Edit tour

Windows Analysis Report
RICHIESTA-QUOTAZIONI.jar

Overview

General Information

Sample name:	RICHIESTA-QUOTAZIONI.jar
Analysis ID:	1430749
MD5:	0d46ea03546bc6a9760d3ef9f15e84e7
SHA1:	3ee2e6f7ccf50b4be839d71376ba5fea8dde8acd
SHA256:	6da5b5cc7e2e2f07562156216d39aa49ed6fa30273b7669605ef78e4dc1be367
Tags:	jarRATSTRRAT
Infos:

Detection

STRRAT

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus detection for URL or domain

Found malware configuration

Malicious sample detected (through community Yara rule)

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for submitted file

Snort IDS alert for network traffic

Yara detected STRRAT

Creates autostart registry keys to launch java

Creates autostart registry keys with suspicious names

Exploit detected, runtime environment starts unknown processes

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Sigma detected: Suspicious Startup Folder Persistence

Uses dynamic DNS services

Uses schtasks.exe or at.exe to add and modify task schedules

Yara detected AllatoriJARObfuscator

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains functionality to detect virtual machines (SLDT)

Contains functionality to query CPU information (cpuid)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Found inlined nop instructions (likely shell or obfuscated code)

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

Java Jar is obfuscated using Allatori

Launches a Java Jar file from a suspicious file location

May check the online IP address of the machine

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Shell Process Spawned by Java.EXE

Sigma detected: Startup Folder File Write

Sigma detected: Suspicious Schtasks From Env Var Folder

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Stores files to the Windows start menu directory

Uses a known web browser user agent for HTTP communication

Uses cacls to modify the permissions of files

Uses code obfuscation techniques (call, push, ret)

Yara signature match

Classification

Process Tree

System is w10x64

cmd.exe (PID: 7132 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\RICHIESTA-QUOTAZIONI.jar"" >> C:\cmdlinestart.log 2>&1 MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6504 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

java.exe (PID: 6644 cmdline: "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\RICHIESTA-QUOTAZIONI.jar" MD5: 9DAA53BAB2ECB33DC0D9CA51552701FA)

icacls.exe (PID: 6300 cmdline: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M MD5: 2E49585E4E08565F52090B144062F97E)

conhost.exe (PID: 6284 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6168 cmdline: cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\user\AppData\Roaming\RICHIESTA-QUOTAZIONI.jar" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 5764 cmdline: schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\user\AppData\Roaming\RICHIESTA-QUOTAZIONI.jar" MD5: 48C2FE20575769DE916F48EF0676A965)

java.exe (PID: 6716 cmdline: "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -jar "C:\Users\user\AppData\Roaming\RICHIESTA-QUOTAZIONI.jar" MD5: 9DAA53BAB2ECB33DC0D9CA51552701FA)

conhost.exe (PID: 1196 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

cmd.exe (PID: 6304 cmdline: cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6576 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 648 cmdline: wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list MD5: E2DE6500DE1148C7F6027AD50AC8B891)

cmd.exe (PID: 6504 cmdline: cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6696 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 2488 cmdline: wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list MD5: E2DE6500DE1148C7F6027AD50AC8B891)

cmd.exe (PID: 6648 cmdline: cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 6528 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 6572 cmdline: wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list MD5: E2DE6500DE1148C7F6027AD50AC8B891)

cmd.exe (PID: 7176 cmdline: cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list" MD5: D0FCE3AFA6AA1D58CE9FA336CC2B675B)

conhost.exe (PID: 7184 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

WMIC.exe (PID: 7224 cmdline: wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list MD5: E2DE6500DE1148C7F6027AD50AC8B891)

javaw.exe (PID: 6164 cmdline: "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\RICHIESTA-QUOTAZIONI.jar" MD5: 6E0F4F812AE02FBCB744A929E74A04B8)

javaw.exe (PID: 7260 cmdline: "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\RICHIESTA-QUOTAZIONI.jar" MD5: 6E0F4F812AE02FBCB744A929E74A04B8)

javaw.exe (PID: 7428 cmdline: "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\RICHIESTA-QUOTAZIONI.jar" MD5: 6E0F4F812AE02FBCB744A929E74A04B8)

javaw.exe (PID: 7720 cmdline: "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\RICHIESTA-QUOTAZIONI.jar" MD5: 6E0F4F812AE02FBCB744A929E74A04B8)

javaw.exe (PID: 7852 cmdline: "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RICHIESTA-QUOTAZIONI.jar" MD5: 6E0F4F812AE02FBCB744A929E74A04B8)

cleanup

Malware Configuration

Threatname: STRRAT

{"C2 list": "elastsolek21.duckdns.org:4781", "url": "http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5", "Proxy": "zekeriyasolek45.duckdns.org:4781", "lid": "WFC9-W4KB-388F-9KY1-S6JV", "Startup": "true", "Secondary Startup": "true", "Scheduled Task": "true"}

