.0000000009AD3000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000006.00000002.3317092176.0000000009C01000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000006.00000002.3317092176.0000000009B97000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000016.00000002.3316729535.0000000009E01000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000016.00000002.3316729535.0000000009D97000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000018.00000002.3316810938.0000000009E01000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000018.00000002.3316810938.0000000009D97000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000019.00000002.3317184580.0000000009E01000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl
            Source: java.exe, 00000002.00000002.2109601926.0000000009AD3000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000006.00000002.3317092176.0000000009B97000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000006.00000002.3317092176.0000000009B68000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000016.00000002.3316729535.0000000009D68000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000016.00000002.3316729535.0000000009D97000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000018.00000002.3316810938.0000000009D68000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000018.00000002.3316810938.0000000009D97000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
            Source: java.exe, 00000002.00000002.2109601926.0000000009B65000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000006.00000002.3317092176.0000000009B97000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000006.00000002.3317092176.0000000009C08000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000016.00000002.3316729535.0000000009D97000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000016.00000002.3316729535.0000000009E08000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000018.00000002.3316810938.0000000009E08000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000018.00000002.3316810938.0000000009D97000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl
            Source: java.exe, 00000002.00000002.2110910175.0000000014CD0000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2109601926.0000000009B65000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2109601926.0000000009AD3000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000006.00000003.2766640386.0000000015252000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000006.00000002.3317092176.0000000009B97000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000006.00000003.2766485727.0000000015249000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000006.00000003.2160151754.0000000015249000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000006.00000002.3321481564.0000000015259000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000016.00000003.2269020741.00000000153B2000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000016.00000002.3316729535.0000000009D97000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000016.00000002.3321773874.00000000153B9000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000018.00000002.3322797011.0000000015387000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000018.00000002.3316810938.0000000009D97000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000018.00000003.2351042944.0000000015380000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000019.00000003.2431464865.0000000015286000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
            Source: java.exe, 00000002.00000002.2109601926.0000000009A10000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000006.00000002.3317092176.0000000009B97000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000016.00000002.3316729535.0000000009D97000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000018.00000002.3316810938.0000000009D97000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://java.oracle.com/
            Source: java.exe, 00000002.00000002.2107516507.0000000004413000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2107516507.00000000045AF000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://jbfrost.live/strigoi/server/?hwid=1&
            Source: javaw.exe, 00000019.00000002.3314287633.0000000004BB0000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5
            Source: java.exe, 00000006.00000002.3314261810.000000000465B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5C
            Source: java.exe, 00000006.00000002.3314261810.0000000004ACB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5s
            Source: java.exe, 00000002.00000002.2110910175.0000000014CD0000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2109601926.0000000009C21000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2111163249.00000000151D6000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000006.00000002.3317092176.0000000009D0D000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000006.00000002.3321212268.0000000015230000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000016.00000002.3320453024.0000000014F3D000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000016.00000002.3314011792.0000000004C47000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000018.00000003.2351484825.00000000153C7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000018.00000002.3314075872.0000000004C46000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000018.00000002.3322952102.00000000153CF000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000018.00000003.2351042944.0000000015397000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000018.00000003.2351209978.00000000153C0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://null.oracle.com/
            Source: java.exe, 00000002.00000002.2107516507.0000000004928000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2109601926.0000000009B65000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000006.00000002.3317092176.0000000009BF8000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000016.00000002.3316729535.0000000009DF8000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000018.00000002.3316810938.0000000009DF8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com
            Source: java.exe, 00000002.00000002.2107516507.0000000004928000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2109601926.0000000009B65000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2109601926.0000000009AD3000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000006.00000002.3317092176.0000000009B97000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000016.00000002.3316729535.0000000009D97000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000018.00000002.3316810938.0000000009D97000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
            Source: java.exe, 00000002.00000002.2110910175.0000000014CD0000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2107516507.0000000004928000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2109601926.0000000009B65000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2109601926.0000000009AD3000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000006.00000003.2766640386.0000000015252000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000006.00000002.3317092176.0000000009B97000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000006.00000003.2766485727.0000000015249000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000006.00000003.2160151754.0000000015249000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000006.00000002.3321481564.0000000015259000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000016.00000003.2269020741.00000000153B2000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000016.00000002.3316729535.0000000009D97000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000016.00000002.3321773874.00000000153B9000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000018.00000002.3322797011.0000000015387000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000018.00000002.3316810938.0000000009D97000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000018.00000003.2351042944.0000000015380000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000019.00000003.2431464865.0000000015286000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
            Source: java.exe, 00000002.00000002.2109601926.0000000009B65000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2109601926.0000000009AD3000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000006.00000002.3317092176.0000000009B97000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000006.00000002.3317092176.0000000009B68000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000016.00000002.3316729535.0000000009D68000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000016.00000002.3316729535.0000000009D97000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000018.00000002.3316810938.0000000009D68000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000018.00000002.3316810938.0000000009D97000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
            Source: java.exe, 00000002.00000002.2107516507.0000000004928000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com;
            Source: java.exe, 00000002.00000002.2107516507.0000000004928000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comS
            Source: classification engine Classification label: mal96.troj.expl.evad.winJAR@39/11@4/2
            Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe File created: C:\Users\user\1790lock.file
            Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Mutant created: NULL
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4724:120:WilError_03
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5656:120:WilError_03
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2820:120:WilError_03
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4796:120:WilError_03
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1352:120:WilError_03
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5680:120:WilError_03
            Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5844:120:WilError_03
            Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe File created: C:\Users\user\AppData\Local\Temp\hsperfdata_user
            Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\Shipping Bill No6239999Dt09122024.PDF.jar"" >> C:\cmdlinestart.log 2>&1
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\Shipping Bill No6239999Dt09122024.PDF.jar"
            Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
            Source: C:\Windows\SysWOW64\icacls.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\user\AppData\Roaming\Shipping Bill No6239999Dt09122024.PDF.jar"
            Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -jar "C:\Users\user\AppData\Roaming\Shipping Bill No6239999Dt09122024.PDF.jar"
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\user\AppData\Roaming\Shipping Bill No6239999Dt09122024.PDF.jar"
            Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
            Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
            Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
            Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list"
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list
            Source: unknown Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\Shipping Bill No6239999Dt09122024.PDF.jar"
            Source: unknown Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\Shipping Bill No6239999Dt09122024.PDF.jar"
            Source: unknown Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\Shipping Bill No6239999Dt09122024.PDF.jar"
            Source: unknown Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Shipping Bill No6239999Dt09122024.PDF.jar"
            Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
            Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: apphelp.dll
            Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: wsock32.dll
            Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: winmm.dll
            Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: version.dll
            Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: kernel.appcore.dll
            Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: windows.storage.dll
            Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: wldp.dll
            Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: profapi.dll
            Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: dhcpcsvc6.dll
            Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: dhcpcsvc.dll
            Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: dnsapi.dll
            Source: C:\Windows\SysWOW64\icacls.exe Section loaded: ntmarta.dll
            Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: apphelp.dll
            Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: wsock32.dll
            Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: winmm.dll
            Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: version.dll
            Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: kernel.appcore.dll
            Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: windows.storage.dll
            Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: wldp.dll
            Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: profapi.dll
            Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: dhcpcsvc6.dll
            Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: dhcpcsvc.dll
            Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: dnsapi.dll
            Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: rasadhlp.dll
            Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: fwpuclnt.dll
            Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
            Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
            Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iphlpapi.dll
            Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: framedynos.dll
            Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: sspicli.dll
            Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: kernel.appcore.dll
            Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: wbemcomn.dll
            Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: msxml6.dll
            Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: urlmon.dll
            Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iertutil.dll
            Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: srvcli.dll
            Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: netutils.dll
            Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: uxtheme.dll
            Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: vcruntime140.dll
            Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: amsi.dll
            Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: userenv.dll
            Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: profapi.dll
            Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: version.dll
            Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: wsock32.dll
            Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: winmm.dll
            Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: version.dll
            Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: kernel.appcore.dll
            Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: windows.storage.dll
            Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: wldp.dll
            Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: profapi.dll
            Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: mswsock.dll
            Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: iphlpapi.dll
            Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dhcpcsvc6.dll
            Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dhcpcsvc.dll
            Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dnsapi.dll
            Source: C:\Windows\SysWOW64\wbem\WMIC.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

            Data Obfuscation

Source: Yara match | File source: 00000018.00000002.3316810938.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000003.2460344060.0000000000E16000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.3316526296.0000000009F98000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000003.2107036191.0000000000D69000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3317092176.0000000009B97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.3317184580.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.3316729535.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000003.2216760867.0000000000CD5000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000003.2082253258.00000000008BA000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.3316729535.0000000009D97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.2109601926.0000000009950000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 0000001A.00000002.3316526296.000000000A029000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3317092176.0000000009C28000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.3316810938.0000000009D97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.3317184580.0000000009D97000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: java.exe PID: 5356, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: java.exe PID: 6464, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: javaw.exe PID: 3376, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: javaw.exe PID: 2788, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: javaw.exe PID: 2292, type: MEMORYSTR
Source: Java tracing | Executes: java.lang.ProcessBuilder(java.lang.String[]) on "c:\program files (x86)\java\jre-1.8\bin\java.exe" -jar "c:\users\user\appdata\roaming\shipping bill no6239999dt09122024.pdf.jar"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Code function: 2_2_0228C6CD push ecx; retn 0022h 2_2_0228C782
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Code function: 2_2_0228C413 push es; iretd 2_2_0228C41A
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Code function: 2_2_0228FC91 push cs; retf 2_2_0228FCB1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Code function: 2_2_021ED8F7 push 00000000h; mov dword ptr [esp], esp 2_2_021ED921
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Code function: 2_2_021EA21B push ecx; ret 2_2_021EA225
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Code function: 2_2_021EA20A push ecx; ret 2_2_021EA21A
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Code function: 2_2_021EBB67 push 00000000h; mov dword ptr [esp], esp 2_2_021EBB8D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Code function: 2_2_021EB3B7 push 00000000h; mov dword ptr [esp], esp 2_2_021EB3DD
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Code function: 2_2_021ED8D1 push 00000000h; mov dword ptr [esp], esp 2_2_021ED921
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Code function: 2_2_021EB947 push 00000000h; mov dword ptr [esp], esp 2_2_021EB96D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Code function: 2_2_021EC477 push 00000000h; mov dword ptr [esp], esp 2_2_021EC49D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Code function: 6_2_025FA21B push ecx; ret 6_2_025FA225
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Code function: 6_2_025FA20A push ecx; ret 6_2_025FA21A
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Code function: 6_2_025FBB67 push 00000000h; mov dword ptr [esp], esp 6_2_025FBB8D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Code function: 6_2_025FB3B7 push 00000000h; mov dword ptr [esp], esp 6_2_025FB3DD
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Code function: 6_2_025FB947 push 00000000h; mov dword ptr [esp], esp 6_2_025FB96D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Code function: 6_2_025FC477 push 00000000h; mov dword ptr [esp], esp 6_2_025FC49D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Code function: 6_2_02698A11 push cs; retf 6_2_02698A31
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Code function: 6_2_026A10A3 push edi; retf 6_2_026A10A6
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Code function: 6_2_0269ED98 push cs; ret 6_2_0269EDE1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Code function: 22_2_0273A21B push ecx; ret 22_2_0273A225
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Code function: 22_2_0273A20A push ecx; ret 22_2_0273A21A
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Code function: 22_2_0273BB67 push 00000000h; mov dword ptr [esp], esp 22_2_0273BB8D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Code function: 22_2_0273B3B7 push 00000000h; mov dword ptr [esp], esp 22_2_0273B3DD
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Code function: 22_2_0273B947 push 00000000h; mov dword ptr [esp], esp 22_2_0273B96D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Code function: 22_2_0273C477 push 00000000h; mov dword ptr [esp], esp 22_2_0273C49D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Code function: 24_2_0269A20A push ecx; ret 24_2_0269A21A
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Code function: 24_2_0269A21B push ecx; ret 24_2_0269A225
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Code function: 24_2_0269BB67 push 00000000h; mov dword ptr [esp], esp 24_2_0269BB8D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Code function: 24_2_0269B3B7 push 00000000h; mov dword ptr [esp], esp 24_2_0269B3DD
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Code function: 24_2_0269B947 push 00000000h; mov dword ptr [esp], esp 24_2_0269B96D

            Boot Survival

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Shipping Bill No6239999Dt09122024.PDF "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\Shipping Bill No6239999Dt09122024.PDF.jar"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\user\AppData\Roaming\Shipping Bill No6239999Dt09122024.PDF.jar"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Shipping Bill No6239999Dt09122024.PDF.jar
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Shipping Bill No6239999Dt09122024.PDF.jar
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\Shipping Bill No6239999Dt09122024.PDF.jar
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Shipping Bill No6239999Dt09122024.PDF
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Shipping Bill No6239999Dt09122024.PDF
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Shipping Bill No6239999Dt09122024.PDF
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run Shipping Bill No6239999Dt09122024.PDF

            Hooking and other Techniques for Hiding and Protection

Source: Possible double extension: pdf.jar | Static PE information: Shipping Bill No6239999Dt09122024.PDF.jar
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Process information set: NOOPENFILEERRORBOX

            Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT VolumeSerialNumber FROM win32_logicaldisk
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Code function: 2_2_0228DEE9 sldt word ptr [eax] 2_2_0228DEE9
Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\conhost.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : Win32_BIOS
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | File opened: C:\Users\user\AppData\
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | File opened: C:\Users\user\
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | File opened: C:\Users\user\AppData\Roaming\
Source: javaw.exe, 00000018.00000003.2299035807.0000000014C6B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: javaw.exe, 00000018.00000003.2299035807.0000000014C6B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: &com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: java.exe, 00000002.00000002.2106667554.00000000008AB000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000006.00000002.3312593529.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000016.00000002.3312002208.0000000000CC8000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000018.00000002.3312082327.0000000000C28000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [Ljava/lang/VirtualMachineError;
Source: javaw.exe, 00000018.00000003.2299035807.0000000014C6B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: org/omg/CORBA/OMGVMCID.classPK
Source: java.exe, 00000002.00000002.2106667554.00000000008AB000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000006.00000002.3312593529.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000016.00000002.3312002208.0000000000CC8000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000018.00000002.3312082327.0000000000C28000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: cjava/lang/VirtualMachineError
Source: java.exe, 00000002.00000003.2083336278.0000000014863000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000006.00000003.2107588526.0000000014B57000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000016.00000003.2217315719.0000000014CF6000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000018.00000003.2299035807.0000000014C6B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: java/lang/VirtualMachineError.classPK
Source: java.exe, 00000002.00000002.2106667554.00000000008AB000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000006.00000002.3312593529.0000000000D5B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000016.00000002.3312002208.0000000000CC8000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000018.00000002.3312082327.0000000000C28000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Memory protected: page read and write | page guard
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\Shipping Bill No6239999Dt09122024.PDF.jar"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\user\AppData\Roaming\Shipping Bill No6239999Dt09122024.PDF.jar"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Process created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -jar "C:\Users\user\AppData\Roaming\Shipping Bill No6239999Dt09122024.PDF.jar"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\user\AppData\Roaming\Shipping Bill No6239999Dt09122024.PDF.jar"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list"
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Code function: 2_2_021E03C0 cpuid 2_2_021E03C0
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\5356 VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\rt.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jsse.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jce.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\charsets.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jfr.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\jartracer.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Queries volume information: C:\Users\user\1790lock.file VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\6464 VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\rt.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jsse.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jce.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\meta-index VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Queries volume information: C:\Users\user\1790lock.file VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\3376 VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\rt.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jsse.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jce.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jfr.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\meta-index VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Queries volume information: C:\Users\user\1790lock.file VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\2788 VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\rt.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jsse.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\meta-index VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Queries volume information: C:\Users\user\1790lock.file VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\2292 VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\rt.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jsse.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jce.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\charsets.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jfr.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\meta-index VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Queries volume information: C:\Users\user\1790lock.file VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\1524 VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\rt.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jsse.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\charsets.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jfr.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\meta-index VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe | Queries volume information: C:\Users\user\1790lock.file VolumeInformation
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - root\securitycenter2 : SELECT displayName FROM antivirusproduct

            Stealing of Sensitive Information

Source: Yara match | File source: 0000001A.00000002.3316526296.0000000009F68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.3316810938.0000000009D68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.3316729535.0000000009D68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3317092176.0000000009B68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.3317184580.0000000009D68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: java.exe PID: 5356, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: java.exe PID: 6464, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: javaw.exe PID: 3376, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: javaw.exe PID: 2788, type: MEMORYSTR

            Remote Access Functionality

Source: Yara match | File source: 0000001A.00000002.3316526296.0000000009F68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.3316810938.0000000009D68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000016.00000002.3316729535.0000000009D68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000006.00000002.3317092176.0000000009B68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: 00000019.00000002.3317184580.0000000009D68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: java.exe PID: 5356, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: java.exe PID: 6464, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: javaw.exe PID: 3376, type: MEMORYSTR
Source: Yara match | File source: Process Memory Space: javaw.exe PID: 2788, type: MEMORYSTR
Reconnaissance | Resource Development | Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Command and Control | Exfiltration | Impact
Gather Victim Identity Information | Acquire Infrastructure | Valid Accounts | 12 Windows Management Instrumentation | 1 Scheduled Task/Job | 11 Process Injection | 11 Masquerading | OS Credential Dumping | 111 Security Software Discovery | Remote Services | Data from Local System | 1 Non-Standard Port | Exfiltration Over Other Network Medium | Abuse Accessibility Features
Credentials | Domains | Default Accounts | 1 Scheduled Task/Job | 121 Registry Run Keys / Startup Folder | 1 Scheduled Task/Job | 1 Virtualization/Sandbox Evasion | LSASS Memory | 1 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | 1 Ingress Tool Transfer | Exfiltration Over Bluetooth | Network Denial of Service
Email Addresses | DNS Server | Domain Accounts | 1 Exploitation for Client Execution | 1 Services File Permissions Weakness | 121 Registry Run Keys / Startup Folder | 1 Disable or Modify Tools | Security Account Manager | 1 Process Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | 2 Non-Application Layer Protocol | Automated Exfiltration | Data Encrypted for Impact
Employee Names | Virtual Private Server | Local Accounts | Cron | 1 DLL Side-Loading | 1 Services File Permissions Weakness | 11 Process Injection | NTDS | 1 System Network Configuration Discovery | Distributed Component Object Model | Input Capture | 12 Application Layer Protocol | Traffic Duplication | Data Destruction
Gather Victim Network Information | Server | Cloud Accounts | Launchd | Network Logon Script | 1 DLL Side-Loading | 11 Obfuscated Files or Information | LSA Secrets | 1 File and Directory Discovery | SSH | Keylogging | Fallback Channels | Scheduled Transfer | Data Encrypted for Impact
            Domain PropertiesBotnetReplication Through Removable MediaScheduled TaskRC ScriptsRC Scripts1
            Services File Permissions Weakness
            Cached Domain Credentials31
            System Information Discovery
            VNCGUI Input CaptureMultiband CommunicationData Transfer Size LimitsService Stop
            DNSWeb ServicesExternal Remote ServicesSystemd TimersStartup ItemsStartup Items1
            DLL Side-Loading
            DCSyncRemote System DiscoveryWindows Remote ManagementWeb Portal CaptureCommonly Used PortExfiltration Over C2 ChannelInhibit System Recovery
Behavior graph (ID 1576666; sample: Shipping Bill No6239999Dt09...; start date: 17/12/2024; architecture: WINDOWS; score: 96), flattened into a process tree:

Contacted hosts: evilginx.misecure.com; ip-api.com; bg.microsoft.map.fastly.net
Top-level signatures: Suricata IDS alerts for network traffic; Found malware configuration; Yara detected Caesium Obfuscator; 4 other signatures

cmd.exe
  signature: Uses schtasks.exe or at.exe to add and modify task schedules
  -> java.exe
       dropped: Shipping Bill No62...9Dt09122024.PDF.jar, Zip (three copies)
       signature: Creates autostart registry keys to launch java
       -> java.exe
            network: evilginx.misecure.com 194.59.30.164, port 1790 (local port 49704), COMBAHTON combahton GmbH, DE Germany
            network: ip-api.com 208.95.112.1, port 80 (local port 49705), TUT-AS, US United States
            -> cmd.exe -> WMIC.exe (signature: Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)); conhost.exe
            -> cmd.exe -> WMIC.exe; conhost.exe
            -> cmd.exe -> WMIC.exe; conhost.exe
            -> 2 other processes -> WMIC.exe; conhost.exe
       -> cmd.exe -> conhost.exe; schtasks.exe
       -> icacls.exe -> conhost.exe
  -> conhost.exe
javaw.exe (started at top level)
javaw.exe (started at top level)
2 other processes (started at top level)

Antivirus detection (source / detection / scanner / label):
Shipping Bill No6239999Dt09122024.PDF.jar: 8%, ReversingLabs, ByteCode-JAVA.Spyware.Generic
Three further scan tables (dropped files, unpacked PE files, domains): No Antivirus matches

URL detection (source / detection / scanner / label):
http://null.oracle.com/: 0%, Avira URL Cloud, safe
Domains (name / IP / active / malicious / reputation):
bg.microsoft.map.fastly.net  199.232.214.172  active: true  malicious: false  reputation: high
ip-api.com  208.95.112.1  active: true  malicious: false  reputation: high
evilginx.misecure.com  194.59.30.164  active: true  malicious: true  reputation: unknown
URLs from DNS/IP info (name / malicious / reputation):
http://ip-api.com/json/  malicious: false  reputation: high

URLs from memory strings (name / source / malicious / antivirus detection / reputation):
http://java.oracle.com/  sources: java.exe, 00000002.00000002.2109601926.0000000009A10000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000006.00000002.3317092176.0000000009B97000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000016.00000002.3316729535.0000000009D97000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000018.00000002.3316810938.0000000009D97000.00000004.00000800.00020000.00000000.sdmp  malicious: false  reputation: high
http://null.oracle.com/  sources: java.exe, 00000002.00000002.2110910175.0000000014CD0000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2109601926.0000000009C21000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2111163249.00000000151D6000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000006.00000002.3317092176.0000000009D0D000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000006.00000002.3321212268.0000000015230000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000016.00000002.3320453024.0000000014F3D000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000016.00000002.3314011792.0000000004C47000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000018.00000003.2351484825.00000000153C7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000018.00000002.3314075872.0000000004C46000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000018.00000002.3322952102.00000000153CF000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000018.00000003.2351042944.0000000015397000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000018.00000003.2351209978.00000000153C0000.00000004.00000020.00020000.00000000.sdmp  malicious: false  antivirus detection: Avira URL Cloud: safe  reputation: unknown
http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5  source: javaw.exe, 00000019.00000002.3314287633.0000000004BB0000.00000004.00000800.00020000.00000000.sdmp  malicious: false  reputation: high
http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5C  source: java.exe, 00000006.00000002.3314261810.000000000465B000.00000004.00000800.00020000.00000000.sdmp  malicious: false  reputation: high
http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5s  source: java.exe, 00000006.00000002.3314261810.0000000004ACB000.00000004.00000800.00020000.00000000.sdmp  malicious: false  reputation: high
http://bugreport.sun.com/bugreport/  sources: java.exe, 00000002.00000002.2109601926.00000000099F8000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000006.00000002.3317092176.0000000009B68000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000016.00000002.3316729535.0000000009D68000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000018.00000002.3316810938.0000000009D68000.00000004.00000800.00020000.00000000.sdmp  malicious: false  reputation: high
http://jbfrost.live/strigoi/server/?hwid=1&  sources: java.exe, 00000002.00000002.2107516507.0000000004413000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2107516507.00000000045AF000.00000004.00000800.00020000.00000000.sdmp  malicious: false  reputation: high
IPs (IP / domain / country / ASN / ASN name / malicious):
194.59.30.164  evilginx.misecure.com  Germany  AS30823  COMBAHTON combahton GmbH, DE  malicious: true
208.95.112.1  ip-api.com  United States  AS53334  TUT-AS, US  malicious: false
                                Joe Sandbox version:41.0.0 Charoite
                                Analysis ID:1576666
                                Start date and time:2024-12-17 11:42:11 +01:00
                                Joe Sandbox product:CloudBasic
                                Overall analysis duration:0h 7m 33s
                                Hypervisor based Inspection enabled:false
                                Report type:full
                                Cookbook file name:defaultwindowsfilecookbook.jbs
                                Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of new started processes analysed:28
                                Number of new started drivers analysed:0
                                Number of existing processes analysed:0
                                Number of existing drivers analysed:0
                                Number of injected processes analysed:0
                                Technologies:
                                • HCA enabled
                                • EGA enabled
                                • GSI enabled (Java)
                                • AMSI enabled
                                Analysis Mode:default
                                Analysis stop reason:Timeout
                                Sample name:Shipping Bill No6239999Dt09122024.PDF.jar
                                Detection:MAL
                                Classification:mal96.troj.expl.evad.winJAR@39/11@4/2
                                EGA Information:
                                • Successful, ratio: 16.7%
                                HCA Information:
                                • Successful, ratio: 90%
                                • Number of executed functions: 68
                                • Number of non-executed functions: 2
                                Cookbook Comments:
                                • Found application associated with file extension: .jar
                                • Exclude process from analysis (whitelisted): WMIADAP.exe, SIHClient.exe
                                • Excluded IPs from analysis (whitelisted): 20.109.210.53, 13.95.31.18, 13.107.246.63
                                • Excluded domains from analysis (whitelisted): fe3.delivery.mp.microsoft.com, ocsp.digicert.com, otelrules.azureedge.net, slscr.update.microsoft.com, ctldl.windowsupdate.com.delivery.microsoft.com, glb.cws.prod.dcat.dsp.trafficmanager.net, sls.update.microsoft.com, ctldl.windowsupdate.com, wu-b-net.trafficmanager.net, glb.sls.prod.dcat.dsp.trafficmanager.net, fe3cr.delivery.mp.microsoft.com
                                • Execution Graph export aborted for target java.exe, PID 6464 because it is empty
                                • Execution Graph export aborted for target javaw.exe, PID 1524 because it is empty
                                • Execution Graph export aborted for target javaw.exe, PID 2292 because it is empty
                                • Execution Graph export aborted for target javaw.exe, PID 2788 because it is empty
                                • Execution Graph export aborted for target javaw.exe, PID 3376 because it is empty
• Not all processes were analyzed; the report is missing behavior information
                                • Report size exceeded maximum capacity and may have missing behavior information.
                                • Report size getting too big, too many NtSetInformationFile calls found.
                                • VT rate limit hit for: Shipping Bill No6239999Dt09122024.PDF.jar
Timeline (time / type / description):
05:43:13  API Interceptor  4x Sleep call for process: WMIC.exe modified
11:43:09  Task Scheduler  Run new task: Skype, path: C:\Users\user\AppData\Roaming\Shipping Bill No6239999Dt09122024.PDF.jar
11:43:11  Autostart  Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run, value "Shipping Bill No6239999Dt09122024.PDF" = "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\Shipping Bill No6239999Dt09122024.PDF.jar"
11:43:19  Autostart  Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run, value "Shipping Bill No6239999Dt09122024.PDF" = "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\Shipping Bill No6239999Dt09122024.PDF.jar"
11:43:27  Autostart  Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run, value "Shipping Bill No6239999Dt09122024.PDF" = "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\Shipping Bill No6239999Dt09122024.PDF.jar"
11:43:35  Autostart  Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Shipping Bill No6239999Dt09122024.PDF.jar
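The timeline above and the behavior graph earlier on this page describe the same three things a defender would alert on: a double-extension lure launched through the JRE, Run-key and Startup-folder persistence pointing at a .jar under AppData\Roaming, and java.exe fathering cmd.exe children that run schtasks and WMIC while talking to a non-standard port. The block below is an added example written for this page, not code from Joe Sandbox or from the sample, showing that detection logic run over constructed Sysmon-style events (EventID 1 process create, 3 network connect, 11 file create, 13 registry value set). The event records, process IDs, and the schtasks/WMIC command lines are made up to mirror the report; the Run-key value and paths are the ones the timeline shows.

```python
"""Detection rules for the persistence and process-tree behaviour in the report,
run over constructed Sysmon-style events.  Added example; not sandbox code."""
import re

JAVA = {"java.exe", "javaw.exe"}
# Lure pattern from the report: a document extension immediately before .jar
DOUBLE_EXT = re.compile(r'\.(pdf|docx?|xlsx?|txt)\.jar"?$', re.IGNORECASE)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
USER_WRITABLE = re.compile(r"\\(AppData|Users\\[^\\]+\\(Desktop|Downloads|Documents))\\", re.IGNORECASE)

JRE = r"C:\Program Files (x86)\Java\jre-1.8\bin"
JAR = r"C:\Users\user\AppData\Roaming\Shipping Bill No6239999Dt09122024.PDF.jar"
RUN_VALUE = f'"{JRE}\\javaw.exe" -jar "{JAR}"'
CMD = r"C:\Windows\System32\cmd.exe"

# Constructed events; pids follow the behavior graph's node numbers.  The
# schtasks and wmic command lines are assumed, the report only names the tools.
SAMPLE_EVENTS = [
    {"EventID": 1, "ProcessId": 19, "ParentProcessId": 10, "Image": JRE + r"\java.exe",
     "CommandLine": f'java.exe -jar "{JAR}"'},
    {"EventID": 13, "ProcessId": 19, "Details": RUN_VALUE,
     "TargetObject": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Shipping Bill No6239999Dt09122024.PDF"},
    {"EventID": 11, "ProcessId": 19,
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Shipping Bill No6239999Dt09122024.PDF.jar"},
    {"EventID": 1, "ProcessId": 25, "ParentProcessId": 19, "Image": JRE + r"\java.exe",
     "CommandLine": f'java.exe -jar "{JAR}"'},
    {"EventID": 1, "ProcessId": 28, "ParentProcessId": 19, "Image": CMD,
     "CommandLine": f'cmd.exe /c schtasks /create /tn Skype /tr "{JAR}"'},
    {"EventID": 1, "ProcessId": 40, "ParentProcessId": 28, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": f'schtasks /create /tn Skype /tr "{JAR}"'},
    {"EventID": 1, "ProcessId": 32, "ParentProcessId": 25, "Image": CMD,
     "CommandLine": "cmd.exe /c wmic logicaldisk get caption"},
    {"EventID": 1, "ProcessId": 46, "ParentProcessId": 32, "Image": r"C:\Windows\System32\wbem\WMIC.exe",
     "CommandLine": "WMIC.exe logicaldisk get caption"},
    {"EventID": 3, "ProcessId": 25, "Image": JRE + r"\java.exe", "DestinationIp": "194.59.30.164",
     "DestinationPort": 1790, "DestinationHostname": "evilginx.misecure.com"},
    {"EventID": 3, "ProcessId": 25, "Image": JRE + r"\java.exe", "DestinationIp": "208.95.112.1",
     "DestinationPort": 80, "DestinationHostname": "ip-api.com"},
    # Benign control: a desktop tool launched from Program Files, HTTPS only.
    {"EventID": 1, "ProcessId": 99, "ParentProcessId": 5, "Image": JRE + r"\javaw.exe",
     "CommandLine": r'javaw.exe -jar "C:\Program Files\Tool\tool.jar"'},
    {"EventID": 3, "ProcessId": 99, "Image": JRE + r"\javaw.exe", "DestinationIp": "203.0.113.10",
     "DestinationPort": 443, "DestinationHostname": "updates.example.net"},
]


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def detect(events):
    """Return one alert dict per matched rule.  Lineage is rebuilt from the
    EventID 1 records so WMIC/schtasks can be tied back to a java ancestor."""
    parent = {e["ProcessId"]: e["ParentProcessId"] for e in events if e["EventID"] == 1}
    image = {e["ProcessId"]: _base(e["Image"]) for e in events if e["EventID"] == 1}

    def ancestors(pid, limit=16):
        chain = []
        while pid in parent and len(chain) < limit:
            pid = parent[pid]
            chain.append(image.get(pid, "<unknown>"))
        return chain

    alerts = []

    def hit(rule, e, evidence):
        alerts.append({"rule": rule, "pid": e["ProcessId"], "evidence": evidence})

    for e in events:
        eid, img = e["EventID"], _base(e.get("Image", ""))
        if eid == 1:
            cmd, chain = e["CommandLine"], ancestors(e["ProcessId"])
            if DOUBLE_EXT.search(cmd):
                hit("masquerading_double_extension", e, cmd)
            if img == "cmd.exe" and chain[:1] and chain[0] in JAVA:
                hit("java_spawned_shell", e, cmd)
            if img in ("schtasks.exe", "wmic.exe") and any(a in JAVA for a in chain):
                hit("java_descendant_" + img[:-4], e, " <- ".join([img] + chain))
        elif eid == 13 and RUN_KEY.search(e["TargetObject"]):
            if "-jar" in e["Details"].lower() and USER_WRITABLE.search(e["Details"]):
                hit("run_key_launches_jar", e, e["TargetObject"])
        elif eid == 11 and STARTUP_DIR.search(e["TargetFilename"]) and e["TargetFilename"].lower().endswith(".jar"):
            hit("startup_folder_jar", e, e["TargetFilename"])
        elif eid == 3 and img in JAVA:
            if e["DestinationPort"] not in (80, 443):
                hit("java_nonstandard_port", e, f'{e["DestinationIp"]}:{e["DestinationPort"]}')
            if e.get("DestinationHostname") == "ip-api.com":
                hit("external_ip_lookup", e, e["DestinationHostname"])
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        print(f'{a["rule"]:30} pid={a["pid"]:<3} {a["evidence"]}')
```

The lineage walk is what separates this from a plain Sigma match: "Shell Process Spawned by Java.EXE" fires on the immediate parent, but the WMIC and schtasks hits are only interesting because a JRE process sits higher in the chain, which a single-event rule cannot see. The benign control (a jar under Program Files talking HTTPS) produces no alerts, so the rules do not simply fire on every Java process.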
Context: other analyses that share an indicator with this one (match; associated sample name or URL; detection; threat name; context).

IP 208.95.112.1:
  Creal.exe  malicious  Blackshades  context: ip-api.com/json/
  factura 000601.exe  malicious  AgentTesla, PureLog Stealer  context: ip-api.com/line/?fields=hosting
  Orden de compra_#000000090764534236475890765432567890765768978687569867970875766868.exe  malicious  AgentTesla  context: ip-api.com/line/?fields=hosting
  msedge.exe  malicious  XWorm  context: ip-api.com/line/?fields=hosting
  imagelogger.exe  malicious  XWorm  context: ip-api.com/line/?fields=hosting
  NJRAT DANGEROUS.exe  malicious  XWorm  context: ip-api.com/line/?fields=hosting
  com surrogate.exe  malicious  XWorm  context: ip-api.com/line/?fields=hosting
  jerniuiopu.exe  malicious  Blackshades  context: ip-api.com/json/
  file.exe  malicious  ScreenConnect Tool, Amadey, LummaC Stealer, Vidar, XWorm, Xmrig  context: ip-api.com/line/?fields=hosting
  RdLfpZY5A9.exe  malicious  77Rootkit, XWorm  context: ip-api.com/line/?fields=hosting

Domain ip-api.com:
  Creal.exe  malicious  Blackshades  context: 208.95.112.1
  factura 000601.exe  malicious  AgentTesla, PureLog Stealer  context: 208.95.112.1
  Orden de compra_#000000090764534236475890765432567890765768978687569867970875766868.exe  malicious  AgentTesla  context: 208.95.112.1
  msedge.exe  malicious  XWorm  context: 208.95.112.1
  imagelogger.exe  malicious  XWorm  context: 208.95.112.1
  NJRAT DANGEROUS.exe  malicious  XWorm  context: 208.95.112.1
  com surrogate.exe  malicious  XWorm  context: 208.95.112.1
  jerniuiopu.exe  malicious  Blackshades  context: 208.95.112.1
  file.exe  malicious  ScreenConnect Tool, Amadey, LummaC Stealer, Vidar, XWorm, Xmrig  context: 208.95.112.1
  RdLfpZY5A9.exe  malicious  77Rootkit, XWorm  context: 208.95.112.1

Domain bg.microsoft.map.fastly.net:
  BwQ1ZjHbt3.bat  malicious  Unknown  context: 199.232.214.172
  sEOELQpFOB.lnk  malicious  RedLine  context: 199.232.210.172
  ref095vq842r70_classement_atout_france.pdf.lnk.d.lnk  malicious  RedLine, SectopRAT  context: 199.232.214.172
  payload_1.hta  malicious  RedLine  context: 199.232.210.172
  ei0woJS3Dy.lnk  malicious  Unknown  context: 199.232.214.172
  BKT2HSG6sZ.exe  malicious  RedLine  context: 199.232.214.172
  69633f.msi  malicious  Vidar  context: 199.232.214.172
  fsg5PWtTm2.lnk  malicious  RedLine, SectopRAT  context: 199.232.210.172
  SkaKk8Z1J0.exe  malicious  LummaC  context: 199.232.214.172
  Оплата.xls  malicious  Unknown  context: 199.232.210.172

ASN COMBAHTON combahton GmbH, DE:
  Support.ClientSetup.exe  malicious  ScreenConnect Tool  context: 194.59.31.27
  Counseling_Services_Overview.docm  malicious  Unknown  context: 45.147.231.195
  Nowe zamówienie - 0072291855.pdf (243KB).com.exe  malicious  Quasar  context: 194.59.31.75
  https://cloudserver-filesredir667900989385.s3.eu-central-1.amazonaws.com/6354799604_PDF.html  malicious  ScreenConnect Tool  context: 194.59.31.199
  https://cloudserver-filesredir667900989385.s3.eu-central-1.amazonaws.com/6354799604_PDF.html  malicious  ScreenConnect Tool  context: 194.59.31.199
  firestub.bat  malicious  Unknown  context: 194.59.30.10
  Cotización 99026475526_pdf.com.exe  malicious  Quasar  context: 194.59.31.75
  file.exe  malicious  ScreenConnect Tool  context: 194.59.30.222
  DEMASI-24-12B DOC. SCAN.exe  malicious  GuLoader, Remcos  context: 194.59.31.40
  Orden de Noviembre.com.exe  malicious  AsyncRAT  context: 194.59.31.47

ASN TUT-AS, US:
  Creal.exe  malicious  Blackshades  context: 208.95.112.1
  factura 000601.exe  malicious  AgentTesla, PureLog Stealer  context: 208.95.112.1
  Orden de compra_#000000090764534236475890765432567890765768978687569867970875766868.exe  malicious  AgentTesla  context: 208.95.112.1
  msedge.exe  malicious  XWorm  context: 208.95.112.1
  imagelogger.exe  malicious  XWorm  context: 208.95.112.1
  NJRAT DANGEROUS.exe  malicious  XWorm  context: 208.95.112.1
  com surrogate.exe  malicious  XWorm  context: 208.95.112.1
  jerniuiopu.exe  malicious  Blackshades  context: 208.95.112.1
  https://fsharetv.io  malicious  Unknown  context: 162.252.214.4
  file.exe  malicious  ScreenConnect Tool, Amadey, LummaC Stealer, Vidar, XWorm, Xmrig  context: 208.95.112.1
                                Process:C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                Category:modified
                                Size (bytes):201515
                                Entropy (8bit):7.8909723601756
                                Encrypted:false
                                SSDEEP:3072:KROA9tsCGC9tChoYvQlzwVa37ZGfteVTzg4U5N0iVfG6lfAANinzk4U86vLiy:I9aLC9EjYrrZGfteVTyjn12ANmo4Jy
                                MD5:FB02745DE7EC057A90B207602E732BE6
                                SHA1:C1ECC13F6F7B8043918CC17A4FB88FB29C6BA9D0
                                SHA-256:84481AED848A500EC03FB0E95443A125EAC073999AAF8391E221F72F75A33CB0
                                SHA-512:5E3C21BBA3CC652BACB2B32187D62682F441F2E484386C850372DFB39CF2ADCE3B092DD4AA418BC7AA913F0F3A9527E68CABBE9A93158EFD5AE3B997D05FAA2E
                                Malicious:true
                                Preview:PK.........n.Y................kingDavid/k.class/]PQO.P.=w.u+.nCEQ.Tt.q[...2.$...71..r..,..t.b.1....>.......7.kG..4....{.....#..V..&7;V.%.........1.wy.gl..d..f..1..Ur...Y%..8Ch.Bw.r.Z.iY#oP."|y3W%.Q..t5....\.7...S4=....N......iY.H^.FQ#..R.... .....C/..z..b.2..C.m."....4.CR......&hD..n.d.IU....0).<..8.)....e.......#A.7}2......."n0.{...J*..|......nbN.../p.....'..5......D.M!.m.e9...'..T_G.....(.........cp.(..1..H..j...R.$.......N...;.@...A..........6.R..u..e..i.;E.)1..v.o...3.a....I=F5.......<!.q..U.I..:.s....T.J.3.....O^{...!.I},....3.....@..0..(....3.]z?.....C.'zu..Z.Yr....gh.&dx@~....e....BG.`...PK.....bH...;...PK.........n.Y............"...kingDavid/k.class/caesium_27.classc..PK..............PK.........n.Y............"...kingDavid/k.class/caesium_26.classc..PK..............PK.........n.Y............"...kingDavid/k.class/caesium_25.classc..PK..............PK.........n.Y................kingDavid/b.class/.{wtUE.......u........^.."(.6..(...B........`W...+..P.
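The preview of the dropped copy above shows the layout the Caesium Obfuscator Yara hit refers to: entries such as kingDavid/k.class/caesium_27.class, where a path component named like a class file is used as a directory and the caesium_N.class entries are a few bytes each. The block below is an added example written for this page, not Joe Sandbox's Yara logic or the sample's own code: it builds a constructed JAR with that layout (manifest text and class bodies are placeholders, and the assumption that kingDavid/k.class also exists as a regular entry is the editor's reading of the preview) and runs a few static heuristics a triage script could apply before handing the file to a decompiler.

```python
"""Static triage of a JAR for the obfuscator artefacts visible in the preview.
Added example; heuristics are the editor's, the JAR is a constructed stand-in."""
import io
import zipfile

CLASS_MAGIC = b"\xca\xfe\xba\xbe"   # every valid .class file starts with this


def build_sample_jar(obfuscated: bool = True) -> bytes:
    """Constructed JAR mirroring the preview: kingDavid/k.class is used both as a
    class file and as a directory holding tiny caesium_N.class entries.  The
    manifest text and class bodies are assumed placeholders, not the sample's."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\n\r\n")
        for cls in ("kingDavid/b.class", "kingDavid/k.class"):
            z.writestr(cls, CLASS_MAGIC + b"\x00\x00\x00\x34" + b"\x00" * 16)
        if obfuscated:
            for n in (27, 26, 25):   # entry names taken from the preview; bodies are junk
                z.writestr(f"kingDavid/k.class/caesium_{n}.class", b"c")
    return buf.getvalue()


def triage_jar(data: bytes) -> dict:
    """Return a verdict plus (kind, entry) findings for anti-analysis tricks."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        names = z.namelist()
        files = {n for n in names if not n.endswith("/")}
        # Directories implied by entry paths (JARs rarely store explicit dir entries).
        implied_dirs = set()
        for n in names:
            parts = n.rstrip("/").split("/")
            implied_dirs.update("/".join(parts[:i]) for i in range(1, len(parts)))
        for d in sorted(implied_dirs):
            if d.endswith(".class"):
                # A directory named like a class file breaks decompilers' path-to-class mapping.
                findings.append(("class_named_directory", d))
            if d in files:
                # The same name as both file and directory cannot be extracted to disk.
                findings.append(("file_directory_collision", d))
        for info in z.infolist():
            base = info.filename.rsplit("/", 1)[-1]
            if base.startswith("caesium_") and base.endswith(".class"):
                findings.append(("caesium_junk_entry", info.filename))
            if base.endswith(".class") and not info.is_dir():
                if z.read(info.filename)[:4] != CLASS_MAGIC:
                    findings.append(("invalid_class_magic", info.filename))
    return {"verdict": "suspicious" if findings else "clean", "findings": findings}


if __name__ == "__main__":
    for kind, entry in triage_jar(build_sample_jar())["findings"]:
        print(f"{kind:26} {entry}")
```

The file/directory collision is the check worth keeping even outside this sample: a JAR that cannot be unzipped to disk without one name clobbering another is still loaded fine by the JVM, which reads entries by name from the central directory, so the clash costs the attacker nothing and costs the analyst the usual extract-then-decompile workflow.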
                                Process:C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):52
                                Entropy (8bit):4.858623612163837
                                Encrypted:false
                                SSDEEP:3:oFj4I5vpm4USREy:oJ5bREy
                                MD5:99EC41DF05EE1391BFA747AEDB4429A2
                                SHA1:7D575737CA7FA8BFA94B69D8DCBD8C538AF77594
                                SHA-256:AF27975EE5107EE5F89E0CDD7581D9B7F64AE4FCDD561BF76F1750E3F4F81480
                                SHA-512:6B392EE393FB1898D90B60420AAF2C1CCF13AC2FB45A9655EF662C77F418171C087D5CBF392DCCDD80C9717B4DCA2ECEF2D4D68196CCD0609AE74A9F6E0EF0A3
                                Malicious:false
                                Preview:C:\Program Files (x86)\Java\jre-1.8..1734432224285..
                                Process:C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):1.296031434654135
                                Encrypted:false
                                SSDEEP:96:mwmrs58GP2AzJV6f9WwzwMgkSJp43HG1bowx4G:mwD8GeAzJV6fYMeKHGd
                                MD5:27863D0637D7D613DC55EDE49A5D8BD8
                                SHA1:9DFEF9885F02947D9003C5CF7FAF446D3D40378C
                                SHA-256:F717D9FAB871DC3199A62501CB468BA5EA94A2140838734770CD41BF4DA28C24
                                SHA-512:1F4D582088BB5F4CE2681D7A3911FE55E8373FE2C62F587B4B6C04007C68DD0F656AC4F371D0B385004C5BE7735753573523C6FEE78BE7CDD076105AF64C52B7
                                Malicious:false
                                Preview:.........9........!..... .......8...........J...0...sun.rt._sync_Inflations.............8...........J...0...sun.rt._sync_Deflations.............@...........J...8...sun.rt._sync_ContendedLockAttempts..........8...........J...0...sun.rt._sync_FutileWakeups..........0...........J...(...sun.rt._sync_Parks..........@...........J...8...sun.rt._sync_EmptyNotifications.............8...........J...0...sun.rt._sync_Notifications..........8...........J...0...sun.rt._sync_SlowEnter..............8...........J...0...sun.rt._sync_SlowExit...............8...........J...0...sun.rt._sync_SlowNotify.............8...........J...0...sun.rt._sync_SlowNotifyAll..........8...........J...0...sun.rt._sync_FailedSpins............@...........J...8...sun.rt._sync_SuccessfulSpins................8...........J...0...sun.rt._sync_PrivateA...............8...........J...0...sun.rt._sync_PrivateB...............@...........J...8...sun.rt._sync_MonInCirculation...............8...........J...0...sun.rt._sync_MonScavenged...
                                Process:C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):1.285138065451023
                                Encrypted:false
                                SSDEEP:96:CwqryO8Gm8zoLeV6ZSuZw6NPgEbpMSJsXHG1bowEmm:Cwm8Gm8zoLeV6fNIEpwHGd
                                MD5:FBB8718775C3C270E411DD622794D29F
                                SHA1:935EF7688FF9A463B98A2E3EF40EDBA9EF913FB7
                                SHA-256:B3B94764143FB84E448355F8C9FF5DAC9BF8E0B4D4099C0BBA1395BF6698D85A
                                SHA-512:14108DD54C156E6B8BA21FC8408968802C766DE3074417A4332A63C88752C8BB6EC56BF261D0EF91D7853A6FDC4283BBB26295898350FF3FE141719ADAFB92F0
                                Malicious:false
                                Preview:........09.............. .......8...........J...0...sun.rt._sync_Inflations.............8...........J...0...sun.rt._sync_Deflations.............@...........J...8...sun.rt._sync_ContendedLockAttempts..........8...........J...0...sun.rt._sync_FutileWakeups..........0...........J...(...sun.rt._sync_Parks..........@...........J...8...sun.rt._sync_EmptyNotifications.............8...........J...0...sun.rt._sync_Notifications..........8...........J...0...sun.rt._sync_SlowEnter..............8...........J...0...sun.rt._sync_SlowExit...............8...........J...0...sun.rt._sync_SlowNotify.............8...........J...0...sun.rt._sync_SlowNotifyAll..........8...........J...0...sun.rt._sync_FailedSpins............@...........J...8...sun.rt._sync_SuccessfulSpins................8...........J...0...sun.rt._sync_PrivateA...............8...........J...0...sun.rt._sync_PrivateB...............@...........J...8...sun.rt._sync_MonInCirculation...............8...........J...0...sun.rt._sync_MonScavenged...
                                Process:C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):1.285605315184838
                                Encrypted:false
                                SSDEEP:96:2wqrUa/8Gmg2/pV6PllUBwdgEFptSJsXHG1bowEmu:2wK8Gmg2/pV6d2E0wHGd
                                MD5:2E012C4F9472F5A5FB657D94DEC1E491
                                SHA1:6139B89DCCD2737E89B54049EF9ABC25B78CC9C1
                                SHA-256:E4A326379551E96EF126E0CD258E306F8EE68CA2F0A09C2565412A1F6565A7FC
                                SHA-512:8D8C23F14D9DE322F3FB5CEC543D65BCF786BF1BDE5FEF9128C29C76CCF82A910C1A6E15A655DED0164687A85AF3507861915944AC0A78D62E5BB7E9E86F1363
                                Malicious:false
                                Preview:........09............. .......8...........J...0...sun.rt._sync_Inflations.............8...........J...0...sun.rt._sync_Deflations.............@...........J...8...sun.rt._sync_ContendedLockAttempts..........8...........J...0...sun.rt._sync_FutileWakeups..........0...........J...(...sun.rt._sync_Parks..........@...........J...8...sun.rt._sync_EmptyNotifications.............8...........J...0...sun.rt._sync_Notifications..........8...........J...0...sun.rt._sync_SlowEnter..............8...........J...0...sun.rt._sync_SlowExit...............8...........J...0...sun.rt._sync_SlowNotify.............8...........J...0...sun.rt._sync_SlowNotifyAll..........8...........J...0...sun.rt._sync_FailedSpins............@...........J...8...sun.rt._sync_SuccessfulSpins................8...........J...0...sun.rt._sync_PrivateA...............8...........J...0...sun.rt._sync_PrivateB...............@...........J...8...sun.rt._sync_MonInCirculation...............8...........J...0...sun.rt._sync_MonScavenged...
                                Process:C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):1.2850844197577593
                                Encrypted:false
                                SSDEEP:96:9wqrMy38GvV/KgV6lUmwjTQMmPSJsXHG1bowEm:9wG8GvVigV6ljMNwHGd
                                MD5:413D967C044816F46311D74F282858A6
                                SHA1:90E1FF65506889D27A9FEFBCEF7D4503D5742F33
                                SHA-256:6ECEC8620D825A1A3807B5C0A04AE1BF86D92DE3984491D288D279B218898428
                                SHA-512:5BA7256BD0E07D030F0BF27501546FE648985895C9121F0C1412C6F24CCD0C28C8325B646C984313876E9E11BFAFE3EDAED15CD02975A6A6BEC42F6143EAB778
                                Malicious:false
                                Preview:........09.............. .......8...........J...0...sun.rt._sync_Inflations.............8...........J...0...sun.rt._sync_Deflations.............@...........J...8...sun.rt._sync_ContendedLockAttempts..........8...........J...0...sun.rt._sync_FutileWakeups..........0...........J...(...sun.rt._sync_Parks..........@...........J...8...sun.rt._sync_EmptyNotifications.............8...........J...0...sun.rt._sync_Notifications..........8...........J...0...sun.rt._sync_SlowEnter..............8...........J...0...sun.rt._sync_SlowExit...............8...........J...0...sun.rt._sync_SlowNotify.............8...........J...0...sun.rt._sync_SlowNotifyAll..........8...........J...0...sun.rt._sync_FailedSpins............@...........J...8...sun.rt._sync_SuccessfulSpins................8...........J...0...sun.rt._sync_PrivateA...............8...........J...0...sun.rt._sync_PrivateB...............@...........J...8...sun.rt._sync_MonInCirculation...............8...........J...0...sun.rt._sync_MonScavenged...
                                Process:C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):1.3057667753751219
                                Encrypted:false
                                SSDEEP:96:hwRriQmt8GIlqaQnhX96Ej8sXeF7cUOWZSJAPhHR1joXFPmVG:hwy8GepQhX96E4cUqmHRR
                                MD5:2C0EC70EE7FDEEFE8EBFFD58A425B09B
                                SHA1:7E8EF8251D31DF87B3A2214E993D5D429EDE438F
                                SHA-256:A3D7A813A7442C722EA10E0682DB6697FE3FF63553CDD49D5EC0D3162726D7AD
                                SHA-512:C2B3C7583123982F2181D340CB7912DFF4643BD8199EDBC5711780AA7F9332D0A74C1E02A9306232C5FBA443ED3B819BAEE0E993FD45245A1BE3A0012AE6D53C
                                Malicious:false
                                Preview:.........9............. .......8...........J...0...sun.rt._sync_Inflations.............8...........J...0...sun.rt._sync_Deflations.............@...........J...8...sun.rt._sync_ContendedLockAttempts..........8...........J...0...sun.rt._sync_FutileWakeups..........0...........J...(...sun.rt._sync_Parks..&.......@...........J...8...sun.rt._sync_EmptyNotifications.............8...........J...0...sun.rt._sync_Notifications..".......8...........J...0...sun.rt._sync_SlowEnter..............8...........J...0...sun.rt._sync_SlowExit...............8...........J...0...sun.rt._sync_SlowNotify.............8...........J...0...sun.rt._sync_SlowNotifyAll..........8...........J...0...sun.rt._sync_FailedSpins............@...........J...8...sun.rt._sync_SuccessfulSpins................8...........J...0...sun.rt._sync_PrivateA...............8...........J...0...sun.rt._sync_PrivateB...............@...........J...8...sun.rt._sync_MonInCirculation...............8...........J...0...sun.rt._sync_MonScavenged...
                                Process:C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
                                File Type:data
                                Category:dropped
                                Size (bytes):65536
                                Entropy (8bit):1.2865480886316283
                                Encrypted:false
                                SSDEEP:96:o9hrtpO8G+QxFgS6YlBNgJq65uSJbXHG1bowEm:o9w8G+QxFV6zJh1RHGd
                                MD5:88917F975A2136555866AF7A30B2B6F0
                                SHA1:A8FC779826B84A2BA0C90906F43C7D594A147ABF
                                SHA-256:806C5875977CFF0FE7CDEF271B7D523D4A4F2AE3F223715E7ADC5D080798E2F5
                                SHA-512:7A5D03560B956A62FC4D37717C24B940A54116DC8141E4DCACCBDCB9302C180087E4EB1C8D2B861DD1AEDBC9E18A408CA7D58413CCF9B28DD0AF90FEA0F60008
                                Malicious:false
                                Preview:........09.......3...... .......8...........J...0...sun.rt._sync_Inflations.............8...........J...0...sun.rt._sync_Deflations.............@...........J...8...sun.rt._sync_ContendedLockAttempts..........8...........J...0...sun.rt._sync_FutileWakeups..........0...........J...(...sun.rt._sync_Parks..........@...........J...8...sun.rt._sync_EmptyNotifications.............8...........J...0...sun.rt._sync_Notifications..........8...........J...0...sun.rt._sync_SlowEnter..............8...........J...0...sun.rt._sync_SlowExit...............8...........J...0...sun.rt._sync_SlowNotify.............8...........J...0...sun.rt._sync_SlowNotifyAll..........8...........J...0...sun.rt._sync_FailedSpins............@...........J...8...sun.rt._sync_SuccessfulSpins................8...........J...0...sun.rt._sync_PrivateA...............8...........J...0...sun.rt._sync_PrivateB...............@...........J...8...sun.rt._sync_MonInCirculation...............8...........J...0...sun.rt._sync_MonScavenged...
                                Process:C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                Category:dropped
                                Size (bytes):201515
                                Entropy (8bit):7.8909723601756
                                Encrypted:false
                                SSDEEP:3072:KROA9tsCGC9tChoYvQlzwVa37ZGfteVTzg4U5N0iVfG6lfAANinzk4U86vLiy:I9aLC9EjYrrZGfteVTyjn12ANmo4Jy
                                MD5:FB02745DE7EC057A90B207602E732BE6
                                SHA1:C1ECC13F6F7B8043918CC17A4FB88FB29C6BA9D0
                                SHA-256:84481AED848A500EC03FB0E95443A125EAC073999AAF8391E221F72F75A33CB0
                                SHA-512:5E3C21BBA3CC652BACB2B32187D62682F441F2E484386C850372DFB39CF2ADCE3B092DD4AA418BC7AA913F0F3A9527E68CABBE9A93158EFD5AE3B997D05FAA2E
                                Malicious:true
                                Preview:PK.........n.Y................kingDavid/k.class/]PQO.P.=w.u+.nCEQ.Tt.q[...2.$...71..r..,..t.b.1....>.......7.kG..4....{.....#..V..&7;V.%.........1.wy.gl..d..f..1..Ur...Y%..8Ch.Bw.r.Z.iY#oP."|y3W%.Q..t5....\.7...S4=....N......iY.H^.FQ#..R.... .....C/..z..b.2..C.m."....4.CR......&hD..n.d.IU....0).<..8.)....e.......#A.7}2......."n0.{...J*..|......nbN.../p.....'..5......D.M!.m.e9...'..T_G.....(.........cp.(..1..H..j...R.$.......N...;.@...A..........6.R..u..e..i.;E.)1..v.o...3.a....I=F5.......<!.q..U.I..:.s....T.J.3.....O^{...!.I},....3.....@..0..(....3.]z?.....C.'zu..Z.Yr....gh.&dx@~....e....BG.`...PK.....bH...;...PK.........n.Y............"...kingDavid/k.class/caesium_27.classc..PK..............PK.........n.Y............"...kingDavid/k.class/caesium_26.classc..PK..............PK.........n.Y............"...kingDavid/k.class/caesium_25.classc..PK..............PK.........n.Y................kingDavid/b.class/.{wtUE.......u........^.."(.6..(...B........`W...+..P.
                                Process:C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
                                File Type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                Category:dropped
                                Size (bytes):201515
                                Entropy (8bit):7.8909723601756
                                Encrypted:false
                                SSDEEP:3072:KROA9tsCGC9tChoYvQlzwVa37ZGfteVTzg4U5N0iVfG6lfAANinzk4U86vLiy:I9aLC9EjYrrZGfteVTyjn12ANmo4Jy
                                MD5:FB02745DE7EC057A90B207602E732BE6
                                SHA1:C1ECC13F6F7B8043918CC17A4FB88FB29C6BA9D0
                                SHA-256:84481AED848A500EC03FB0E95443A125EAC073999AAF8391E221F72F75A33CB0
                                SHA-512:5E3C21BBA3CC652BACB2B32187D62682F441F2E484386C850372DFB39CF2ADCE3B092DD4AA418BC7AA913F0F3A9527E68CABBE9A93158EFD5AE3B997D05FAA2E
                                Malicious:true
                                Preview:PK.........n.Y................kingDavid/k.class/]PQO.P.=w.u+.nCEQ.Tt.q[...2.$...71..r..,..t.b.1....>.......7.kG..4....{.....#..V..&7;V.%.........1.wy.gl..d..f..1..Ur...Y%..8Ch.Bw.r.Z.iY#oP."|y3W%.Q..t5....\.7...S4=....N......iY.H^.FQ#..R.... .....C/..z..b.2..C.m."....4.CR......&hD..n.d.IU....0).<..8.)....e.......#A.7}2......."n0.{...J*..|......nbN.../p.....'..5......D.M!.m.e9...'..T_G.....(.........cp.(..1..H..j...R.$.......N...;.@...A..........6.R..u..e..i.;E.)1..v.o...3.a....I=F5.......<!.q..U.I..:.s....T.J.3.....O^{...!.I},....3.....@..0..(....3.]z?.....C.'zu..Z.Yr....gh.&dx@~....e....BG.`...PK.....bH...;...PK.........n.Y............"...kingDavid/k.class/caesium_27.classc..PK..............PK.........n.Y............"...kingDavid/k.class/caesium_26.classc..PK..............PK.........n.Y............"...kingDavid/k.class/caesium_25.classc..PK..............PK.........n.Y................kingDavid/b.class/.{wtUE.......u........^.."(.6..(...B........`W...+..P.
                                Process:C:\Windows\SysWOW64\cmd.exe
                                File Type:ASCII text, with CRLF line terminators
                                Category:dropped
                                Size (bytes):40
                                Entropy (8bit):3.9898227820087544
                                Encrypted:false
                                SSDEEP:3:qUew/GWXqov:qTeGQj
                                MD5:682C76D1B5180FAF3EAB2321053CD21D
                                SHA1:B89BF15F5BA460A3FE13B72BC2F65A6C7CB88B8A
                                SHA-256:74944370F3B678E5B7A62BAF377EA956023FCF40B2133134B9F168D898299639
                                SHA-512:5EC21614E10855A53F3DE93D37F1639165756A84FBDC3DDF1CF697EADD0B02A5CECF7A9CFDFD2C342AEAF46ECECFDCF7B58FD28ACC1A5FD4595B8ED296119E39
                                Malicious:false
                                Preview:Inside main method..Inside constructor..
                                File type:Zip archive data, at least v2.0 to extract, compression method=deflate
                                Entropy (8bit):7.8909723601756
                                TrID:
                                • Java Archive (13504/1) 62.80%
                                • ZIP compressed archive (8000/1) 37.20%
                                File name:Shipping Bill No6239999Dt09122024.PDF.jar
                                File size:201'515 bytes
                                MD5:fb02745de7ec057a90b207602e732be6
                                SHA1:c1ecc13f6f7b8043918cc17a4fb88fb29c6ba9d0
                                SHA256:84481aed848a500ec03fb0e95443a125eac073999aaf8391e221f72f75a33cb0
                                SHA512:5e3c21bba3cc652bacb2b32187d62682f441f2e484386c850372dfb39cf2adce3b092dd4aa418bc7aa913f0f3a9527e68cabbe9a93158efd5ae3b997d05faa2e
                                SSDEEP:3072:KROA9tsCGC9tChoYvQlzwVa37ZGfteVTzg4U5N0iVfG6lfAANinzk4U86vLiy:I9aLC9EjYrrZGfteVTyjn12ANmo4Jy
                                TLSH:8814BD14BB8090B2E3B760B2085D9319B874A4EFC66CA6870FF1EC1FDC16D651F61AB5
                                File Content Preview:PK.........n.Y................kingDavid/k.class/]PQO.P.=w.u+.nCEQ.Tt.q[....2.$...71..r..,..t.b.1....>........7.kG..4......{.....#..V..&7;V.%.............1.wy.gl..d...f..1..Ur...Y%..8Ch.Bw.r.Z.iY#oP."|y3W%.Q..t5....\.7...S4=....N......iY.H^..FQ#..R...... .
                                Icon Hash:d08c8e8ea2868a54
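The preview above shows the sample's entry layout: `kingDavid/k.class/` and `kingDavid/b.class/` are entry names that end in a slash (so archive tools treat them as folders) yet are immediately followed by compressed data, while the `caesium_N.class` entries next to them carry only a few bytes. As an added example, not code from the Joe Sandbox report or from the sample, the script below constructs an in-memory archive with that entry layout (dummy contents, not the sample's bytecode) and runs the static checks a triage pipeline would apply before anything is executed: the `.PDF.jar` double extension and the three layout features, read from the central directory only. The extension lists and the `caesium_N.class` pattern are assumptions taken from the file name and the preview, not from any published signature.

```python
"""Static triage of a JAR lure: double extension plus the entry layout seen in the preview.

Added example; not code from the Joe Sandbox report or from the sample. The archive is
constructed in memory to mirror only the entry names visible in the report's preview
(kingDavid/k.class/, kingDavid/k.class/caesium_27.class, kingDavid/b.class/, ...);
entry contents are dummy bytes, not the sample's class files.
"""
import io
import re
import zipfile
from dataclasses import dataclass, field
from pathlib import PurePath

# Assumed lists; extend to taste. A document-looking extension directly in front of an
# executable one is the "double extension" the report flags on the sample's file name.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}
EXECUTABLE_EXTS = {".jar", ".exe", ".js", ".vbs", ".scr", ".bat"}
DECOY_CLASS = re.compile(r"(^|/)caesium_\d+\.class$")   # assumed pattern, from the preview


@dataclass
class JarFindings:
    double_extension: bool
    class_named_dirs: list = field(default_factory=list)   # "pkg/k.class/": class name used as a folder
    dirs_with_payload: list = field(default_factory=list)  # "/"-terminated entries that still carry bytes
    decoy_classes: list = field(default_factory=list)      # caesium_N.class entries

    @property
    def suspicious(self) -> bool:
        return self.double_extension or bool(
            self.class_named_dirs or self.dirs_with_payload or self.decoy_classes)


def has_double_extension(filename: str) -> bool:
    suffixes = [s.lower() for s in PurePath(filename).suffixes]
    return (len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS
            and suffixes[-1] in EXECUTABLE_EXTS)


def triage_jar(filename: str, data: bytes) -> JarFindings:
    """Inspect the central directory only; nothing is extracted or executed."""
    findings = JarFindings(double_extension=has_double_extension(filename))
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename
            if info.is_dir():                         # name ends in "/"
                if name.rstrip("/").endswith(".class"):
                    findings.class_named_dirs.append(name)
                if info.file_size > 0:                # extractors create an empty folder and drop the bytes
                    findings.dirs_with_payload.append(name)
            elif DECOY_CLASS.search(name):
                findings.decoy_classes.append(name)
    return findings


def build_constructed_jar() -> bytes:
    """Constructed stand-in for the sample: same entry names, dummy contents."""
    fake_class = b"\xca\xfe\xba\xbe" + b"\x00" * 28   # class-file magic plus padding, not real bytecode
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("kingDavid/k.class/", fake_class)   # "folder" entry that actually holds bytes
        for n in (27, 26, 25):
            zf.writestr(f"kingDavid/k.class/caesium_{n}.class", b"c")
        zf.writestr("kingDavid/b.class/", fake_class)
        zf.writestr("kingDavid/b.class/caesium_1.class", b"c")
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_jar("Shipping Bill No6239999Dt09122024.PDF.jar", build_constructed_jar()))
```

Run it on a real file with `triage_jar(path.name, path.read_bytes())`. The checks never inflate an entry, so a hostile archive cannot make the script execute or decompress anything; the sizes come from the central directory, which is also why `dirs_with_payload` catches data hidden behind a slash-terminated name that a normal `unzip` would silently turn into an empty folder.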
                                Timestamp | SID | Signature | Severity | Source IP | Source Port | Dest IP | Dest Port | Protocol
                                2024-12-17T11:43:20.848309+0100 | 2030358 | ET MALWARE STRRAT CnC Checkin | 1 | 192.168.2.5 | 49704 | 194.59.30.164 | 1790 | TCP
                                2024-12-17T11:43:25.856866+0100 | 2030358 | ET MALWARE STRRAT CnC Checkin | 1 | 192.168.2.5 | 49704 | 194.59.30.164 | 1790 | TCP
                                2024-12-17T11:43:30.871833+0100 | 2030358 | ET MALWARE STRRAT CnC Checkin | 1 | 192.168.2.5 | 49704 | 194.59.30.164 | 1790 | TCP
                                2024-12-17T11:43:35.874229+0100 | 2030358 | ET MALWARE STRRAT CnC Checkin | 1 | 192.168.2.5 | 49704 | 194.59.30.164 | 1790 | TCP
                                2024-12-17T11:43:40.943157+0100 | 2030358 | ET MALWARE STRRAT CnC Checkin | 1 | 192.168.2.5 | 49704 | 194.59.30.164 | 1790 | TCP
                                2024-12-17T11:43:45.968656+0100 | 2030358 | ET MALWARE STRRAT CnC Checkin | 1 | 192.168.2.5 | 49704 | 194.59.30.164 | 1790 | TCP
                                2024-12-17T11:43:50.961878+0100 | 2030358 | ET MALWARE STRRAT CnC Checkin | 1 | 192.168.2.5 | 49704 | 194.59.30.164 | 1790 | TCP
                                2024-12-17T11:43:55.978065+0100 | 2030358 | ET MALWARE STRRAT CnC Checkin | 1 | 192.168.2.5 | 49704 | 194.59.30.164 | 1790 | TCP
                                2024-12-17T11:44:00.996902+0100 | 2030358 | ET MALWARE STRRAT CnC Checkin | 1 | 192.168.2.5 | 49704 | 194.59.30.164 | 1790 | TCP
                                2024-12-17T11:44:05.993443+0100 | 2030358 | ET MALWARE STRRAT CnC Checkin | 1 | 192.168.2.5 | 49704 | 194.59.30.164 | 1790 | TCP
                                2024-12-17T11:44:11.008684+0100 | 2030358 | ET MALWARE STRRAT CnC Checkin | 1 | 192.168.2.5 | 49704 | 194.59.30.164 | 1790 | TCP
                                2024-12-17T11:44:16.024361+0100 | 2030358 | ET MALWARE STRRAT CnC Checkin | 1 | 192.168.2.5 | 49704 | 194.59.30.164 | 1790 | TCP
                                2024-12-17T11:44:21.026391+0100 | 2030358 | ET MALWARE STRRAT CnC Checkin | 1 | 192.168.2.5 | 49704 | 194.59.30.164 | 1790 | TCP
                                2024-12-17T11:44:26.024696+0100 | 2030358 | ET MALWARE STRRAT CnC Checkin | 1 | 192.168.2.5 | 49704 | 194.59.30.164 | 1790 | TCP
                                2024-12-17T11:44:31.024560+0100 | 2030358 | ET MALWARE STRRAT CnC Checkin | 1 | 192.168.2.5 | 49704 | 194.59.30.164 | 1790 | TCP
                                2024-12-17T11:44:36.040246+0100 | 2030358 | ET MALWARE STRRAT CnC Checkin | 1 | 192.168.2.5 | 49704 | 194.59.30.164 | 1790 | TCP
                                2024-12-17T11:44:41.055860+0100 | 2030358 | ET MALWARE STRRAT CnC Checkin | 1 | 192.168.2.5 | 49704 | 194.59.30.164 | 1790 | TCP
                                2024-12-17T11:44:46.056015+0100 | 2030358 | ET MALWARE STRRAT CnC Checkin | 1 | 192.168.2.5 | 49704 | 194.59.30.164 | 1790 | TCP
                                2024-12-17T11:44:51.072720+0100 | 2030358 | ET MALWARE STRRAT CnC Checkin | 1 | 192.168.2.5 | 49704 | 194.59.30.164 | 1790 | TCP
                                2024-12-17T11:44:56.072129+0100 | 2030358 | ET MALWARE STRRAT CnC Checkin | 1 | 192.168.2.5 | 49704 | 194.59.30.164 | 1790 | TCP
                                2024-12-17T11:45:01.087634+0100 | 2030358 | ET MALWARE STRRAT CnC Checkin | 1 | 192.168.2.5 | 49704 | 194.59.30.164 | 1790 | TCP
                                2024-12-17T11:45:06.087037+0100 | 2030358 | ET MALWARE STRRAT CnC Checkin | 1 | 192.168.2.5 | 49704 | 194.59.30.164 | 1790 | TCP
                                2024-12-17T11:45:12.279601+0100 | 2030358 | ET MALWARE STRRAT CnC Checkin | 1 | 192.168.2.5 | 49704 | 194.59.30.164 | 1790 | TCP
                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Dec 17, 2024 11:43:13.511655092 CET | 49704 | 1790 | 192.168.2.5 | 194.59.30.164
                                Dec 17, 2024 11:43:13.631418943 CET | 1790 | 49704 | 194.59.30.164 | 192.168.2.5
                                Dec 17, 2024 11:43:13.631527901 CET | 49704 | 1790 | 192.168.2.5 | 194.59.30.164
                                Dec 17, 2024 11:43:19.509588957 CET | 49705 | 80 | 192.168.2.5 | 208.95.112.1
                                Dec 17, 2024 11:43:19.629470110 CET | 80 | 49705 | 208.95.112.1 | 192.168.2.5
                                Dec 17, 2024 11:43:19.629988909 CET | 49705 | 80 | 192.168.2.5 | 208.95.112.1
                                Dec 17, 2024 11:43:19.630346060 CET | 49705 | 80 | 192.168.2.5 | 208.95.112.1
                                Dec 17, 2024 11:43:19.750056028 CET | 80 | 49705 | 208.95.112.1 | 192.168.2.5
                                Dec 17, 2024 11:43:20.726403952 CET | 80 | 49705 | 208.95.112.1 | 192.168.2.5
                                Dec 17, 2024 11:43:20.726478100 CET | 80 | 49705 | 208.95.112.1 | 192.168.2.5
                                Dec 17, 2024 11:43:20.726557016 CET | 49705 | 80 | 192.168.2.5 | 208.95.112.1
                                Dec 17, 2024 11:43:20.728115082 CET | 49705 | 80 | 192.168.2.5 | 208.95.112.1
                                Dec 17, 2024 11:43:20.728455067 CET | 49704 | 1790 | 192.168.2.5 | 194.59.30.164
                                Dec 17, 2024 11:43:20.848129988 CET | 80 | 49705 | 208.95.112.1 | 192.168.2.5
                                Dec 17, 2024 11:43:20.848182917 CET | 1790 | 49704 | 194.59.30.164 | 192.168.2.5
                                Dec 17, 2024 11:43:20.848309040 CET | 49704 | 1790 | 192.168.2.5 | 194.59.30.164
                                Dec 17, 2024 11:43:20.968286991 CET | 1790 | 49704 | 194.59.30.164 | 192.168.2.5
                                Dec 17, 2024 11:43:25.737009048 CET | 49704 | 1790 | 192.168.2.5 | 194.59.30.164
                                Dec 17, 2024 11:43:25.856820107 CET | 1790 | 49704 | 194.59.30.164 | 192.168.2.5
                                Dec 17, 2024 11:43:25.856865883 CET | 49704 | 1790 | 192.168.2.5 | 194.59.30.164
                                Dec 17, 2024 11:43:25.976552963 CET | 1790 | 49704 | 194.59.30.164 | 192.168.2.5
                                Dec 17, 2024 11:43:30.751723051 CET | 49704 | 1790 | 192.168.2.5 | 194.59.30.164
                                Dec 17, 2024 11:43:30.871556044 CET | 1790 | 49704 | 194.59.30.164 | 192.168.2.5
                                Dec 17, 2024 11:43:30.871833086 CET | 49704 | 1790 | 192.168.2.5 | 194.59.30.164
                                Dec 17, 2024 11:43:30.992042065 CET | 1790 | 49704 | 194.59.30.164 | 192.168.2.5
                                Dec 17, 2024 11:43:35.752614975 CET | 49704 | 1790 | 192.168.2.5 | 194.59.30.164
                                Dec 17, 2024 11:43:35.872383118 CET | 1790 | 49704 | 194.59.30.164 | 192.168.2.5
                                Dec 17, 2024 11:43:35.874228954 CET | 49704 | 1790 | 192.168.2.5 | 194.59.30.164
                                Dec 17, 2024 11:43:35.994472980 CET | 1790 | 49704 | 194.59.30.164 | 192.168.2.5
                                Dec 17, 2024 11:43:40.823357105 CET | 49704 | 1790 | 192.168.2.5 | 194.59.30.164
                                Dec 17, 2024 11:43:40.943103075 CET | 1790 | 49704 | 194.59.30.164 | 192.168.2.5
                                Dec 17, 2024 11:43:40.943156958 CET | 49704 | 1790 | 192.168.2.5 | 194.59.30.164
                                Dec 17, 2024 11:43:41.062896013 CET | 1790 | 49704 | 194.59.30.164 | 192.168.2.5
                                Dec 17, 2024 11:43:45.848841906 CET | 49704 | 1790 | 192.168.2.5 | 194.59.30.164
                                Dec 17, 2024 11:43:45.968605042 CET | 1790 | 49704 | 194.59.30.164 | 192.168.2.5
                                Dec 17, 2024 11:43:45.968656063 CET | 49704 | 1790 | 192.168.2.5 | 194.59.30.164
                                Dec 17, 2024 11:43:46.088809967 CET | 1790 | 49704 | 194.59.30.164 | 192.168.2.5
                                Dec 17, 2024 11:43:50.841929913 CET | 49704 | 1790 | 192.168.2.5 | 194.59.30.164
                                Dec 17, 2024 11:43:50.961813927 CET | 1790 | 49704 | 194.59.30.164 | 192.168.2.5
                                Dec 17, 2024 11:43:50.961878061 CET | 49704 | 1790 | 192.168.2.5 | 194.59.30.164
                                Dec 17, 2024 11:43:51.081798077 CET | 1790 | 49704 | 194.59.30.164 | 192.168.2.5
                                Dec 17, 2024 11:43:55.857485056 CET | 49704 | 1790 | 192.168.2.5 | 194.59.30.164
                                Dec 17, 2024 11:43:55.977992058 CET | 1790 | 49704 | 194.59.30.164 | 192.168.2.5
                                Dec 17, 2024 11:43:55.978065014 CET | 49704 | 1790 | 192.168.2.5 | 194.59.30.164
                                Dec 17, 2024 11:43:56.098246098 CET | 1790 | 49704 | 194.59.30.164 | 192.168.2.5
                                Dec 17, 2024 11:44:00.873158932 CET | 49704 | 1790 | 192.168.2.5 | 194.59.30.164
                                Dec 17, 2024 11:44:00.993062973 CET | 1790 | 49704 | 194.59.30.164 | 192.168.2.5
                                Dec 17, 2024 11:44:00.996901989 CET | 49704 | 1790 | 192.168.2.5 | 194.59.30.164
                                Dec 17, 2024 11:44:01.116734028 CET | 1790 | 49704 | 194.59.30.164 | 192.168.2.5
                                Dec 17, 2024 11:44:05.873174906 CET | 49704 | 1790 | 192.168.2.5 | 194.59.30.164
                                Dec 17, 2024 11:44:05.993313074 CET | 1790 | 49704 | 194.59.30.164 | 192.168.2.5
                                Dec 17, 2024 11:44:05.993443012 CET | 49704 | 1790 | 192.168.2.5 | 194.59.30.164
                                Dec 17, 2024 11:44:06.113259077 CET | 1790 | 49704 | 194.59.30.164 | 192.168.2.5
                                Dec 17, 2024 11:44:10.888837099 CET | 49704 | 1790 | 192.168.2.5 | 194.59.30.164
                                Dec 17, 2024 11:44:11.008574963 CET | 1790 | 49704 | 194.59.30.164 | 192.168.2.5
                                Dec 17, 2024 11:44:11.008683920 CET | 49704 | 1790 | 192.168.2.5 | 194.59.30.164
                                Dec 17, 2024 11:44:11.128530979 CET | 1790 | 49704 | 194.59.30.164 | 192.168.2.5
                                Dec 17, 2024 11:44:15.904551983 CET | 49704 | 1790 | 192.168.2.5 | 194.59.30.164
                                Dec 17, 2024 11:44:16.024301052 CET | 1790 | 49704 | 194.59.30.164 | 192.168.2.5
                                Dec 17, 2024 11:44:16.024360895 CET | 49704 | 1790 | 192.168.2.5 | 194.59.30.164
                                Dec 17, 2024 11:44:16.144213915 CET | 1790 | 49704 | 194.59.30.164 | 192.168.2.5
                                Dec 17, 2024 11:44:20.905261993 CET | 49704 | 1790 | 192.168.2.5 | 194.59.30.164
                                Dec 17, 2024 11:44:21.025404930 CET | 1790 | 49704 | 194.59.30.164 | 192.168.2.5
                                Dec 17, 2024 11:44:21.026391029 CET | 49704 | 1790 | 192.168.2.5 | 194.59.30.164
                                Dec 17, 2024 11:44:21.146300077 CET | 1790 | 49704 | 194.59.30.164 | 192.168.2.5
                                Dec 17, 2024 11:44:25.904529095 CET | 49704 | 1790 | 192.168.2.5 | 194.59.30.164
                                Dec 17, 2024 11:44:26.024462938 CET | 1790 | 49704 | 194.59.30.164 | 192.168.2.5
                                Dec 17, 2024 11:44:26.024696112 CET | 49704 | 1790 | 192.168.2.5 | 194.59.30.164
                                Dec 17, 2024 11:44:26.144573927 CET | 1790 | 49704 | 194.59.30.164 | 192.168.2.5
                                Dec 17, 2024 11:44:30.904561043 CET | 49704 | 1790 | 192.168.2.5 | 194.59.30.164
                                Dec 17, 2024 11:44:31.024478912 CET | 1790 | 49704 | 194.59.30.164 | 192.168.2.5
                                Dec 17, 2024 11:44:31.024559975 CET | 49704 | 1790 | 192.168.2.5 | 194.59.30.164
                                Dec 17, 2024 11:44:31.144280910 CET | 1790 | 49704 | 194.59.30.164 | 192.168.2.5
                                Dec 17, 2024 11:44:35.920264959 CET | 49704 | 1790 | 192.168.2.5 | 194.59.30.164
                                Dec 17, 2024 11:44:36.040124893 CET | 1790 | 49704 | 194.59.30.164 | 192.168.2.5
                                Dec 17, 2024 11:44:36.040246010 CET | 49704 | 1790 | 192.168.2.5 | 194.59.30.164
                                Dec 17, 2024 11:44:36.159929037 CET | 1790 | 49704 | 194.59.30.164 | 192.168.2.5
                                Dec 17, 2024 11:44:40.935981035 CET | 49704 | 1790 | 192.168.2.5 | 194.59.30.164
                                Dec 17, 2024 11:44:41.055778980 CET | 1790 | 49704 | 194.59.30.164 | 192.168.2.5
                                Dec 17, 2024 11:44:41.055860043 CET | 49704 | 1790 | 192.168.2.5 | 194.59.30.164
                                Dec 17, 2024 11:44:41.175647020 CET | 1790 | 49704 | 194.59.30.164 | 192.168.2.5
                                Dec 17, 2024 11:44:45.935837030 CET | 49704 | 1790 | 192.168.2.5 | 194.59.30.164
                                Dec 17, 2024 11:44:46.055943966 CET | 1790 | 49704 | 194.59.30.164 | 192.168.2.5
                                Dec 17, 2024 11:44:46.056015015 CET | 49704 | 1790 | 192.168.2.5 | 194.59.30.164
                                Dec 17, 2024 11:44:46.175740004 CET | 1790 | 49704 | 194.59.30.164 | 192.168.2.5
                                Dec 17, 2024 11:44:50.951491117 CET | 49704 | 1790 | 192.168.2.5 | 194.59.30.164
                                Dec 17, 2024 11:44:51.072422028 CET | 1790 | 49704 | 194.59.30.164 | 192.168.2.5
                                Dec 17, 2024 11:44:51.072720051 CET | 49704 | 1790 | 192.168.2.5 | 194.59.30.164
                                Dec 17, 2024 11:44:51.195060015 CET | 1790 | 49704 | 194.59.30.164 | 192.168.2.5
                                Dec 17, 2024 11:44:55.952270031 CET | 49704 | 1790 | 192.168.2.5 | 194.59.30.164
                                Dec 17, 2024 11:44:56.072036982 CET | 1790 | 49704 | 194.59.30.164 | 192.168.2.5
                                Dec 17, 2024 11:44:56.072129011 CET | 49704 | 1790 | 192.168.2.5 | 194.59.30.164
                                Dec 17, 2024 11:44:56.191967010 CET | 1790 | 49704 | 194.59.30.164 | 192.168.2.5
                                Dec 17, 2024 11:45:00.967221975 CET | 49704 | 1790 | 192.168.2.5 | 194.59.30.164
                                Dec 17, 2024 11:45:01.087290049 CET | 1790 | 49704 | 194.59.30.164 | 192.168.2.5
                                Dec 17, 2024 11:45:01.087634087 CET | 49704 | 1790 | 192.168.2.5 | 194.59.30.164
                                Dec 17, 2024 11:45:01.207503080 CET | 1790 | 49704 | 194.59.30.164 | 192.168.2.5
                                Dec 17, 2024 11:45:05.967258930 CET | 49704 | 1790 | 192.168.2.5 | 194.59.30.164
                                Dec 17, 2024 11:45:06.086955070 CET | 1790 | 49704 | 194.59.30.164 | 192.168.2.5
                                Dec 17, 2024 11:45:06.087037086 CET | 49704 | 1790 | 192.168.2.5 | 194.59.30.164
                                Dec 17, 2024 11:45:06.206785917 CET | 1790 | 49704 | 194.59.30.164 | 192.168.2.5
                                Dec 17, 2024 11:45:12.158601999 CET | 49704 | 1790 | 192.168.2.5 | 194.59.30.164
                                Dec 17, 2024 11:45:12.278484106 CET | 1790 | 49704 | 194.59.30.164 | 192.168.2.5
                                Dec 17, 2024 11:45:12.279601097 CET | 49704 | 1790 | 192.168.2.5 | 194.59.30.164
                                Dec 17, 2024 11:45:12.399367094 CET | 1790 | 49704 | 194.59.30.164 | 192.168.2.5
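The flow table above records the STRRAT check-in cadence: two outbound segments to 194.59.30.164:1790 about 120 ms apart, repeated every five seconds, preceded by a one-off request to ip-api.com (208.95.112.1:80). The Suricata alerts fire on the same five-second cadence. As an added example, not Joe Sandbox code, the script below reads a constructed transcription of those outbound rows (same columns and values as the table, first minute of the capture only) and applies the usual beacon test: collapse each burst into one event, then measure the spacing between events with the median and the median absolute deviation, so that the longer first gap (the geolocation request runs before the first check-in) does not hide the cadence. The burst gap, the minimum burst count and the jitter threshold are tunable assumptions.

```python
"""Beacon-cadence check over per-packet flow records.

Added example; not Joe Sandbox code. FLOW_LINES is a constructed transcription of
outbound rows from the report's TCP flow table, in the report's column order
(timestamp, source port, destination port, source IP, destination IP), covering
the first minute of the capture. All rows are assumed to fall on the same day.
"""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median

FLOW_LINES = """\
Dec 17, 2024 11:43:13.511655092 CET 49704 1790 192.168.2.5 194.59.30.164
Dec 17, 2024 11:43:13.631527901 CET 49704 1790 192.168.2.5 194.59.30.164
Dec 17, 2024 11:43:19.509588957 CET 49705 80 192.168.2.5 208.95.112.1
Dec 17, 2024 11:43:19.629988909 CET 49705 80 192.168.2.5 208.95.112.1
Dec 17, 2024 11:43:19.630346060 CET 49705 80 192.168.2.5 208.95.112.1
Dec 17, 2024 11:43:20.726557016 CET 49705 80 192.168.2.5 208.95.112.1
Dec 17, 2024 11:43:20.728115082 CET 49705 80 192.168.2.5 208.95.112.1
Dec 17, 2024 11:43:20.728455067 CET 49704 1790 192.168.2.5 194.59.30.164
Dec 17, 2024 11:43:20.848309040 CET 49704 1790 192.168.2.5 194.59.30.164
Dec 17, 2024 11:43:25.737009048 CET 49704 1790 192.168.2.5 194.59.30.164
Dec 17, 2024 11:43:25.856865883 CET 49704 1790 192.168.2.5 194.59.30.164
Dec 17, 2024 11:43:30.751723051 CET 49704 1790 192.168.2.5 194.59.30.164
Dec 17, 2024 11:43:30.871833086 CET 49704 1790 192.168.2.5 194.59.30.164
Dec 17, 2024 11:43:35.752614975 CET 49704 1790 192.168.2.5 194.59.30.164
Dec 17, 2024 11:43:35.874228954 CET 49704 1790 192.168.2.5 194.59.30.164
Dec 17, 2024 11:43:40.823357105 CET 49704 1790 192.168.2.5 194.59.30.164
Dec 17, 2024 11:43:40.943156958 CET 49704 1790 192.168.2.5 194.59.30.164
Dec 17, 2024 11:43:45.848841906 CET 49704 1790 192.168.2.5 194.59.30.164
Dec 17, 2024 11:43:45.968656063 CET 49704 1790 192.168.2.5 194.59.30.164
Dec 17, 2024 11:43:50.841929913 CET 49704 1790 192.168.2.5 194.59.30.164
Dec 17, 2024 11:43:50.961878061 CET 49704 1790 192.168.2.5 194.59.30.164
Dec 17, 2024 11:43:55.857485056 CET 49704 1790 192.168.2.5 194.59.30.164
Dec 17, 2024 11:43:55.978065014 CET 49704 1790 192.168.2.5 194.59.30.164
Dec 17, 2024 11:44:00.873158932 CET 49704 1790 192.168.2.5 194.59.30.164
Dec 17, 2024 11:44:00.996901989 CET 49704 1790 192.168.2.5 194.59.30.164
"""


@dataclass
class BeaconResult:
    dst: str
    dport: int
    bursts: int      # outbound bursts seen; one check-in is one burst
    period: float    # median seconds between bursts, 0.0 when too few to judge
    jitter: float    # median absolute deviation of those intervals
    periodic: bool


def _seconds(ts: str) -> float:
    # The report prints nine fractional digits, more than strptime's %f accepts,
    # so convert "HH:MM:SS.fffffffff" by hand (same day assumed).
    h, m, s = ts.split(":")
    return int(h) * 3600 + int(m) * 60 + float(s)


def parse_flows(text: str, client_ip: str) -> dict:
    """Group outbound packet times by (destination IP, destination port)."""
    per_dst = defaultdict(list)
    for line in text.splitlines():
        fields = line.split()
        if len(fields) != 9:
            continue
        ts, dport, src, dst = fields[3], fields[6], fields[7], fields[8]
        if src == client_ip:
            per_dst[(dst, int(dport))].append(_seconds(ts))
    return per_dst


def burst_starts(times, gap: float = 1.0) -> list:
    """Collapse packets closer than `gap` seconds into one burst; each check-in in the
    capture is two segments ~120 ms apart, and counting both would halve the period."""
    starts, last = [], None
    for t in sorted(times):
        if last is None or t - last > gap:
            starts.append(t)
        last = t
    return starts


def assess(dst: str, dport: int, times, min_bursts: int = 4,
           max_rel_jitter: float = 0.1) -> BeaconResult:
    starts = burst_starts(times)
    if len(starts) < min_bursts:
        return BeaconResult(dst, dport, len(starts), 0.0, 0.0, False)
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    # Median/MAD rather than mean/stdev: the first gap is longer (the ip-api.com
    # lookup precedes the first check-in) and must not mask the cadence.
    period = median(gaps)
    jitter = median(abs(g - period) for g in gaps)
    return BeaconResult(dst, dport, len(starts), period, jitter,
                        jitter <= max_rel_jitter * period)


def find_beacons(text: str = FLOW_LINES, client_ip: str = "192.168.2.5") -> dict:
    return {key: assess(key[0], key[1], ts)
            for key, ts in parse_flows(text, client_ip).items()}


if __name__ == "__main__":
    for result in find_beacons().values():
        print(result)
```

On this input the 194.59.30.164:1790 series collapses to ten bursts with a median spacing of about 5.02 s and a jitter of about 10 ms, which is flagged as periodic; the five packets to 208.95.112.1:80 form two bursts and are left unjudged. Against a real capture, feed the same column layout (or adapt `parse_flows`) and raise `min_bursts` to suit the window length; a `gap` of one second is right for this sample's 120 ms pairs but would merge a beacon whose period is itself under a second.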
                                Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                Dec 17, 2024 11:43:11.168822050 CET | 60610 | 53 | 192.168.2.5 | 1.1.1.1
                                Dec 17, 2024 11:43:12.183348894 CET | 60610 | 53 | 192.168.2.5 | 1.1.1.1
                                Dec 17, 2024 11:43:13.198142052 CET | 60610 | 53 | 192.168.2.5 | 1.1.1.1
                                Dec 17, 2024 11:43:13.499675989 CET | 53 | 60610 | 1.1.1.1 | 192.168.2.5
                                Dec 17, 2024 11:43:13.499686003 CET | 53 | 60610 | 1.1.1.1 | 192.168.2.5
                                Dec 17, 2024 11:43:13.499700069 CET | 53 | 60610 | 1.1.1.1 | 192.168.2.5
                                Dec 17, 2024 11:43:19.249480009 CET | 65376 | 53 | 192.168.2.5 | 1.1.1.1
                                Dec 17, 2024 11:43:19.481232882 CET | 53 | 65376 | 1.1.1.1 | 192.168.2.5
                                Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                Dec 17, 2024 11:43:11.168822050 CET | 192.168.2.5 | 1.1.1.1 | 0xa86b | Standard query (0) | evilginx.misecure.com | A (IP address) | IN (0x0001) | false
                                Dec 17, 2024 11:43:12.183348894 CET | 192.168.2.5 | 1.1.1.1 | 0xa86b | Standard query (0) | evilginx.misecure.com | A (IP address) | IN (0x0001) | false
                                Dec 17, 2024 11:43:13.198142052 CET | 192.168.2.5 | 1.1.1.1 | 0xa86b | Standard query (0) | evilginx.misecure.com | A (IP address) | IN (0x0001) | false
                                Dec 17, 2024 11:43:19.249480009 CET | 192.168.2.5 | 1.1.1.1 | 0x9f9c | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
                                Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                Dec 17, 2024 11:43:13.499675989 CET | 1.1.1.1 | 192.168.2.5 | 0xa86b | No error (0) | evilginx.misecure.com | | 194.59.30.164 | A (IP address) | IN (0x0001) | false
                                Dec 17, 2024 11:43:13.499686003 CET | 1.1.1.1 | 192.168.2.5 | 0xa86b | No error (0) | evilginx.misecure.com | | 194.59.30.164 | A (IP address) | IN (0x0001) | false
                                Dec 17, 2024 11:43:13.499700069 CET | 1.1.1.1 | 192.168.2.5 | 0xa86b | No error (0) | evilginx.misecure.com | | 194.59.30.164 | A (IP address) | IN (0x0001) | false
                                Dec 17, 2024 11:43:19.481232882 CET | 1.1.1.1 | 192.168.2.5 | 0x9f9c | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                                Dec 17, 2024 11:43:25.666131973 CET | 1.1.1.1 | 192.168.2.5 | 0x2c89 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.214.172 | A (IP address) | IN (0x0001) | false
                                Dec 17, 2024 11:43:25.666131973 CET | 1.1.1.1 | 192.168.2.5 | 0x2c89 | No error (0) | bg.microsoft.map.fastly.net | | 199.232.210.172 | A (IP address) | IN (0x0001) | false
                                • ip-api.com
                                Session ID | Source IP | Source Port | Destination IP | Destination Port | PID | Process
                                0 | 192.168.2.5 | 49705 | 208.95.112.1 | 80 | 6464 | C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
                                Timestamp | Bytes transferred | Direction | Data
                                Dec 17, 2024 11:43:19.630346060 CET | 188 | OUT | GET /json/ HTTP/1.1
                                Host: ip-api.com
                                User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
                                Connection: close
                                Dec 17, 2024 11:43:20.726403952 CET | 483 | IN | HTTP/1.1 200 OK
                                Date: Tue, 17 Dec 2024 10:43:20 GMT
                                Content-Type: application/json; charset=utf-8
                                Content-Length: 306
                                Access-Control-Allow-Origin: *
                                X-Ttl: 60
                                X-Rl: 44
                                Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 59 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 63 69 74 79 22 3a 22 4e 65 77 20 59 6f 72 6b 22 2c 22 7a 69 70 22 3a 22 31 30 31 32 33 22 2c 22 6c 61 74 22 3a 34 30 2e 37 31 32 38 2c 22 6c 6f 6e 22 3a 2d 37 34 2e 30 30 36 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4e 65 77 5f 59 6f 72 6b 22 2c 22 69 73 70 22 3a 22 4c 65 76 65 6c 20 33 22 2c 22 6f 72 67 22 3a 22 43 65 6e 74 75 72 79 4c 69 6e 6b 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 2c 20 4c 4c 43 22 2c 22 61 73 22 3a 22 41 53 33 33 35 36 20 4c 65 76 65 6c 20 33 20 50 61 72 65 6e 74 2c 20 4c 4c 43 22 2c 22 71 75 65 72 79 22 3a 22 38 2e 34 36 2e 31 32 33 2e 31 38 39 22 7d
                                Data Ascii: {"status":"success","country":"United States","countryCode":"US","region":"NY","regionName":"New York","city":"New York","zip":"10123","lat":40.7128,"lon":-74.006,"timezone":"America/New_York","isp":"Level 3","org":"CenturyLink Communications, LLC","as":"AS3356 Level 3 Parent, LLC","query":"8.46.123.189"}



                                Target ID:0
                                Start time:05:43:06
                                Start date:17/12/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\Shipping Bill No6239999Dt09122024.PDF.jar"" >> C:\cmdlinestart.log 2>&1
                                Imagebase:0x790000
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:1
                                Start time:05:43:06
                                Start date:17/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:2
                                Start time:05:43:06
                                Start date:17/12/2024
                                Path:C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\Shipping Bill No6239999Dt09122024.PDF.jar"
                                Imagebase:0xf0000
                                File size:257'664 bytes
                                MD5 hash:9DAA53BAB2ECB33DC0D9CA51552701FA
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_CaesiumObfuscator, Description: Yara detected Caesium Obfuscator, Source: 00000002.00000003.2082253258.00000000008BA000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CaesiumObfuscator, Description: Yara detected Caesium Obfuscator, Source: 00000002.00000002.2109601926.0000000009950000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:moderate
                                Has exited:true

                                Target ID:3
                                Start time:05:43:07
                                Start date:17/12/2024
                                Path:C:\Windows\SysWOW64\icacls.exe
                                Wow64 process (32bit):true
                                Commandline:C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
                                Imagebase:0xa90000
                                File size:29'696 bytes
                                MD5 hash:2E49585E4E08565F52090B144062F97E
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:4
                                Start time:05:43:07
                                Start date:17/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:5
                                Start time:05:43:08
                                Start date:17/12/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):true
                                Commandline:cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\user\AppData\Roaming\Shipping Bill No6239999Dt09122024.PDF.jar"
                                Imagebase:0x790000
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:6
                                Start time:05:43:08
                                Start date:17/12/2024
                                Path:C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -jar "C:\Users\user\AppData\Roaming\Shipping Bill No6239999Dt09122024.PDF.jar"
                                Imagebase:0xf0000
                                File size:257'664 bytes
                                MD5 hash:9DAA53BAB2ECB33DC0D9CA51552701FA
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_CaesiumObfuscator, Description: Yara detected Caesium Obfuscator, Source: 00000006.00000003.2107036191.0000000000D69000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CaesiumObfuscator, Description: Yara detected Caesium Obfuscator, Source: 00000006.00000002.3317092176.0000000009B97000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_STRRAT, Description: Yara detected STRRAT, Source: 00000006.00000002.3317092176.0000000009B68000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CaesiumObfuscator, Description: Yara detected Caesium Obfuscator, Source: 00000006.00000002.3317092176.0000000009C28000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                Reputation:moderate
                                Has exited:false

                                Target ID:7
                                Start time:05:43:08
                                Start date:17/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:8
                                Start time:05:43:08
                                Start date:17/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:false

                                Target ID:9
                                Start time:05:43:08
                                Start date:17/12/2024
                                Path:C:\Windows\SysWOW64\schtasks.exe
                                Wow64 process (32bit):true
                                Commandline:schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\user\AppData\Roaming\Shipping Bill No6239999Dt09122024.PDF.jar"
                                Imagebase:0x3a0000
                                File size:187'904 bytes
                                MD5 hash:48C2FE20575769DE916F48EF0676A965
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Reputation:high
                                Has exited:true

                                Target ID:10
                                Start time:05:43:12
                                Start date:17/12/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):true
                                Commandline:cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
                                Imagebase:0x790000
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:11
                                Start time:05:43:12
                                Start date:17/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:12
                                Start time:05:43:12
                                Start date:17/12/2024
                                Path:C:\Windows\SysWOW64\wbem\WMIC.exe
                                Wow64 process (32bit):true
                                Commandline:wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
                                Imagebase:0xa30000
                                File size:427'008 bytes
                                MD5 hash:E2DE6500DE1148C7F6027AD50AC8B891
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:13
                                Start time:05:43:14
                                Start date:17/12/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):true
                                Commandline:cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
                                Imagebase:0x790000
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:14
                                Start time:05:43:14
                                Start date:17/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:15
                                Start time:05:43:14
                                Start date:17/12/2024
                                Path:C:\Windows\SysWOW64\wbem\WMIC.exe
                                Wow64 process (32bit):true
                                Commandline:wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
                                Imagebase:0xa30000
                                File size:427'008 bytes
                                MD5 hash:E2DE6500DE1148C7F6027AD50AC8B891
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:16
                                Start time:05:43:15
                                Start date:17/12/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):true
                                Commandline:cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
                                Imagebase:0x790000
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:17
                                Start time:05:43:15
                                Start date:17/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:18
                                Start time:05:43:15
                                Start date:17/12/2024
                                Path:C:\Windows\SysWOW64\wbem\WMIC.exe
                                Wow64 process (32bit):true
                                Commandline:wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
                                Imagebase:0xa30000
                                File size:427'008 bytes
                                MD5 hash:E2DE6500DE1148C7F6027AD50AC8B891
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:19
                                Start time:05:43:16
                                Start date:17/12/2024
                                Path:C:\Windows\SysWOW64\cmd.exe
                                Wow64 process (32bit):true
                                Commandline:cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list"
                                Imagebase:0x790000
                                File size:236'544 bytes
                                MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:20
                                Start time:05:43:16
                                Start date:17/12/2024
                                Path:C:\Windows\System32\conhost.exe
                                Wow64 process (32bit):false
                                Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                Imagebase:0x7ff6d64d0000
                                File size:862'208 bytes
                                MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:21
                                Start time:05:43:16
                                Start date:17/12/2024
                                Path:C:\Windows\SysWOW64\wbem\WMIC.exe
                                Wow64 process (32bit):true
                                Commandline:wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list
                                Imagebase:0xa30000
                                File size:427'008 bytes
                                MD5 hash:E2DE6500DE1148C7F6027AD50AC8B891
                                Has elevated privileges:true
                                Has administrator privileges:true
                                Programmed in:C, C++ or other language
                                Has exited:true

                                Target ID:22
                                Start time:05:43:19
                                Start date:17/12/2024
                                Path:C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\Shipping Bill No6239999Dt09122024.PDF.jar"
                                Imagebase:0xf50000
                                File size:257'664 bytes
                                MD5 hash:6E0F4F812AE02FBCB744A929E74A04B8
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_STRRAT, Description: Yara detected STRRAT, Source: 00000016.00000002.3316729535.0000000009D68000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CaesiumObfuscator, Description: Yara detected Caesium Obfuscator, Source: 00000016.00000002.3316729535.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CaesiumObfuscator, Description: Yara detected Caesium Obfuscator, Source: 00000016.00000003.2216760867.0000000000CD5000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CaesiumObfuscator, Description: Yara detected Caesium Obfuscator, Source: 00000016.00000002.3316729535.0000000009D97000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                Has exited:false

                                Target ID:24
                                Start time:05:43:27
                                Start date:17/12/2024
                                Path:C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\Shipping Bill No6239999Dt09122024.PDF.jar"
                                Imagebase:0xf50000
                                File size:257'664 bytes
                                MD5 hash:6E0F4F812AE02FBCB744A929E74A04B8
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_CaesiumObfuscator, Description: Yara detected Caesium Obfuscator, Source: 00000018.00000002.3316810938.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_STRRAT, Description: Yara detected STRRAT, Source: 00000018.00000002.3316810938.0000000009D68000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CaesiumObfuscator, Description: Yara detected Caesium Obfuscator, Source: 00000018.00000002.3316810938.0000000009D97000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                Has exited:false

                                Target ID:25
                                Start time:05:43:35
                                Start date:17/12/2024
                                Path:C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\Shipping Bill No6239999Dt09122024.PDF.jar"
                                Imagebase:0xf50000
                                File size:257'664 bytes
                                MD5 hash:6E0F4F812AE02FBCB744A929E74A04B8
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_CaesiumObfuscator, Description: Yara detected Caesium Obfuscator, Source: 00000019.00000002.3317184580.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CaesiumObfuscator, Description: Yara detected Caesium Obfuscator, Source: 00000019.00000002.3317184580.0000000009D97000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_STRRAT, Description: Yara detected STRRAT, Source: 00000019.00000002.3317184580.0000000009D68000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                Has exited:false

                                Target ID:26
                                Start time:05:43:44
                                Start date:17/12/2024
                                Path:C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
                                Wow64 process (32bit):true
                                Commandline:"C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Shipping Bill No6239999Dt09122024.PDF.jar"
                                Imagebase:0xf50000
                                File size:257'664 bytes
                                MD5 hash:6E0F4F812AE02FBCB744A929E74A04B8
                                Has elevated privileges:false
                                Has administrator privileges:false
                                Programmed in:C, C++ or other language
                                Yara matches:
                                • Rule: JoeSecurity_STRRAT, Description: Yara detected STRRAT, Source: 0000001A.00000002.3316526296.0000000009F68000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CaesiumObfuscator, Description: Yara detected Caesium Obfuscator, Source: 0000001A.00000003.2460344060.0000000000E16000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CaesiumObfuscator, Description: Yara detected Caesium Obfuscator, Source: 0000001A.00000002.3316526296.0000000009F98000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                • Rule: JoeSecurity_CaesiumObfuscator, Description: Yara detected Caesium Obfuscator, Source: 0000001A.00000002.3316526296.000000000A029000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                Has exited:false


                                  Execution Graph

                                  Execution Coverage:0.9%
                                  Dynamic/Decrypted Code Coverage:100%
                                  Signature Coverage:0%
                                  Total number of Nodes:3
                                  Total number of Limit Nodes:0
                                  execution_graph 8097 21e0672 8098 21e06a5 KiUserExceptionDispatcher 8097->8098 8100 21e06d7 8098->8100

                                  Control-flow Graph

                                  APIs
                                  • KiUserExceptionDispatcher.NTDLL ref: 021E06D5
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2107042717.00000000021E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_21e0000_java.jbxd
                                  Similarity
                                  • API ID: DispatcherExceptionUser
                                  • String ID:
                                  • API String ID: 6842923-0

                                  Control-flow Graph

                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2107042717.00000000021E2000.00000040.00000800.00020000.00000000.sdmp, Offset: 021E2000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_21e2000_java.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:

                                  Control-flow Graph

                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2107042717.00000000021E2000.00000040.00000800.00020000.00000000.sdmp, Offset: 021E2000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_21e2000_java.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e4402f4c1c5f2dd45f8578a9dbc545213e0c8ba10e55e5048faaf251a72602ae
                                  • Instruction ID: 33c103c73245fede51db848b2142dfaa5ccfb635eead07a989f64b113d73ae80
                                  • Opcode Fuzzy Hash: e4402f4c1c5f2dd45f8578a9dbc545213e0c8ba10e55e5048faaf251a72602ae
                                  • Instruction Fuzzy Hash: C471FE71644A41DFDB18CF24D994BAAFBB9FF49314F08819DD81A9B381C774A884CF91

                                  Control-flow Graph (first basic block 22f7b67-22f7b81)
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2107042717.0000000002285000.00000040.00000800.00020000.00000000.sdmp, Offset: 02285000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_2285000_java.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 95e43ab90e2c461f2ef4e88d3635a85ee1f5027ca04c813a2091dceb1be51ef0
                                  • Instruction ID: 28e19840458a35ed2d7d307106fcc9c8e73cee55c6ad7dc33f3afd875ae55e18
                                  • Opcode Fuzzy Hash: 95e43ab90e2c461f2ef4e88d3635a85ee1f5027ca04c813a2091dceb1be51ef0
                                  • Instruction Fuzzy Hash: 1B3131B0918746AFE755CF64C5487A9FBB0FF42308F0881BDC94897380E734A858CB81

                                  Control-flow Graph (first basic block 21f4ccd-21f4ce9)
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2107042717.00000000021E2000.00000040.00000800.00020000.00000000.sdmp, Offset: 021E2000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_21e2000_java.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 6f6acc7258fe9bdf55fd54c8192370878f92f356b3ea4c73cb87c9bb086e6028
                                  • Instruction ID: 515f71cc6007b7eda36be4de2650d0d67c87f2405d47482c2b6a6d84f374f959
                                  • Opcode Fuzzy Hash: 6f6acc7258fe9bdf55fd54c8192370878f92f356b3ea4c73cb87c9bb086e6028
                                  • Instruction Fuzzy Hash: D4F0BCB5900A06EBEB15CF60C4047EAF7B4BB88704F05420AD42C63710C378B829CBD0

                                  Control-flow Graph (first basic block 21f4b78-21f4b93)
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2107042717.00000000021E2000.00000040.00000800.00020000.00000000.sdmp, Offset: 021E2000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_21e2000_java.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 28d96e2673f9a49e3e620486feeee5c50bce069ec6dc6cc610890b8a5e8ccd83
                                  • Instruction ID: 93ae0c4b5b2707d0a43ae9508810564f7cac32857ca0e9ea783d29f633df72e3
                                  • Opcode Fuzzy Hash: 28d96e2673f9a49e3e620486feeee5c50bce069ec6dc6cc610890b8a5e8ccd83
                                  • Instruction Fuzzy Hash: F5F07FB5904A06EBDB158F61C4047DAFBB4FB88718F15421AD42C67750D778B4658BC0

                                  Control-flow Graph (first basic block 21eec1c-21eec36)
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2107042717.00000000021E2000.00000040.00000800.00020000.00000000.sdmp, Offset: 021E2000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_21e2000_java.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: f9cf13c5f0af17542948d67fd709994989a3e1192f98bb7130dee8e8d80da46f
                                  • Instruction ID: 4951fd54e4654d78262255a8d8a28cd118b918c95a8aff145fe059737a1adbe2
                                  • Opcode Fuzzy Hash: f9cf13c5f0af17542948d67fd709994989a3e1192f98bb7130dee8e8d80da46f
                                  • Instruction Fuzzy Hash: CCF092B5904A06EBDB15CF65C4047DAFBB4BB88714F15421AC42C67750D778B469CBC0

                                  Control-flow Graph (first basic block 21eda35-21eda4f)
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2107042717.00000000021E2000.00000040.00000800.00020000.00000000.sdmp, Offset: 021E2000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_21e2000_java.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 2be9648f54ae2962a50832f3bb125c0444b9bd5e5e7fa4fcae0e7d14fe9fad62
                                  • Instruction ID: 5e4248139713d00810672f45d9035cebdabeeb2e6c821ffac3eb9bbbd682fe75
                                  • Opcode Fuzzy Hash: 2be9648f54ae2962a50832f3bb125c0444b9bd5e5e7fa4fcae0e7d14fe9fad62
                                  • Instruction Fuzzy Hash: 9CF0C2B6D00A0AEBDB248F61C4047DAFBB5BB48714F15421AC42C63710D378B465CBC0

                                  Control-flow Graph (first basic block 21f49aa-21f49c4)
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2107042717.00000000021E2000.00000040.00000800.00020000.00000000.sdmp, Offset: 021E2000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_21e2000_java.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 36aa873315dac6622d9c4172415655903896bdf9bc31f53e326498dc9e2bb54e
                                  • Instruction ID: 124faf879e5fee81b8c61a7b20cbed7dc42663c171b9aed890cb1616acd5b541
                                  • Opcode Fuzzy Hash: 36aa873315dac6622d9c4172415655903896bdf9bc31f53e326498dc9e2bb54e
                                  • Instruction Fuzzy Hash: 46F0CAB6D00A0AABDB248FA1C4047CAFBB4BB88714F15421AC42C67720D3B8B469CBC0

                                  Control-flow Graph (first basic block 21ede6e-21ede88)
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2107042717.00000000021E2000.00000040.00000800.00020000.00000000.sdmp, Offset: 021E2000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_21e2000_java.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 685f6a71e2b85ff15fd6e54e3fdf508a7c54429eef657d3d55f4db938ac674e9
                                  • Instruction ID: 2610b27d0a20b94a37a2273633eb8086520f3b164aa8a96ea010233188dd71bf
                                  • Opcode Fuzzy Hash: 685f6a71e2b85ff15fd6e54e3fdf508a7c54429eef657d3d55f4db938ac674e9
                                  • Instruction Fuzzy Hash: 53F0CAB6D00A0AABDB248F61C4047CAFBB5BB88714F15421AC42C63720C7B8B469CBC0

                                  Control-flow Graph (first basic block 21f3c76-21f3c90)
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2107042717.00000000021E2000.00000040.00000800.00020000.00000000.sdmp, Offset: 021E2000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_21e2000_java.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 823b6fa0f2a9f8a916f2c76600e972e903eae10390c33d59b379a6fcb42fd4aa
                                  • Instruction ID: 5b2795097cc251768c5213f67005134bf12bd1c9559dacd8cf82ff311e747589
                                  • Opcode Fuzzy Hash: 823b6fa0f2a9f8a916f2c76600e972e903eae10390c33d59b379a6fcb42fd4aa
                                  • Instruction Fuzzy Hash: EEF0C2B6D00A0AABDB248F61C4047CAFBB5BB48714F15421AC42C67710D378B465CBC0

                                  Control-flow Graph (first basic block 21f45e9-21f4603)
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2107042717.00000000021E2000.00000040.00000800.00020000.00000000.sdmp, Offset: 021E2000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_21e2000_java.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 039a22a69f489da6245c06ab397d7d258550831d4bf2f1d62b69ab7d5270fedc
                                  • Instruction ID: 9049d6b93b5464bb1f199c09edb6acfe169c86eb71b83cadd22ab182030bd468
                                  • Opcode Fuzzy Hash: 039a22a69f489da6245c06ab397d7d258550831d4bf2f1d62b69ab7d5270fedc
                                  • Instruction Fuzzy Hash: 3FF0C2B6D00A0AABDB248F61C4047CAFBB5BB48714F15421AC52C63710D3B8B465CBC0

                                  Control-flow Graph (first basic block 21f4ef4-21f4f0d)
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2107042717.00000000021E2000.00000040.00000800.00020000.00000000.sdmp, Offset: 021E2000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_21e2000_java.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a521827c4c3758a88c9df7e976ba2aa992454c943d6c7b392191d35d415b2f2d
                                  • Instruction ID: 6a216791711135957e80c3d23f76882af4568a0fd46c8165e5a53ce2f70f4e66
                                  • Opcode Fuzzy Hash: a521827c4c3758a88c9df7e976ba2aa992454c943d6c7b392191d35d415b2f2d
                                  • Instruction Fuzzy Hash: A6F0CAB6D00A0AABDB24CF61C10438AFBB1BB88B18F15421AC42C63710C3B8B865CBC0
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2107042717.00000000021E0000.00000040.00000800.00020000.00000000.sdmp, Offset: 021E0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_21e0000_java.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: a012a9fb5cf5d9e1554885d89a3030425dd9bcc3e3bcfa4e280c99466c7885fc
                                  • Instruction ID: 281e8255bd7316724eb123ad34e054553762004790f6efe5bfe8cd266bce9a8d
                                  • Opcode Fuzzy Hash: a012a9fb5cf5d9e1554885d89a3030425dd9bcc3e3bcfa4e280c99466c7885fc
                                  • Instruction Fuzzy Hash: 0D21C4BA5442568FDF358F198C403D9B7A5EB58314F21482EEECAA7710D3306A898B51
                                  Memory Dump Source
                                  • Source File: 00000002.00000002.2107042717.0000000002285000.00000040.00000800.00020000.00000000.sdmp, Offset: 02285000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_2_2_2285000_java.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 35cfca38a64c3ff3937ba3edcbc8bb1544487143f9c1f7a554a90dce2bed6829
                                  • Instruction ID: d80f39aca5c87c5e874190d0985c3c095158185e79a5596655d3cef11b0c67d0
                                  • Opcode Fuzzy Hash: 35cfca38a64c3ff3937ba3edcbc8bb1544487143f9c1f7a554a90dce2bed6829
                                  • Instruction Fuzzy Hash: FCF01EA240E3C18FC3039B348C366813F704E63205B2E45EBD081DF0E3E25A4A6AD322
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3313239856.0000000002694000.00000040.00000800.00020000.00000000.sdmp, Offset: 02694000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_2694000_java.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 4debf801f5538d6f2086f7deff882ceba787b860b22c621c9e505c8d2f607fc3
                                  • Instruction ID: 9176f4e15f67df4142a1caaa61237fcbdfce40ecae56192904f42147265d2708
                                  • Opcode Fuzzy Hash: 4debf801f5538d6f2086f7deff882ceba787b860b22c621c9e505c8d2f607fc3
                                  • Instruction Fuzzy Hash: 11D12C71A09340CFCB14DF28C19062ABBF6FF89314F65896EE4899B355DB35E842CB85
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3313239856.00000000025F2000.00000040.00000800.00020000.00000000.sdmp, Offset: 025F2000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_25f2000_java.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b5bb82079d9e6eb367caf1ff0f16426c61008afe04fc178084c85e7a07c5d032
                                  • Instruction ID: 2cd2da288057e10f646a3d7a716e9666a4d46c2790ec94d76eaf96e2275216d6
                                  • Opcode Fuzzy Hash: b5bb82079d9e6eb367caf1ff0f16426c61008afe04fc178084c85e7a07c5d032
                                  • Instruction Fuzzy Hash: 828101B5A06601DFDB98CF24C594BA9FBB1FF49314F08819DCA1A4B381DB34A844CF99
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3313239856.00000000025F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_25f0000_java.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ed75e148c468f5adb501353e2aad55fe9f6ba1d7e63b2f06930a3a0182af5efc
                                  • Instruction ID: ebf06449e9b170535c69a169433d540cff984b6a350fb2dad1e2fea236cd3d09
                                  • Opcode Fuzzy Hash: ed75e148c468f5adb501353e2aad55fe9f6ba1d7e63b2f06930a3a0182af5efc
                                  • Instruction Fuzzy Hash: 1C118BB2D0122ACFCF54DF48C4814AEF7B0FB88314F9A8565DD65A338AE3346920CB84
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3313239856.00000000025F0000.00000040.00000800.00020000.00000000.sdmp, Offset: 025F0000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_25f0000_java.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 3a88776f8235f6b0c93d982b0301c995d4e8eee1a694dd39eb109f49dc123123
                                  • Instruction ID: 9561e824dc2d31e313b4523dabf61d30761a7535411fa4f4abcfd29d0c84303b
                                  • Opcode Fuzzy Hash: 3a88776f8235f6b0c93d982b0301c995d4e8eee1a694dd39eb109f49dc123123
                                  • Instruction Fuzzy Hash: 73F01576C00269DB8B54DF48C4400ADBBB1FB04218B2E8496DD2937282D332AD62CF85
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3313239856.00000000025F2000.00000040.00000800.00020000.00000000.sdmp, Offset: 025F2000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_25f2000_java.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: e187c82ed45c78622e4dd3988438db360b90e7f3fa8f38634429e9d56270929f
                                  • Instruction ID: ad3471e21e0487ea14f16b944a1f0e74d13a5b004bc2722b4bbbc225c309ebd6
                                  • Opcode Fuzzy Hash: e187c82ed45c78622e4dd3988438db360b90e7f3fa8f38634429e9d56270929f
                                  • Instruction Fuzzy Hash: 06F0DFB5900A06EBDB158F21C0047DAFBB4FB88718F04421AC42C53350C778B4258BC0
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3313239856.00000000025F2000.00000040.00000800.00020000.00000000.sdmp, Offset: 025F2000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_25f2000_java.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 52ffe016053e153dc7b789a788ed1f45b21f27d7c31c34435a8f1ea0b5138847
                                  • Instruction ID: a2df857ce0f484a91f81c7bafe6ab7f78a9ccb930144d15e92544e86f430023b
                                  • Opcode Fuzzy Hash: 52ffe016053e153dc7b789a788ed1f45b21f27d7c31c34435a8f1ea0b5138847
                                  • Instruction Fuzzy Hash: 34F09BBAA04A16EBDB65CF65C4047CAFBB4BB88714F18421AC52C67750D778B469CBC0
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3313239856.00000000025F2000.00000040.00000800.00020000.00000000.sdmp, Offset: 025F2000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_25f2000_java.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 559e9b7c3bd7af2f0a06b3c3e54564f3c9cd4e63e584fdabfae50a26364f8f23
                                  • Instruction ID: 9dead9c361f08cdb1bbceb8603c74497909b3ec64f0e09e92cc3feccc07fbcef
                                  • Opcode Fuzzy Hash: 559e9b7c3bd7af2f0a06b3c3e54564f3c9cd4e63e584fdabfae50a26364f8f23
                                  • Instruction Fuzzy Hash: 15F0CAB6D00A0AEBDB648F61C4047DAFBB5BB88714F18421AC52C63760D378B469CBC0
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3313239856.00000000025F2000.00000040.00000800.00020000.00000000.sdmp, Offset: 025F2000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_25f2000_java.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 84d0567c5e068ed5f19ada4ea555e135f1697db72c7645de366639d52a3c685c
                                  • Instruction ID: 3bc7f4be36d6e3e38f783f7d9b9aef4484d7bff0f291d9b27db51ca64f03c7ae
                                  • Opcode Fuzzy Hash: 84d0567c5e068ed5f19ada4ea555e135f1697db72c7645de366639d52a3c685c
                                  • Instruction Fuzzy Hash: B2F0CAB6D00A0AABDB648F61C4047CAFBB4BB88714F18421AC52C67760D378B469CBC0
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3313239856.00000000025F2000.00000040.00000800.00020000.00000000.sdmp, Offset: 025F2000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_25f2000_java.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 871014fae8ec2739e35e9fc2ccde755733df6eeeb17649caab616a8414328bb2
                                  • Instruction ID: d9340c744d9a2f7c9476f542fa81d41203450647dfe931f8f796c8caac2d5bf2
                                  • Opcode Fuzzy Hash: 871014fae8ec2739e35e9fc2ccde755733df6eeeb17649caab616a8414328bb2
                                  • Instruction Fuzzy Hash: ADF0CAB6D00A0AABDB648F61C4047CAFBB4BB88718F18421AC52C67760D378B469CBC0
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3313239856.00000000025F2000.00000040.00000800.00020000.00000000.sdmp, Offset: 025F2000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_25f2000_java.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 0ad844c91e7822a7d9fdd7881f9d3f6255bdf03f0b88616460f7ac0d4e5be3f5
                                  • Instruction ID: 1363e50b45b7523b40b5594af42cd6b2d04ff7b3c7b36a6ab5168c9c7069cb6c
                                  • Opcode Fuzzy Hash: 0ad844c91e7822a7d9fdd7881f9d3f6255bdf03f0b88616460f7ac0d4e5be3f5
                                  • Instruction Fuzzy Hash: C1F0C2B6D00A0AABDB648F61C4047CAFBB5BB48714F18421AC52C63750D378B465CBC0
                                  Memory Dump Source
                                  • Source File: 00000006.00000002.3313239856.00000000025F2000.00000040.00000800.00020000.00000000.sdmp, Offset: 025F2000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_6_2_25f2000_java.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 55068363a179808ff8adbda808d647f0594cc1ebda3e1186bc16dd0167e864f3
                                  • Instruction ID: 0827f331b216591348247f47d7ce42546f67b20de73b84a1ba562fca4cd2f0bd
                                  • Opcode Fuzzy Hash: 55068363a179808ff8adbda808d647f0594cc1ebda3e1186bc16dd0167e864f3
                                  • Instruction Fuzzy Hash: B3F0CAB6D00A0AABDB64CF61C10438AFBB0BB88B18F18421AC52C63750C378B865CBC0
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3313036391.0000000002732000.00000040.00000800.00020000.00000000.sdmp, Offset: 02732000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_2732000_javaw.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: c8939b551eb31f18e8cf572139624a43387a764828dd2e0d7bd4f8844f4da222
                                  • Instruction ID: ca97aee1c25a36fc1f4ecf69559d48bc9c4916d962da7515196e0379439bf4f3
                                  • Opcode Fuzzy Hash: c8939b551eb31f18e8cf572139624a43387a764828dd2e0d7bd4f8844f4da222
                                  • Instruction Fuzzy Hash: 8681F2B5A05601DFDB2ACF24C598BA9FBB1FF49314F08819DC81A5B382DB74A844CF91
                                  Memory Dump Source
                                  • Source File: 00000016.00000002.3313036391.0000000002730000.00000040.00000800.00020000.00000000.sdmp, Offset: 02730000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_22_2_2730000_javaw.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ed75e148c468f5adb501353e2aad55fe9f6ba1d7e63b2f06930a3a0182af5efc
                                  • Instruction ID: 74084ed7ab7207d03c4f7ac0f829dea3bd270ce8b33f161845c955d4d78331ef
                                  • Opcode Fuzzy Hash: ed75e148c468f5adb501353e2aad55fe9f6ba1d7e63b2f06930a3a0182af5efc
                                  • Instruction Fuzzy Hash: 8E115BB6D0122ADFCF29CF48C8854ADB7B0FB98314F564525DC65A3346D3346920CB91
                                  Memory Dump Source
                                  Memory Dump Source
                                  • Source File: 0000001A.00000002.3312918244.00000000028C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C2000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_26_2_28c2000_javaw.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 182bccd8c9c713b3bec344db8028b2b00879d269a8631275f96fe9df8ddf0c19
                                  • Instruction ID: a83a1bc5f02da96b6cd0ac5a3add2e250b986e019799d62339c81d3b2cdbcfb5
                                  • Opcode Fuzzy Hash: 182bccd8c9c713b3bec344db8028b2b00879d269a8631275f96fe9df8ddf0c19
                                  • Instruction Fuzzy Hash: C8F09BBAA04B16EBDB25CF65C0047CAFBB4BB88714F14421AC42C67750D778B469CBC0
                                  Memory Dump Source
                                  • Source File: 0000001A.00000002.3312918244.00000000028C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C2000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_26_2_28c2000_javaw.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 78cbd87c3ef34f7eb5dc14dbd70cb3a12b68ded4a53b67c3667d1c16b16f913f
                                  • Instruction ID: 7a19851bbb6cc22e1630bf75846d92802e6b19c078ce284d378a6c582be32206
                                  • Opcode Fuzzy Hash: 78cbd87c3ef34f7eb5dc14dbd70cb3a12b68ded4a53b67c3667d1c16b16f913f
                                  • Instruction Fuzzy Hash: 4AF09BBAA04B06EBDB29CF65C0047DAFBB4BB88718F14421AC42C67750D778B469CBC0
                                  Memory Dump Source
                                  • Source File: 0000001A.00000002.3312918244.00000000028C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C2000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_26_2_28c2000_javaw.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: b0c8b92c9f496da88e240a88a9eef6781acb200999e99238a57a524231508324
                                  • Instruction ID: fc04b55e0f64bba9a1e6b23fa557697c5ffbca23f6922a21a9e16ca400445ee9
                                  • Opcode Fuzzy Hash: b0c8b92c9f496da88e240a88a9eef6781acb200999e99238a57a524231508324
                                  • Instruction Fuzzy Hash: FCF0C2B6D00A0AEBDB24CF61C0047DAFBB5BB48714F14421AC42C67710D378B465CBC0
                                  Memory Dump Source
                                  • Source File: 0000001A.00000002.3312918244.00000000028C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C2000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_26_2_28c2000_javaw.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 440f2ae946b10613732737d5257bff69c7165368633b13349eed823f746d2b08
                                  • Instruction ID: de2f105e9fbe4464fed1a277516aa6fde05369295745373ba839139c5d3d420c
                                  • Opcode Fuzzy Hash: 440f2ae946b10613732737d5257bff69c7165368633b13349eed823f746d2b08
                                  • Instruction Fuzzy Hash: E9F0C2B6D00A06EBDB24CF61C0047CAFBB4BB48714F14421AC42C67710D378B465CBC0
                                  Memory Dump Source
                                  • Source File: 0000001A.00000002.3312918244.00000000028C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C2000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_26_2_28c2000_javaw.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 311e6cb6899586dd5d2d04a6ac6354508a1cf4b826b46c9b51154c35b6647575
                                  • Instruction ID: 67d901d4e341c05a7bfaf3466d36d37968cec55c158e204e32f2235e9c672379
                                  • Opcode Fuzzy Hash: 311e6cb6899586dd5d2d04a6ac6354508a1cf4b826b46c9b51154c35b6647575
                                  • Instruction Fuzzy Hash: E1F0C2B6D00A0AEBDB24CF61C0047CAFBB4BB48714F14421AC42C67710D378B465CBC0
                                  Memory Dump Source
                                  • Source File: 0000001A.00000002.3312918244.00000000028C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C2000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_26_2_28c2000_javaw.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: ec45381b56c35e00e9f9a35d0a1b589fa5b7e03c1415b24b11728d618dd5d37c
                                  • Instruction ID: 1779faf48e17536c20584db070fb67a3ff6f007ee18caf0ed7bedb14ac60ded2
                                  • Opcode Fuzzy Hash: ec45381b56c35e00e9f9a35d0a1b589fa5b7e03c1415b24b11728d618dd5d37c
                                  • Instruction Fuzzy Hash: AEF0C2B6D00A0AEBDB24CF61C0047CAFBB5BB48714F14421AC52C67710D378B465CBC0
                                  Memory Dump Source
                                  • Source File: 0000001A.00000002.3312918244.00000000028C2000.00000040.00000800.00020000.00000000.sdmp, Offset: 028C2000, based on PE: false
                                  Joe Sandbox IDA Plugin
                                  • Snapshot File: hcaresult_26_2_28c2000_javaw.jbxd
                                  Similarity
                                  • API ID:
                                  • String ID:
                                  • API String ID:
                                  • Opcode ID: 576eeb1ab5625e4a739d496e2c81af9bf5b1be414feb191b87d517d68fcebfb2
                                  • Instruction ID: f591a8eee4aa6c861b61c7c60743ecf1118c0900d39be0c9137ccbbcdf7856c8
                                  • Opcode Fuzzy Hash: 576eeb1ab5625e4a739d496e2c81af9bf5b1be414feb191b87d517d68fcebfb2
                                  • Instruction Fuzzy Hash: F0F0CABAD00A0AEBDB24CF61C10478AFBB0BB88B18F14421AC42C67710C378B865CBC0