Windows Analysis Report
RICHIESTA-QUOTAZIONI.jar

Overview

General Information

Sample name: RICHIESTA-QUOTAZIONI.jar
Analysis ID: 1430749
MD5: 0d46ea03546bc6a9760d3ef9f15e84e7
SHA1: 3ee2e6f7ccf50b4be839d71376ba5fea8dde8acd
SHA256: 6da5b5cc7e2e2f07562156216d39aa49ed6fa30273b7669605ef78e4dc1be367
Tags: jar, RAT, STRRAT

Detection

STRRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic
Yara detected STRRAT
Creates autostart registry keys to launch java
Creates autostart registry keys with suspicious names
Exploit detected, runtime environment starts unknown processes
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Sigma detected: Suspicious Startup Folder Persistence
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AllatoriJARObfuscator
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to detect virtual machines (SLDT)
Contains functionality to query CPU information (cpuid)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Found inlined nop instructions (likely shell or obfuscated code)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
Java Jar is obfuscated using Allatori
Launches a Java Jar file from a suspicious file location
May check the online IP address of the machine
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Shell Process Spawned by Java.EXE
Sigma detected: Startup Folder File Write
Sigma detected: Suspicious Schtasks From Env Var Folder
Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification
Stores files to the Windows start menu directory
Uses a known web browser user agent for HTTP communication
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

AV Detection

Source: http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5 URL Reputation: Label: malware
Source: http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5Cj Avira URL Cloud: Label: malware
Source: http://jbfrost.live/strigoi/server/?hwid Avira URL Cloud: Label: malware
Source: RICHIESTA-QUOTAZIONI.jar Malware Configuration Extractor: STRRAT {"C2 list": "elastsolek21.duckdns.org:4781", "url": "http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5", "Proxy": "zekeriyasolek45.duckdns.org:4781", "lid": "WFC9-W4KB-388F-9KY1-S6JV", "Startup": "true", "Secondary Startup": "true", "Scheduled Task": "true"}
Source: elastsolek21.duckdns.org Virustotal: Detection: 11%
Source: RICHIESTA-QUOTAZIONI.jar ReversingLabs: Detection: 18%
Source: RICHIESTA-QUOTAZIONI.jar Virustotal: Detection: 17%
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe File opened: C:\Users\user\AppData\
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe File opened: C:\Users\user\AppData\Roaming\
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe File opened: C:\Users\user\
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\

Software Vulnerabilities

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\cmd.exe
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 4x nop then cmp eax, dword ptr [ecx+04h] 7_2_022B38CC

Networking

Source: Traffic Snort IDS: 2030358 ET TROJAN STRRAT CnC Checkin 192.168.2.4:49730 -> 107.172.148.197:4781
Source: unknown DNS query: name: elastsolek21.duckdns.org
Source: global traffic TCP traffic: 192.168.2.4:49730 -> 107.172.148.197:4781
Source: Joe Sandbox View IP Address: 208.95.112.1
Source: Joe Sandbox View IP Address: 107.172.148.197
Source: Joe Sandbox View ASN Name: AS-COLOCROSSINGUS
Source: unknown DNS query: name: ip-api.com
Source: global traffic HTTP traffic detected: GET /json/ HTTP/1.1  Host: ip-api.com  User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36  Connection: close
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown DNS traffic detected: queries for: elastsolek21.duckdns.org
Source: java.exe, 00000002.00000002.1782413352.000000000A1F8000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.0000000009994000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2985865794.0000000009993000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2985412359.000000000A593000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://bugreport.sun.com/bugreport/
Source: java.exe, 00000002.00000002.1782413352.000000000A355000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.1776760705.0000000005127000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.00000000099F9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.0000000009998000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2985865794.00000000099F8000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2985865794.0000000009997000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2985412359.000000000A5F8000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2985412359.000000000A597000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
Source: java.exe, 00000002.00000002.1782413352.000000000A250000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.1786567624.0000000015688000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.1782413352.000000000A355000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1829703245.0000000014ECD000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.0000000009998000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.3003604185.0000000014ED4000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.1851754217.0000000014F21000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.1852198405.0000000014F28000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.1852746345.0000000014F39000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2985865794.0000000009997000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.3007651577.0000000014F40000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000017.00000003.1910324996.0000000015BAB000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.3007017298.0000000015BB2000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2985412359.000000000A597000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000018.00000002.3006783753.00000000150CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: java.exe, 00000002.00000002.1782413352.000000000A250000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.1782413352.000000000A355000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.1776760705.0000000005127000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.00000000099F9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.0000000009998000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2985865794.00000000099F8000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2985865794.0000000009997000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2985412359.000000000A5F8000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2985412359.000000000A597000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt
Source: java.exe, 00000002.00000002.1782413352.000000000A250000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.0000000009968000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2985865794.0000000009968000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2985412359.000000000A568000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: java.exe, 00000002.00000002.1782413352.000000000A355000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt1HH
Source: java.exe, 00000002.00000002.1782413352.000000000A355000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.1776760705.0000000005127000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.00000000099F9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.0000000009998000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2985865794.00000000099F8000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2985865794.0000000009997000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2985412359.000000000A5F8000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2985412359.000000000A597000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
Source: java.exe, 00000002.00000002.1782413352.000000000A250000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.1782413352.000000000A355000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.0000000009998000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2985865794.0000000009997000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2985412359.000000000A597000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: java.exe, 00000002.00000002.1782413352.000000000A355000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.1776760705.0000000005127000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.0000000009A02000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.0000000009998000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2985865794.0000000009A02000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2985865794.0000000009997000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2985412359.000000000A602000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2985412359.000000000A597000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
Source: java.exe, 00000002.00000002.1782413352.000000000A250000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.1786567624.0000000015688000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.1782413352.000000000A355000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1829703245.0000000014ECD000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.0000000009998000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.3003604185.0000000014ED4000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.1851754217.0000000014F21000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.1852198405.0000000014F28000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.1852746345.0000000014F39000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2985865794.0000000009997000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.3007651577.0000000014F40000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000017.00000003.1910324996.0000000015BAB000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.3007017298.0000000015BB2000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2985412359.000000000A597000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000018.00000002.3006783753.00000000150CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: java.exe, 00000002.00000002.1776760705.0000000005127000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crls
Source: java.exe, 00000002.00000002.1782413352.000000000A250000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.0000000009A02000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.0000000009998000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2985865794.0000000009A02000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2985865794.0000000009997000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2985412359.000000000A602000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2985412359.000000000A597000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl
Source: java.exe, 00000002.00000002.1782413352.000000000A250000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.0000000009998000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.0000000009968000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2985865794.0000000009968000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2985865794.0000000009997000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2985412359.000000000A568000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2985412359.000000000A597000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: java.exe, 00000002.00000002.1782413352.000000000A355000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.1776760705.0000000005127000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.0000000009A09000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.0000000009998000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2985865794.0000000009997000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2985865794.0000000009A08000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2985412359.000000000A608000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2985412359.000000000A597000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000018.00000002.2985944545.0000000009C08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl
Source: java.exe, 00000002.00000002.1782413352.000000000A250000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.1786567624.0000000015688000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.1782413352.000000000A355000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1829703245.0000000014ECD000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.0000000009998000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.3003604185.0000000014ED4000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.1851754217.0000000014F21000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.1852198405.0000000014F28000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.1852746345.0000000014F39000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2985865794.0000000009997000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.3007651577.0000000014F40000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000017.00000003.1910324996.0000000015BAB000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.3007017298.0000000015BB2000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2985412359.000000000A597000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000018.00000002.3006783753.00000000150CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: java.exe, 00000002.00000002.1782413352.000000000A150000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.0000000009998000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2985865794.0000000009997000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2985412359.000000000A597000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://java.oracle.com/
Source: java.exe, 00000002.00000002.1776760705.0000000005038000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.1776760705.0000000004D9F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://jbfrost.live/strigoi/server/?hwid
Source: javaw.exe, 00000018.00000002.2976036777.0000000004983000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5
Source: java.exe, 00000002.00000002.1776760705.000000000504B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5Cj
Source: java.exe, 00000002.00000002.1782413352.000000000A413000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.1787049784.00000000159B2000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.1786567624.00000000154E0000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.3003604185.0000000014EFD000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.0000000009B17000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2975772765.0000000004833000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.3005052322.0000000014AC2000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000017.00000003.1910717611.0000000015B83000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000017.00000003.1910788908.0000000015B9B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2976481957.0000000005434000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.3006909903.0000000015BA2000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://null.oracle.com/
Source: java.exe, 00000002.00000002.1776760705.0000000005127000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.00000000099F9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2985865794.00000000099F8000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2985412359.000000000A5F8000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com
Source: java.exe, 00000002.00000002.1782413352.000000000A250000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.1782413352.000000000A355000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.1776760705.0000000005127000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.0000000009998000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2985865794.0000000009997000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2985412359.000000000A597000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: java.exe, 00000002.00000002.1782413352.000000000A250000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.1786567624.0000000015688000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.1782413352.000000000A355000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.1776760705.0000000005127000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1829703245.0000000014ECD000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.0000000009998000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.3003604185.0000000014ED4000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.1851754217.0000000014F21000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.1852198405.0000000014F28000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.1852746345.0000000014F39000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2985865794.0000000009997000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.3007651577.0000000014F40000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000017.00000003.1910324996.0000000015BAB000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.3007017298.0000000015BB2000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2985412359.000000000A597000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000018.00000002.3006783753.00000000150CC000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: java.exe, 00000002.00000002.1782413352.000000000A250000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.1782413352.000000000A355000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.0000000009998000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.0000000009968000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2985865794.0000000009968000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2985865794.0000000009997000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2985412359.000000000A568000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2985412359.000000000A597000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: java.exe, 00000002.00000002.1776760705.0000000005127000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.comc
Source: java.exe, 00000002.00000002.1782413352.000000000A1E5000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.1782413352.000000000A1F8000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.0000000009963000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.0000000009994000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2985865794.0000000009993000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2985865794.0000000009962000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2985412359.000000000A593000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2985412359.000000000A562000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.allatori.com

System Summary

Source: 00000017.00000002.2985412359.000000000A593000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: 00000017.00000002.2985412359.000000000A562000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: 0000001C.00000002.2985487072.000000000A162000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: 00000002.00000002.1782413352.000000000A1E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: 00000018.00000002.2985944545.0000000009B62000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: 0000001D.00000002.2985937389.0000000009F92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: 00000018.00000002.2985944545.0000000009B93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: 0000000D.00000002.2985865794.0000000009993000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: 0000000D.00000002.2985865794.0000000009962000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: 0000001D.00000002.2985937389.0000000009F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: 00000007.00000002.2984565478.0000000009963000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: 00000002.00000002.1782413352.000000000A1F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: 00000007.00000002.2984565478.0000000009994000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: 0000001C.00000002.2985487072.000000000A193000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: Process Memory Space: java.exe PID: 6644, type: MEMORYSTR Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: Process Memory Space: java.exe PID: 6716, type: MEMORYSTR Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: Process Memory Space: javaw.exe PID: 6164, type: MEMORYSTR Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: Process Memory Space: javaw.exe PID: 7260, type: MEMORYSTR Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: C:\cmdlinestart.log, type: DROPPED Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: 00000017.00000002.2985412359.000000000A593000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
Source: 00000017.00000002.2985412359.000000000A562000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
Source: 0000001C.00000002.2985487072.000000000A162000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
Source: 00000002.00000002.1782413352.000000000A1E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
Source: 00000018.00000002.2985944545.0000000009B62000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
Source: 0000001D.00000002.2985937389.0000000009F92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
Source: 00000018.00000002.2985944545.0000000009B93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
Source: 0000000D.00000002.2985865794.0000000009993000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
Source: 0000000D.00000002.2985865794.0000000009962000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
Source: 0000001D.00000002.2985937389.0000000009F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
Source: 00000007.00000002.2984565478.0000000009963000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
Source: 00000002.00000002.1782413352.000000000A1F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
Source: 00000007.00000002.2984565478.0000000009994000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
Source: 0000001C.00000002.2985487072.000000000A193000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
Source: Process Memory Space: java.exe PID: 6644, type: MEMORYSTR Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
Source: Process Memory Space: java.exe PID: 6716, type: MEMORYSTR Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
Source: Process Memory Space: javaw.exe PID: 6164, type: MEMORYSTR Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
Source: Process Memory Space: javaw.exe PID: 7260, type: MEMORYSTR Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
Source: C:\cmdlinestart.log, type: DROPPED Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
Source: classification engine Classification label: mal100.troj.expl.evad.winJAR@39/12@2/2
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe File created: C:\Users\user\4781lock.file
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7184:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6576:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6696:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6528:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6504:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6284:120:WilError_03
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe File created: C:\Users\user\AppData\Local\Temp\hsperfdata_user
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: RICHIESTA-QUOTAZIONI.jar ReversingLabs: Detection: 18%
Source: RICHIESTA-QUOTAZIONI.jar Virustotal: Detection: 17%
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\RICHIESTA-QUOTAZIONI.jar"" >> C:\cmdlinestart.log 2>&1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\RICHIESTA-QUOTAZIONI.jar"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Windows\SysWOW64\icacls.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\user\AppData\Roaming\RICHIESTA-QUOTAZIONI.jar"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -jar "C:\Users\user\AppData\Roaming\RICHIESTA-QUOTAZIONI.jar"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\user\AppData\Roaming\RICHIESTA-QUOTAZIONI.jar"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
Source: unknown Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\RICHIESTA-QUOTAZIONI.jar"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list
Source: unknown Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\RICHIESTA-QUOTAZIONI.jar"
Source: unknown Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\RICHIESTA-QUOTAZIONI.jar"
Source: unknown Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\RICHIESTA-QUOTAZIONI.jar"
Source: unknown Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RICHIESTA-QUOTAZIONI.jar"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\RICHIESTA-QUOTAZIONI.jar"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\user\AppData\Roaming\RICHIESTA-QUOTAZIONI.jar"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -jar "C:\Users\user\AppData\Roaming\RICHIESTA-QUOTAZIONI.jar"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\user\AppData\Roaming\RICHIESTA-QUOTAZIONI.jar"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: wsock32.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: winmm.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\icacls.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: wsock32.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: winmm.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: fwpuclnt.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: taskschd.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\schtasks.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: wsock32.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: winmm.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: wsock32.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: winmm.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: wsock32.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: winmm.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: wsock32.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: winmm.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: wsock32.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: winmm.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dnsapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Data Obfuscation

Source: Yara match File source: 00000017.00000002.2985412359.000000000A593000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.2985412359.000000000A562000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.2985487072.000000000A162000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1782413352.000000000A1E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2985944545.0000000009B62000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2985937389.0000000009F92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2985944545.0000000009B93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2985865794.0000000009993000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2985865794.0000000009962000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001D.00000002.2985937389.0000000009F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2984565478.0000000009963000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.1782413352.000000000A1F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2984565478.0000000009994000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.2985487072.000000000A193000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: java.exe PID: 6644, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: java.exe PID: 6716, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: javaw.exe PID: 6164, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: javaw.exe PID: 7260, type: MEMORYSTR
Source: Yara match File source: C:\cmdlinestart.log, type: DROPPED
Source: Java tracing Executes: java.io.Writer.write(java.lang.String) on Obfuscation by Allatori Obfuscator v8.7 DEMO ## ## http://www.allatori.com
Source: Java tracing Executes: java.lang.ProcessBuilder(java.lang.String[]) on "c:\program files (x86)\java\jre-1.8\bin\java.exe" -jar "c:\users\user\appdata\roaming\richiesta-quotazioni.jar"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 2_2_02AAC2CD push ecx; retn 0022h 2_2_02AAC382
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 2_2_02AB0788 push cs; ret 2_2_02AB07D1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 2_2_02AAC013 push es; iretd 2_2_02AAC01A
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 2_2_02AAB9DB push es; iretd 2_2_02AAB9DE
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 2_2_02AAB9D6 push es; iretd 2_2_02AAB9DA
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 2_2_02A0D8F7 push 00000000h; mov dword ptr [esp], esp 2_2_02A0D921
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 2_2_02A0A20A push ecx; ret 2_2_02A0A21A
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 2_2_02A0A21B push ecx; ret 2_2_02A0A225
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 2_2_02A0B3B7 push 00000000h; mov dword ptr [esp], esp 2_2_02A0B3DD
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 2_2_02A0BB67 push 00000000h; mov dword ptr [esp], esp 2_2_02A0BB8D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 2_2_02A0D8E0 push 00000000h; mov dword ptr [esp], esp 2_2_02A0D921
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 2_2_02A0B947 push 00000000h; mov dword ptr [esp], esp 2_2_02A0B96D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 2_2_02A0C477 push 00000000h; mov dword ptr [esp], esp 2_2_02A0C49D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 7_2_0220A20A push ecx; ret 7_2_0220A21A
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 7_2_0220A21B push ecx; ret 7_2_0220A225
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 7_2_0220BB67 push 00000000h; mov dword ptr [esp], esp 7_2_0220BB8D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 7_2_0220B3B7 push 00000000h; mov dword ptr [esp], esp 7_2_0220B3DD
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 7_2_0220B947 push 00000000h; mov dword ptr [esp], esp 7_2_0220B96D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 7_2_0220C477 push 00000000h; mov dword ptr [esp], esp 7_2_0220C49D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 7_2_022AD72D push es; retn 0001h 7_2_022AD83F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 7_2_022A9091 push cs; retf 7_2_022A90B1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 7_2_022AF0E0 pushfd ; retf 7_2_022AF0E1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 7_2_022B25C8 push es; retn 0024h 7_2_022B25CB
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 13_2_0239A21B push ecx; ret 13_2_0239A225
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 13_2_0239A20A push ecx; ret 13_2_0239A21A
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 13_2_0239BB67 push 00000000h; mov dword ptr [esp], esp 13_2_0239BB8D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 13_2_0239B3B7 push 00000000h; mov dword ptr [esp], esp 13_2_0239B3DD
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 13_2_0239B947 push 00000000h; mov dword ptr [esp], esp 13_2_0239B96D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 13_2_0239C477 push 00000000h; mov dword ptr [esp], esp 13_2_0239C49D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 23_2_02E5D6EC push es; retn 0001h 23_2_02E5D7FF
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 23_2_02E59091 push cs; retf 23_2_02E590B1

Boot Survival

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run RICHIESTA-QUOTAZIONI "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\RICHIESTA-QUOTAZIONI.jar"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RICHIESTA-QUOTAZIONI
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\user\AppData\Roaming\RICHIESTA-QUOTAZIONI.jar"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RICHIESTA-QUOTAZIONI.jar Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RICHIESTA-QUOTAZIONI.jar Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\RICHIESTA-QUOTAZIONI.jar Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RICHIESTA-QUOTAZIONI Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RICHIESTA-QUOTAZIONI Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run RICHIESTA-QUOTAZIONI Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run RICHIESTA-QUOTAZIONI Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
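The three persistence mechanisms recorded above (a Run value launching javaw.exe -jar on a .jar under the roaming profile, a schtasks task whose action is the bare .jar path, and the same .jar copied into both the per-user and the all-users Startup folder) are straightforward to hunt for in endpoint telemetry. The script below is an added example, not part of the sandbox report: it encodes each mechanism as a check over constructed registry, process and file events whose paths and value names copy the report, plus invented benign entries (an OneDrive Run value, a "Backup" task pointing at an .exe, a desktop.ini in the Startup folder) to show what is not flagged.

```python
import re

# Constructed events modelled on the Boot Survival lines above (not sandbox
# output): two Run-key writes, two schtasks invocations and three Startup-folder
# file creations. Malicious paths and names copy the report; the benign entries
# (OneDrive, Backup, desktop.ini) are invented controls that must not be flagged.
SAMPLE_EVENTS = [
    {"type": "registry",
     "source": r"C:\Program Files (x86)\Java\jre-1.8\bin\java.exe",
     "key": r"HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run",
     "name": "RICHIESTA-QUOTAZIONI",
     "data": r'"C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\RICHIESTA-QUOTAZIONI.jar"'},
    {"type": "registry",
     "source": r"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "key": r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "OneDrive",
     "data": r'"C:\Users\user\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'},
    {"type": "process",
     "cmdline": r'schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\user\AppData\Roaming\RICHIESTA-QUOTAZIONI.jar"'},
    {"type": "process",
     "cmdline": r'schtasks /create /sc daily /tn Backup /tr "C:\Program Files\Backup\backup.exe"'},
    {"type": "file",
     "path": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RICHIESTA-QUOTAZIONI.jar"},
    {"type": "file",
     "path": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\RICHIESTA-QUOTAZIONI.jar"},
    {"type": "file",
     "path": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini"},
]

RUN_KEY_RE = re.compile(r"\\Microsoft\\Windows\\CurrentVersion\\Run$", re.I)
# "<java|javaw>.exe" -jar "<path>.jar"  (quotes optional around either part)
JAR_LAUNCH_RE = re.compile(r'javaw?\.exe"?\s+-jar\s+"?(.+?\.jar)"?(?=\s|$)', re.I)
TASK_NAME_RE = re.compile(r'/tn\s+(?:"([^"]+)"|(\S+))', re.I)
TASK_RUN_RE = re.compile(r'/tr\s+(?:"([^"]+)"|(\S+))', re.I)
STARTUP_DIR = "\\start menu\\programs\\startup\\"
# Directories a standard user can write to. The check looks at the .jar path,
# not at the javaw.exe launcher, which legitimately lives under Program Files.
USER_WRITABLE = ("\\appdata\\roaming\\", "\\appdata\\local\\", "\\programdata\\", "\\users\\public\\")


def _token(m):
    """Return the quoted or bare token captured by TASK_NAME_RE / TASK_RUN_RE."""
    return m.group(1) if m.group(1) is not None else m.group(2)


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def check_registry(ev):
    """Run value whose data is javaw -jar on a .jar in a user-writable directory."""
    if not RUN_KEY_RE.search(ev["key"]):
        return None
    m = JAR_LAUNCH_RE.search(ev["data"])
    if m is None or not any(d in m.group(1).lower() for d in USER_WRITABLE):
        return None
    return {"rule": "run_key_java_jar",
            "detail": f'{ev["name"]} -> {m.group(1)} (written by {_basename(ev["source"])})'}


def check_schtasks(ev):
    """schtasks /create whose action (/tr) is a .jar rather than an executable."""
    cmd = ev["cmdline"]
    if not re.search(r"\bschtasks(?:\.exe)?\s+/create\b", cmd, re.I):
        return None
    tr = TASK_RUN_RE.search(cmd)
    if tr is None or not _token(tr).lower().endswith(".jar"):
        return None
    tn = TASK_NAME_RE.search(cmd)
    return {"rule": "schtasks_jar_action",
            "detail": f'task {_token(tn) if tn else "?"} -> {_token(tr)}'}


def check_startup_file(ev):
    """A .jar written into a per-user or all-users Startup folder."""
    low = ev["path"].lower()
    if STARTUP_DIR in low and low.endswith(".jar"):
        return {"rule": "startup_folder_jar", "detail": ev["path"]}
    return None


CHECKS = {"registry": check_registry, "process": check_schtasks, "file": check_startup_file}


def hunt(events):
    """Apply the check matching each event's type; return the findings in input order."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev["type"])
        finding = check(ev) if check else None
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f'{f["rule"]:20} {f["detail"]}')
```

The HKEY_CURRENT_USER lines in the report carry no value data, so on telemetry that only records the key and value name the first check cannot fire; in that case the writer being java.exe rather than an installer is the signal to key on, which is why the finding also names the writing image. The task check deliberately ignores the task name: "Skype" is chosen to look ordinary, and the .jar action is the invariant.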

Malware Analysis System Evasion

Source: C:\Windows\SysWOW64\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT VolumeSerialNumber FROM win32_logicaldisk
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 2_2_02AADAE9 sldt word ptr [eax] 2_2_02AADAE9
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe File opened: C:\Users\user\AppData\
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe File opened: C:\Users\user\AppData\Roaming\
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe File opened: C:\Users\user\
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\
Source: javaw.exe, 00000018.00000003.1939022188.0000000014A61000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: javaw.exe, 0000000D.00000002.2972683921.00000000006D8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll'Mj
Source: javaw.exe, 00000018.00000003.1939022188.0000000014A61000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: java.exe, 00000002.00000002.1774930911.0000000000FBB000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2972988604.000000000079B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2972683921.0000000000701000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2972938604.00000000012A8000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000018.00000002.2973138920.0000000000978000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [Ljava/lang/VirtualMachineError;
Source: javaw.exe, 00000017.00000003.1857665278.0000000015463000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: org/omg/CORBA/OMGVMCID.classPK
Source: java.exe, 00000002.00000002.1774930911.0000000000FBB000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2972988604.000000000079B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2972683921.0000000000701000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2972938604.00000000012A8000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000018.00000002.2973138920.0000000000978000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: cjava/lang/VirtualMachineError
Source: java.exe, 00000002.00000003.1752579676.000000001506F000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1775931243.0000000014868000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.1799563606.000000001486B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000017.00000003.1857665278.0000000015463000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: java/lang/VirtualMachineError.classPK
Source: javaw.exe, 00000018.00000002.2973138920.0000000000978000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll;Kpj
Source: javaw.exe, 00000017.00000002.2972938604.00000000012A8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllMK
Source: java.exe, 00000002.00000002.1774930911.0000000000FBB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllQL
Source: java.exe, 00000007.00000002.2972988604.000000000079B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Memory protected: page read and write | page guard
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\RICHIESTA-QUOTAZIONI.jar"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\user\AppData\Roaming\RICHIESTA-QUOTAZIONI.jar"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -jar "C:\Users\user\AppData\Roaming\RICHIESTA-QUOTAZIONI.jar"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\user\AppData\Roaming\RICHIESTA-QUOTAZIONI.jar"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 2_2_02A003C0 cpuid 2_2_02A003C0
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\6644 VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\rt.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jce.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jfr.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Users\user\4781lock.file VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\6716 VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\meta-index VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Users\user\4781lock.file VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\6164 VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\meta-index VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Users\user\4781lock.file VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\7260 VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\meta-index VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Users\user\4781lock.file VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\7428 VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\rt.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jsse.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jce.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\meta-index VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Users\user\4781lock.file VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\7720 VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\rt.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jsse.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\charsets.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\meta-index VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Users\user\4781lock.file VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\7852 VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\rt.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jsse.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jce.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\charsets.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\meta-index VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Users\user\4781lock.file VolumeInformation
Source: C:\Windows\SysWOW64\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - root\securitycenter2 : SELECT displayName FROM antivirusproduct
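The WMI activity in this section is a host fingerprint: java.exe spawns cmd.exe, which spawns WMIC.exe, to read the volume serial number, the OS caption, architecture and version, and the registered antivirus product. Any one of those queries is common in administration scripts; the combination, issued from a Java process, is the pattern worth a detection. The script below is an added example, not part of the sandbox report: it parses wmic command lines into (namespace, class, properties), walks the parent chain of each WMIC.exe back to a java/javaw ancestor, and reports whether one Java process collected both a host identifier and the AV list. The events are constructed from the report's command lines; every PID except the report's java.exe PID 6644 is invented, and the interactive-shell wmic call at the end is an invented benign control.

```python
import re

# Constructed process-creation events (pid/ppid/image/cmdline), modelled on the
# java.exe -> cmd.exe -> WMIC.exe chains listed above. Only PID 6644 (java.exe)
# comes from the report; the other PIDs and the trailing interactive-shell wmic
# call (no Java ancestor) are invented. Not sandbox output.
JAVA = r"C:\Program Files (x86)\Java\jre-1.8\bin\java.exe"
CMD = r"C:\Windows\SysWOW64\cmd.exe"
WMIC = r"C:\Windows\SysWOW64\wbem\WMIC.exe"
Q_SERIAL = r"wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
Q_OS = r"wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
Q_AV = r"wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list"

SAMPLE_PROCS = [
    {"pid": 6644, "ppid": 4100, "image": JAVA,
     "cmdline": f'"{JAVA}" -jar "C:\\Users\\user\\AppData\\Roaming\\RICHIESTA-QUOTAZIONI.jar"'},
    {"pid": 7000, "ppid": 6644, "image": CMD, "cmdline": f'cmd.exe /c "{Q_SERIAL}"'},
    {"pid": 7004, "ppid": 7000, "image": WMIC, "cmdline": Q_SERIAL},
    {"pid": 7010, "ppid": 6644, "image": CMD, "cmdline": f'cmd.exe /c "{Q_OS}"'},
    {"pid": 7014, "ppid": 7010, "image": WMIC, "cmdline": Q_OS},
    {"pid": 7020, "ppid": 6644, "image": CMD, "cmdline": f'cmd.exe /c "{Q_AV}"'},
    {"pid": 7024, "ppid": 7020, "image": WMIC, "cmdline": Q_AV},
    {"pid": 8000, "ppid": 900, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 8004, "ppid": 8000, "image": r"C:\Windows\System32\wbem\WMIC.exe",
     "cmdline": "wmic path win32_logicaldisk get volumeserialnumber"},
]

# (namespace, class, property) triples seen in the report, with the label used
# in findings. The labels are this example's own naming.
FINGERPRINT = {
    ("root\\cimv2", "win32_logicaldisk", "volumeserialnumber"): "volume serial",
    ("root\\cimv2", "win32_operatingsystem", "caption"): "os caption",
    ("root\\cimv2", "win32_operatingsystem", "osarchitecture"): "os architecture",
    ("root\\cimv2", "win32_operatingsystem", "version"): "os version",
    ("root\\securitycenter2", "antivirusproduct", "displayname"): "av product",
}
REQUIRED = {"volume serial", "av product"}   # host identifier plus AV inventory

WMIC_RE = re.compile(
    r"wmic(?:\.exe)?\s+(?:/node:\S+\s+)?(?:/namespace:'?([^'\s]+)'?\s+)?path\s+(\S+)\s+get\s+(\S+)",
    re.I)


def parse_wmic(cmdline):
    """Return (namespace, class, [properties]) for a 'wmic ... path X get a,b' line, else None."""
    m = WMIC_RE.search(cmdline)
    if m is None:
        return None
    ns = (m.group(1) or "root\\cimv2").lstrip("\\").lower()   # wmic defaults to root\cimv2
    return ns, m.group(2).lower(), [p.lower() for p in m.group(3).split(",")]


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def java_ancestor(pid, by_pid, max_hops=3):
    """Walk parent links up to max_hops; return the java/javaw ancestor event or None."""
    for _ in range(max_hops):
        ev = by_pid.get(pid)
        if ev is None:
            return None
        parent = by_pid.get(ev["ppid"])
        if parent is None:
            return None
        if _basename(parent["image"]) in ("java.exe", "javaw.exe"):
            return parent
        pid = parent["pid"]
    return None


def detect(events):
    """WMIC fingerprint queries whose process ancestry leads back to a Java process."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        if _basename(e["image"]) != "wmic.exe":
            continue
        parsed = parse_wmic(e["cmdline"])
        anc = java_ancestor(e["pid"], by_pid)
        if parsed is None or anc is None:
            continue
        ns, cls, props = parsed
        why = [FINGERPRINT[(ns, cls, p)] for p in props if (ns, cls, p) in FINGERPRINT]
        if why:
            hits.append({"wmic_pid": e["pid"], "java_pid": anc["pid"],
                         "query": f"{ns}:{cls}.{','.join(props)}", "why": why})
    return hits


def fingerprint_complete(hits):
    """Per Java PID: True when it collected both a host identifier and the AV list."""
    seen = {}
    for h in hits:
        seen.setdefault(h["java_pid"], set()).update(h["why"])
    return {pid: REQUIRED <= why for pid, why in seen.items()}


if __name__ == "__main__":
    found = detect(SAMPLE_PROCS)
    for h in found:
        print(h["java_pid"], "->", h["wmic_pid"], h["query"], h["why"])
    print(fingerprint_complete(found))
```

Sysmon event ID 1 carries ParentProcessId, Image and CommandLine, which is all the ancestry walk needs. Two caveats when reusing the logic: the ROOT\SecurityCenter2 namespace exists only on client editions of Windows, so an empty or failing AntiVirusProduct query on a server is not evidence that no AV is installed; and the `/node:.` versus `/node:localhost` spelling is irrelevant to the query, which is why the parser discards it.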

Stealing of Sensitive Information

Source: Yara match File source: 0000001D.00000002.2985937389.0000000009F67000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2985865794.0000000009968000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2985944545.0000000009B68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.2985487072.000000000A168000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2984565478.0000000009968000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.2985412359.000000000A568000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: java.exe PID: 6644, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: java.exe PID: 6716, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: javaw.exe PID: 6164, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: javaw.exe PID: 7260, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 0000001D.00000002.2985937389.0000000009F67000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000D.00000002.2985865794.0000000009968000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000018.00000002.2985944545.0000000009B68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000001C.00000002.2985487072.000000000A168000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000007.00000002.2984565478.0000000009968000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.2985412359.000000000A568000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: java.exe PID: 6644, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: java.exe PID: 6716, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: javaw.exe PID: 6164, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: javaw.exe PID: 7260, type: MEMORYSTR