Yara Signatures

Dropped Files

Source	Rule	Description	Author	Strings
C:\cmdlinestart.log	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
C:\cmdlinestart.log	INDICATOR_JAVA_Packed_Allatori	Detects files packed with Allatori Java Obfuscator	ditekSHen	0x158:$s1: # Obfuscation by Allatori Obfuscator

Memory Dumps

Source	Rule	Description	Author	Strings
00000017.00000002.2985412359.000000000A593000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
00000017.00000002.2985412359.000000000A593000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_JAVA_Packed_Allatori	Detects files packed with Allatori Java Obfuscator	ditekSHen	0x2e24:$s1: # Obfuscation by Allatori Obfuscator
00000017.00000002.2985412359.000000000A562000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
00000017.00000002.2985412359.000000000A562000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_JAVA_Packed_Allatori	Detects files packed with Allatori Java Obfuscator	ditekSHen	0x2864:$s1: # Obfuscation by Allatori Obfuscator
0000001C.00000002.2985487072.000000000A162000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
0000001C.00000002.2985487072.000000000A162000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_JAVA_Packed_Allatori	Detects files packed with Allatori Java Obfuscator	ditekSHen	0x2b5c:$s1: # Obfuscation by Allatori Obfuscator
00000002.00000002.1782413352.000000000A1E5000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
00000002.00000002.1782413352.000000000A1E5000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_JAVA_Packed_Allatori	Detects files packed with Allatori Java Obfuscator	ditekSHen	0xb87c:$s1: # Obfuscation by Allatori Obfuscator
0000001D.00000002.2985937389.0000000009F67000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_STRRAT	Yara detected STRRAT	Joe Security
0000000D.00000002.2985865794.0000000009968000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_STRRAT	Yara detected STRRAT	Joe Security
00000018.00000002.2985944545.0000000009B62000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
00000018.00000002.2985944545.0000000009B62000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_JAVA_Packed_Allatori	Detects files packed with Allatori Java Obfuscator	ditekSHen	0x2b5c:$s1: # Obfuscation by Allatori Obfuscator
0000001D.00000002.2985937389.0000000009F92000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
0000001D.00000002.2985937389.0000000009F92000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_JAVA_Packed_Allatori	Detects files packed with Allatori Java Obfuscator	ditekSHen	0x3454:$s1: # Obfuscation by Allatori Obfuscator
00000018.00000002.2985944545.0000000009B93000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
00000018.00000002.2985944545.0000000009B93000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_JAVA_Packed_Allatori	Detects files packed with Allatori Java Obfuscator	ditekSHen	0x311c:$s1: # Obfuscation by Allatori Obfuscator
0000000D.00000002.2985865794.0000000009993000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
0000000D.00000002.2985865794.0000000009993000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_JAVA_Packed_Allatori	Detects files packed with Allatori Java Obfuscator	ditekSHen	0x2dfc:$s1: # Obfuscation by Allatori Obfuscator
00000018.00000002.2985944545.0000000009B68000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_STRRAT	Yara detected STRRAT	Joe Security
0000000D.00000002.2985865794.0000000009962000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
0000000D.00000002.2985865794.0000000009962000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_JAVA_Packed_Allatori	Detects files packed with Allatori Java Obfuscator	ditekSHen	0x283c:$s1: # Obfuscation by Allatori Obfuscator
0000001C.00000002.2985487072.000000000A168000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_STRRAT	Yara detected STRRAT	Joe Security
0000001D.00000002.2985937389.0000000009F61000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
0000001D.00000002.2985937389.0000000009F61000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_JAVA_Packed_Allatori	Detects files packed with Allatori Java Obfuscator	ditekSHen	0x2cf4:$s1: # Obfuscation by Allatori Obfuscator
00000007.00000002.2984565478.0000000009963000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
00000007.00000002.2984565478.0000000009963000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_JAVA_Packed_Allatori	Detects files packed with Allatori Java Obfuscator	ditekSHen	0x20e4:$s1: # Obfuscation by Allatori Obfuscator
00000002.00000002.1782413352.000000000A1F8000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
00000002.00000002.1782413352.000000000A1F8000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_JAVA_Packed_Allatori	Detects files packed with Allatori Java Obfuscator	ditekSHen	0x1549c:$s1: # Obfuscation by Allatori Obfuscator
00000007.00000002.2984565478.0000000009994000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
00000007.00000002.2984565478.0000000009994000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_JAVA_Packed_Allatori	Detects files packed with Allatori Java Obfuscator	ditekSHen	0x2844:$s1: # Obfuscation by Allatori Obfuscator
00000007.00000002.2984565478.0000000009968000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_STRRAT	Yara detected STRRAT	Joe Security
00000017.00000002.2985412359.000000000A568000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_STRRAT	Yara detected STRRAT	Joe Security
0000001C.00000002.2985487072.000000000A193000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
0000001C.00000002.2985487072.000000000A193000.00000004.00000800.00020000.00000000.sdmp	INDICATOR_JAVA_Packed_Allatori	Detects files packed with Allatori Java Obfuscator	ditekSHen	0x311c:$s1: # Obfuscation by Allatori Obfuscator
Process Memory Space: java.exe PID: 6644	JoeSecurity_STRRAT	Yara detected STRRAT	Joe Security
Process Memory Space: java.exe PID: 6644	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
Process Memory Space: java.exe PID: 6644	INDICATOR_JAVA_Packed_Allatori	Detects files packed with Allatori Java Obfuscator	ditekSHen	0x6e539:$s1: # Obfuscation by Allatori Obfuscator 0x3200bb:$s1: # Obfuscation by Allatori Obfuscator
Process Memory Space: java.exe PID: 6716	JoeSecurity_STRRAT	Yara detected STRRAT	Joe Security
Process Memory Space: java.exe PID: 6716	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
Process Memory Space: java.exe PID: 6716	INDICATOR_JAVA_Packed_Allatori	Detects files packed with Allatori Java Obfuscator	ditekSHen	0x22394b:$s1: # Obfuscation by Allatori Obfuscator 0x34dd1f:$s1: # Obfuscation by Allatori Obfuscator
Process Memory Space: javaw.exe PID: 6164	JoeSecurity_STRRAT	Yara detected STRRAT	Joe Security
Process Memory Space: javaw.exe PID: 6164	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
Process Memory Space: javaw.exe PID: 6164	INDICATOR_JAVA_Packed_Allatori	Detects files packed with Allatori Java Obfuscator	ditekSHen	0x2089a1:$s1: # Obfuscation by Allatori Obfuscator 0x24bd65:$s1: # Obfuscation by Allatori Obfuscator
Process Memory Space: javaw.exe PID: 7260	JoeSecurity_STRRAT	Yara detected STRRAT	Joe Security
Process Memory Space: javaw.exe PID: 7260	JoeSecurity_Allatori_JAR_Obfuscator	Yara detected Allatori_JAR_Obfuscator	Joe Security
Process Memory Space: javaw.exe PID: 7260	INDICATOR_JAVA_Packed_Allatori	Detects files packed with Allatori Java Obfuscator	ditekSHen	0x238a9:$s1: # Obfuscation by Allatori Obfuscator 0x2a74a:$s1: # Obfuscation by Allatori Obfuscator
Click to see the 41 entries

Sigma Signatures

System Summary

Sigma detected: Suspicious Startup Folder Persistence

Source: File created

Author: Nasreddine Bencherchali (Nextron Systems): Data: EventID: 11, Image: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe, ProcessId: 6644, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RICHIESTA-QUOTAZIONI.jar

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\RICHIESTA-QUOTAZIONI.jar", EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe, ProcessId: 6644, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\RICHIESTA-QUOTAZIONI

Sigma detected: Shell Process Spawned by Java.EXE

Source: Process started

Author: Andreas Hunkeler (@Karneades), Nasreddine Bencherchali: Data: Command: cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\user\AppData\Roaming\RICHIESTA-QUOTAZIONI.jar", CommandLine: cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\user\AppData\Roaming\RICHIESTA-QUOTAZIONI.jar", CommandLine|base64offset|contains: rg, Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\RICHIESTA-QUOTAZIONI.jar" , ParentImage: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe, ParentProcessId: 6644, ParentProcessName: java.exe, ProcessCommandLine: cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\user\AppData\Roaming\RICHIESTA-QUOTAZIONI.jar", ProcessId: 6168, ProcessName: cmd.exe

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe, ProcessId: 6644, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RICHIESTA-QUOTAZIONI.jar

Sigma detected: Suspicious Schtasks From Env Var Folder

Source: Process started

Author: Florian Roth (Nextron Systems): Data: Command: schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\user\AppData\Roaming\RICHIESTA-QUOTAZIONI.jar", CommandLine: schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\user\AppData\Roaming\RICHIESTA-QUOTAZIONI.jar", CommandLine|base64offset|contains: mj,, Image: C:\Windows\SysWOW64\schtasks.exe, NewProcessName: C:\Windows\SysWOW64\schtasks.exe, OriginalFileName: C:\Windows\SysWOW64\schtasks.exe, ParentCommandLine: cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\user\AppData\Roaming\RICHIESTA-QUOTAZIONI.jar", ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6168, ParentProcessName: cmd.exe, ProcessCommandLine: schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\user\AppData\Roaming\RICHIESTA-QUOTAZIONI.jar", ProcessId: 5764, ProcessName: schtasks.exe

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\RICHIESTA-QUOTAZIONI.jar", EventID: 13, EventType: SetValue, Image: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe, ProcessId: 6644, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\RICHIESTA-QUOTAZIONI

Snort Signatures

ET TROJAN STRRAT CnC Checkin - Source IP: 192.168.2.4 - Destination IP: 107.172.148.197

Timestamp:	04/24/24-06:47:10.647172
SID:	2030358
Source Port:	49730
Destination Port:	4781
Protocol:	TCP
Classtype:	A Network Trojan was detected

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus detection for URL or domain

Source: http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5	URL Reputation: Label: malware
Source: http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5	URL Reputation: Label: malware
Source: http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5Cj	Avira URL Cloud: Label: malware
Source: http://jbfrost.live/strigoi/server/?hwid	Avira URL Cloud: Label: malware

Found malware configuration

Source: RICHIESTA-QUOTAZIONI.jar

Malware Configuration Extractor: STRRAT {"C2 list": "elastsolek21.duckdns.org:4781", "url": "http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5", "Proxy": "zekeriyasolek45.duckdns.org:4781", "lid": "WFC9-W4KB-388F-9KY1-S6JV", "Startup": "true", "Secondary Startup": "true", "Scheduled Task": "true"}

Multi AV Scanner detection for domain / URL

Source: elastsolek21.duckdns.org

Virustotal: Detection: 11%

Perma Link

Multi AV Scanner detection for submitted file

Source: RICHIESTA-QUOTAZIONI.jar	ReversingLabs: Detection: 18%
Source: RICHIESTA-QUOTAZIONI.jar	Virustotal: Detection: 17%			Perma Link

Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	File opened: C:\Users\user\AppData\
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	File opened: C:\Users\user\AppData\Roaming\
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	File opened: C:\Users\user\
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\

Software Vulnerabilities

Exploit detected, runtime environment starts unknown processes

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

Process created: C:\Windows\SysWOW64\cmd.exe

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

Code function: 4x nop then cmp eax, dword ptr [ecx+04h]

7_2_022B38CC

Networking

Snort IDS alert for network traffic

Source: Traffic

Snort IDS: 2030358 ET TROJAN STRRAT CnC Checkin 192.168.2.4:49730 -> 107.172.148.197:4781

Uses dynamic DNS services

Source: unknown

DNS query: name: elastsolek21.duckdns.org

Source: global traffic

TCP traffic: 192.168.2.4:49730 -> 107.172.148.197:4781

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 107.172.148.197 107.172.148.197

Source: Joe Sandbox View

ASN Name: AS-COLOCROSSINGUS AS-COLOCROSSINGUS

Source: unknown

DNS query: name: ip-api.com

Source: global traffic

HTTP traffic detected: GET /json/ HTTP/1.1Host: ip-api.comUser-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36Connection: close

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic

Source: unknown

DNS traffic detected: queries for: elastsolek21.duckdns.org

Source: java.exe, 00000002.00000002.1782413352.000000000A1F8000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.0000000009994000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2985865794.0000000009993000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2985412359.000000000A593000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://bugreport.sun.com/bugreport/
Source: java.exe, 00000002.00000002.1782413352.000000000A355000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.1776760705.0000000005127000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.00000000099F9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.0000000009998000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2985865794.00000000099F8000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2985865794.0000000009997000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2985412359.000000000A5F8000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2985412359.000000000A597000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
Source: java.exe, 00000002.00000002.1782413352.000000000A250000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.1786567624.0000000015688000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.1782413352.000000000A355000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1829703245.0000000014ECD000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.0000000009998000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.3003604185.0000000014ED4000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.1851754217.0000000014F21000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.1852198405.0000000014F28000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.1852746345.0000000014F39000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2985865794.0000000009997000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.3007651577.0000000014F40000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000017.00000003.1910324996.0000000015BAB000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.3007017298.0000000015BB2000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2985412359.000000000A597000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000018.00000002.3006783753.00000000150CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: java.exe, 00000002.00000002.1782413352.000000000A250000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.1782413352.000000000A355000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.1776760705.0000000005127000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.00000000099F9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.0000000009998000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2985865794.00000000099F8000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2985865794.0000000009997000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2985412359.000000000A5F8000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2985412359.000000000A597000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt
Source: java.exe, 00000002.00000002.1782413352.000000000A250000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.0000000009968000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2985865794.0000000009968000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2985412359.000000000A568000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: java.exe, 00000002.00000002.1782413352.000000000A355000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt1HH
Source: java.exe, 00000002.00000002.1782413352.000000000A355000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.1776760705.0000000005127000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.00000000099F9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.0000000009998000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2985865794.00000000099F8000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2985865794.0000000009997000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2985412359.000000000A5F8000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2985412359.000000000A597000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
Source: java.exe, 00000002.00000002.1782413352.000000000A250000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.1782413352.000000000A355000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.0000000009998000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2985865794.0000000009997000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2985412359.000000000A597000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: java.exe, 00000002.00000002.1782413352.000000000A355000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.1776760705.0000000005127000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.0000000009A02000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.0000000009998000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2985865794.0000000009A02000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2985865794.0000000009997000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2985412359.000000000A602000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2985412359.000000000A597000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
Source: java.exe, 00000002.00000002.1782413352.000000000A250000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.1786567624.0000000015688000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.1782413352.000000000A355000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1829703245.0000000014ECD000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.0000000009998000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.3003604185.0000000014ED4000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.1851754217.0000000014F21000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.1852198405.0000000014F28000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.1852746345.0000000014F39000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2985865794.0000000009997000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.3007651577.0000000014F40000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000017.00000003.1910324996.0000000015BAB000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.3007017298.0000000015BB2000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2985412359.000000000A597000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000018.00000002.3006783753.00000000150CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: java.exe, 00000002.00000002.1776760705.0000000005127000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crls
Source: java.exe, 00000002.00000002.1782413352.000000000A250000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.0000000009A02000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.0000000009998000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2985865794.0000000009A02000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2985865794.0000000009997000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2985412359.000000000A602000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2985412359.000000000A597000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl
Source: java.exe, 00000002.00000002.1782413352.000000000A250000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.0000000009998000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.0000000009968000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2985865794.0000000009968000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2985865794.0000000009997000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2985412359.000000000A568000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2985412359.000000000A597000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: java.exe, 00000002.00000002.1782413352.000000000A355000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.1776760705.0000000005127000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.0000000009A09000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.0000000009998000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2985865794.0000000009997000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2985865794.0000000009A08000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2985412359.000000000A608000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2985412359.000000000A597000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000018.00000002.2985944545.0000000009C08000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl
Source: java.exe, 00000002.00000002.1782413352.000000000A250000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.1786567624.0000000015688000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.1782413352.000000000A355000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1829703245.0000000014ECD000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.0000000009998000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.3003604185.0000000014ED4000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.1851754217.0000000014F21000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.1852198405.0000000014F28000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.1852746345.0000000014F39000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2985865794.0000000009997000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.3007651577.0000000014F40000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000017.00000003.1910324996.0000000015BAB000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.3007017298.0000000015BB2000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2985412359.000000000A597000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000018.00000002.3006783753.00000000150CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: java.exe, 00000002.00000002.1782413352.000000000A150000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.0000000009998000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2985865794.0000000009997000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2985412359.000000000A597000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://java.oracle.com/
Source: java.exe, 00000002.00000002.1776760705.0000000005038000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.1776760705.0000000004D9F000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://jbfrost.live/strigoi/server/?hwid
Source: javaw.exe, 00000018.00000002.2976036777.0000000004983000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5
Source: java.exe, 00000002.00000002.1776760705.000000000504B000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5Cj
Source: java.exe, 00000002.00000002.1782413352.000000000A413000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.1787049784.00000000159B2000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.1786567624.00000000154E0000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.3003604185.0000000014EFD000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.0000000009B17000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2975772765.0000000004833000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.3005052322.0000000014AC2000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000017.00000003.1910717611.0000000015B83000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000017.00000003.1910788908.0000000015B9B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2976481957.0000000005434000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.3006909903.0000000015BA2000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://null.oracle.com/
Source: java.exe, 00000002.00000002.1776760705.0000000005127000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.00000000099F9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2985865794.00000000099F8000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2985412359.000000000A5F8000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com
Source: java.exe, 00000002.00000002.1782413352.000000000A250000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.1782413352.000000000A355000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.1776760705.0000000005127000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.0000000009998000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2985865794.0000000009997000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2985412359.000000000A597000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0A
Source: java.exe, 00000002.00000002.1782413352.000000000A250000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.1786567624.0000000015688000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.1782413352.000000000A355000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.1776760705.0000000005127000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1829703245.0000000014ECD000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.0000000009998000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.3003604185.0000000014ED4000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.1851754217.0000000014F21000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.1852198405.0000000014F28000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.1852746345.0000000014F39000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2985865794.0000000009997000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.3007651577.0000000014F40000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000017.00000003.1910324996.0000000015BAB000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.3007017298.0000000015BB2000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2985412359.000000000A597000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000018.00000002.3006783753.00000000150CC000.00000004.00000020.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0C
Source: java.exe, 00000002.00000002.1782413352.000000000A250000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.1782413352.000000000A355000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.0000000009998000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.0000000009968000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2985865794.0000000009968000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2985865794.0000000009997000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2985412359.000000000A568000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2985412359.000000000A597000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.com0X
Source: java.exe, 00000002.00000002.1776760705.0000000005127000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ocsp.digicert.comc
Source: java.exe, 00000002.00000002.1782413352.000000000A1E5000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.1782413352.000000000A1F8000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.0000000009963000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.0000000009994000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2985865794.0000000009993000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2985865794.0000000009962000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2985412359.000000000A593000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2985412359.000000000A562000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://www.allatori.com

System Summary

Malicious sample detected (through community Yara rule)

Source: 00000017.00000002.2985412359.000000000A593000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: 00000017.00000002.2985412359.000000000A562000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: 0000001C.00000002.2985487072.000000000A162000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: 00000002.00000002.1782413352.000000000A1E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: 00000018.00000002.2985944545.0000000009B62000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: 0000001D.00000002.2985937389.0000000009F92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: 00000018.00000002.2985944545.0000000009B93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: 0000000D.00000002.2985865794.0000000009993000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: 0000000D.00000002.2985865794.0000000009962000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: 0000001D.00000002.2985937389.0000000009F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: 00000007.00000002.2984565478.0000000009963000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: 00000002.00000002.1782413352.000000000A1F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: 00000007.00000002.2984565478.0000000009994000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: 0000001C.00000002.2985487072.000000000A193000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: Process Memory Space: java.exe PID: 6644, type: MEMORYSTR	Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: Process Memory Space: java.exe PID: 6716, type: MEMORYSTR	Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: Process Memory Space: javaw.exe PID: 6164, type: MEMORYSTR	Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: Process Memory Space: javaw.exe PID: 7260, type: MEMORYSTR	Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: C:\cmdlinestart.log, type: DROPPED	Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen

Source: 00000017.00000002.2985412359.000000000A593000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
Source: 00000017.00000002.2985412359.000000000A562000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
Source: 0000001C.00000002.2985487072.000000000A162000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
Source: 00000002.00000002.1782413352.000000000A1E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
Source: 00000018.00000002.2985944545.0000000009B62000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
Source: 0000001D.00000002.2985937389.0000000009F92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
Source: 00000018.00000002.2985944545.0000000009B93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
Source: 0000000D.00000002.2985865794.0000000009993000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
Source: 0000000D.00000002.2985865794.0000000009962000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
Source: 0000001D.00000002.2985937389.0000000009F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
Source: 00000007.00000002.2984565478.0000000009963000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
Source: 00000002.00000002.1782413352.000000000A1F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
Source: 00000007.00000002.2984565478.0000000009994000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
Source: 0000001C.00000002.2985487072.000000000A193000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY	Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
Source: Process Memory Space: java.exe PID: 6644, type: MEMORYSTR	Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
Source: Process Memory Space: java.exe PID: 6716, type: MEMORYSTR	Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
Source: Process Memory Space: javaw.exe PID: 6164, type: MEMORYSTR	Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
Source: Process Memory Space: javaw.exe PID: 7260, type: MEMORYSTR	Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
Source: C:\cmdlinestart.log, type: DROPPED	Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator

Source: classification engine

Classification label: mal100.troj.expl.evad.winJAR@39/12@2/2

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

File created: C:\Users\user\4781lock.file

Jump to behavior

Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7184:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6576:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6696:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6528:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6504:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6284:120:WilError_03

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

File created: C:\Users\user\AppData\Local\Temp\hsperfdata_user

Jump to behavior

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: RICHIESTA-QUOTAZIONI.jar	ReversingLabs: Detection: 18%
Source: RICHIESTA-QUOTAZIONI.jar	Virustotal: Detection: 17%

Source: unknown	Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\RICHIESTA-QUOTAZIONI.jar"" >> C:\cmdlinestart.log 2>&1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\RICHIESTA-QUOTAZIONI.jar"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Windows\SysWOW64\icacls.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\user\AppData\Roaming\RICHIESTA-QUOTAZIONI.jar"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -jar "C:\Users\user\AppData\Roaming\RICHIESTA-QUOTAZIONI.jar"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\user\AppData\Roaming\RICHIESTA-QUOTAZIONI.jar"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
Source: unknown	Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\RICHIESTA-QUOTAZIONI.jar"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list
Source: unknown	Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\RICHIESTA-QUOTAZIONI.jar"
Source: unknown	Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\RICHIESTA-QUOTAZIONI.jar"
Source: unknown	Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\RICHIESTA-QUOTAZIONI.jar"
Source: unknown	Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RICHIESTA-QUOTAZIONI.jar"
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\RICHIESTA-QUOTAZIONI.jar"	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\user\AppData\Roaming\RICHIESTA-QUOTAZIONI.jar"	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -jar "C:\Users\user\AppData\Roaming\RICHIESTA-QUOTAZIONI.jar"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\user\AppData\Roaming\RICHIESTA-QUOTAZIONI.jar"	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list	Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe	Section loaded: ntmarta.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: wsock32.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: framedynos.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: msxml6.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: vcruntime140.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: wsock32.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: wsock32.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: wsock32.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: wsock32.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: winmm.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: version.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: wldp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: profapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Section loaded: dnsapi.dll

Source: C:\Windows\SysWOW64\wbem\WMIC.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32

Jump to behavior

Data Obfuscation

Yara detected AllatoriJARObfuscator

Source: Yara match	File source: 00000017.00000002.2985412359.000000000A593000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2985412359.000000000A562000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2985487072.000000000A162000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1782413352.000000000A1E5000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2985944545.0000000009B62000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2985937389.0000000009F92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2985944545.0000000009B93000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2985865794.0000000009993000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2985865794.0000000009962000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001D.00000002.2985937389.0000000009F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2984565478.0000000009963000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000002.00000002.1782413352.000000000A1F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2984565478.0000000009994000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2985487072.000000000A193000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: java.exe PID: 6644, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: java.exe PID: 6716, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: javaw.exe PID: 6164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: javaw.exe PID: 7260, type: MEMORYSTR
Source: Yara match	File source: C:\cmdlinestart.log, type: DROPPED

Source: Java tracing

Executes: java.io.Writer.write(java.lang.String) on Obfuscation by Allatori Obfuscator v8.7 DEMO ## ## http://www.allatori.com

Source: Java tracing

Executes: java.lang.ProcessBuilder(java.lang.String[]) on "c:\program files (x86)\java\jre-1.8\bin\java.exe" -jar "c:\users\user\appdata\roaming\richiesta-quotazioni.jar"

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_2_02AAC2CD push ecx; retn 0022h	2_2_02AAC382
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_2_02AB0788 push cs; ret	2_2_02AB07D1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_2_02AAC013 push es; iretd	2_2_02AAC01A
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_2_02AAB9DB push es; iretd	2_2_02AAB9DE
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_2_02AAB9D6 push es; iretd	2_2_02AAB9DA
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_2_02A0D8F7 push 00000000h; mov dword ptr [esp], esp	2_2_02A0D921
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_2_02A0A20A push ecx; ret	2_2_02A0A21A
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_2_02A0A21B push ecx; ret	2_2_02A0A225
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_2_02A0B3B7 push 00000000h; mov dword ptr [esp], esp	2_2_02A0B3DD
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_2_02A0BB67 push 00000000h; mov dword ptr [esp], esp	2_2_02A0BB8D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_2_02A0D8E0 push 00000000h; mov dword ptr [esp], esp	2_2_02A0D921
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_2_02A0B947 push 00000000h; mov dword ptr [esp], esp	2_2_02A0B96D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 2_2_02A0C477 push 00000000h; mov dword ptr [esp], esp	2_2_02A0C49D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 7_2_0220A20A push ecx; ret	7_2_0220A21A
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 7_2_0220A21B push ecx; ret	7_2_0220A225
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 7_2_0220BB67 push 00000000h; mov dword ptr [esp], esp	7_2_0220BB8D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 7_2_0220B3B7 push 00000000h; mov dword ptr [esp], esp	7_2_0220B3DD
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 7_2_0220B947 push 00000000h; mov dword ptr [esp], esp	7_2_0220B96D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 7_2_0220C477 push 00000000h; mov dword ptr [esp], esp	7_2_0220C49D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 7_2_022AD72D push es; retn 0001h	7_2_022AD83F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 7_2_022A9091 push cs; retf	7_2_022A90B1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 7_2_022AF0E0 pushfd ; retf	7_2_022AF0E1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Code function: 7_2_022B25C8 push es; retn 0024h	7_2_022B25CB
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Code function: 13_2_0239A21B push ecx; ret	13_2_0239A225
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Code function: 13_2_0239A20A push ecx; ret	13_2_0239A21A
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Code function: 13_2_0239BB67 push 00000000h; mov dword ptr [esp], esp	13_2_0239BB8D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Code function: 13_2_0239B3B7 push 00000000h; mov dword ptr [esp], esp	13_2_0239B3DD
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Code function: 13_2_0239B947 push 00000000h; mov dword ptr [esp], esp	13_2_0239B96D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Code function: 13_2_0239C477 push 00000000h; mov dword ptr [esp], esp	13_2_0239C49D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Code function: 23_2_02E5D6EC push es; retn 0001h	23_2_02E5D7FF
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Code function: 23_2_02E59091 push cs; retf	23_2_02E590B1

Boot Survival

Creates autostart registry keys to launch java

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run RICHIESTA-QUOTAZIONI "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\RICHIESTA-QUOTAZIONI.jar"

Jump to behavior

Creates autostart registry keys with suspicious names

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RICHIESTA-QUOTAZIONI

Jump to behavior

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Windows\SysWOW64\cmd.exe

Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\user\AppData\Roaming\RICHIESTA-QUOTAZIONI.jar"

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RICHIESTA-QUOTAZIONI.jar

Jump to behavior

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RICHIESTA-QUOTAZIONI.jar			Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\RICHIESTA-QUOTAZIONI.jar			Jump to behavior

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RICHIESTA-QUOTAZIONI	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run RICHIESTA-QUOTAZIONI	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run RICHIESTA-QUOTAZIONI	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run RICHIESTA-QUOTAZIONI	Jump to behavior

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M

Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\wbem\WMIC.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Malware Analysis System Evasion

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)

Source: C:\Windows\SysWOW64\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT VolumeSerialNumber FROM win32_logicaldisk

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

Code function: 2_2_02AADAE9 sldt word ptr [eax]

2_2_02AADAE9

Source: C:\Windows\System32\conhost.exe

Last function: Thread delayed

Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	File opened: C:\Users\user\AppData\
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	File opened: C:\Users\user\AppData\Roaming\
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	File opened: C:\Users\user\
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\

Source: javaw.exe, 00000018.00000003.1939022188.0000000014A61000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: javaw.exe, 0000000D.00000002.2972683921.00000000006D8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll'Mj
Source: javaw.exe, 00000018.00000003.1939022188.0000000014A61000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: &com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: java.exe, 00000002.00000002.1774930911.0000000000FBB000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2972988604.000000000079B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2972683921.0000000000701000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2972938604.00000000012A8000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000018.00000002.2973138920.0000000000978000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: [Ljava/lang/VirtualMachineError;
Source: javaw.exe, 00000017.00000003.1857665278.0000000015463000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: org/omg/CORBA/OMGVMCID.classPK
Source: java.exe, 00000002.00000002.1774930911.0000000000FBB000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2972988604.000000000079B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2972683921.0000000000701000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2972938604.00000000012A8000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000018.00000002.2973138920.0000000000978000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: cjava/lang/VirtualMachineError
Source: java.exe, 00000002.00000003.1752579676.000000001506F000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1775931243.0000000014868000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.1799563606.000000001486B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000017.00000003.1857665278.0000000015463000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: java/lang/VirtualMachineError.classPK
Source: javaw.exe, 00000018.00000002.2973138920.0000000000978000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll;Kpj
Source: javaw.exe, 00000017.00000002.2972938604.00000000012A8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllMK
Source: java.exe, 00000002.00000002.1774930911.0000000000FBB000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllQL
Source: java.exe, 00000007.00000002.2972988604.000000000079B000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Windows\SysWOW64\wbem\WMIC.exe

Process information queried: ProcessInformation

Jump to behavior

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

Memory protected: page read and write | page guard

Jump to behavior

Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\RICHIESTA-QUOTAZIONI.jar"	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\user\AppData\Roaming\RICHIESTA-QUOTAZIONI.jar"	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -jar "C:\Users\user\AppData\Roaming\RICHIESTA-QUOTAZIONI.jar"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\user\AppData\Roaming\RICHIESTA-QUOTAZIONI.jar"	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list"	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list	Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe	Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list	Jump to behavior

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

Code function: 2_2_02A003C0 cpuid

2_2_02A003C0

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\6644 VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\rt.jar VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jce.jar VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jfr.jar VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Users\user\4781lock.file VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\6716 VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\meta-index VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe	Queries volume information: C:\Users\user\4781lock.file VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\6164 VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\meta-index VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Users\user\4781lock.file VolumeInformation	Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\7260 VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\meta-index VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Users\user\4781lock.file VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\7428 VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\rt.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jsse.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jce.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\meta-index VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Users\user\4781lock.file VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\7720 VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\rt.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jsse.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\charsets.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\meta-index VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Users\user\4781lock.file VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\7852 VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\rt.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jsse.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jce.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\charsets.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\meta-index VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe	Queries volume information: C:\Users\user\4781lock.file VolumeInformation

Source: C:\Windows\SysWOW64\wbem\WMIC.exe

WMI Queries: IWbemServices::ExecQuery - root\securitycenter2 : SELECT displayName FROM antivirusproduct

Stealing of Sensitive Information

Yara detected STRRAT

Source: Yara match	File source: 0000001D.00000002.2985937389.0000000009F67000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2985865794.0000000009968000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2985944545.0000000009B68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2985487072.000000000A168000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2984565478.0000000009968000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2985412359.000000000A568000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: java.exe PID: 6644, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: java.exe PID: 6716, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: javaw.exe PID: 6164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: javaw.exe PID: 7260, type: MEMORYSTR

Remote Access Functionality

Yara detected STRRAT

Source: Yara match	File source: 0000001D.00000002.2985937389.0000000009F67000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000000D.00000002.2985865794.0000000009968000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000018.00000002.2985944545.0000000009B68000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 0000001C.00000002.2985487072.000000000A168000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000007.00000002.2984565478.0000000009968000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000017.00000002.2985412359.000000000A568000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: Process Memory Space: java.exe PID: 6644, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: java.exe PID: 6716, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: javaw.exe PID: 6164, type: MEMORYSTR
Source: Yara match	File source: Process Memory Space: javaw.exe PID: 7260, type: MEMORYSTR

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	11 Windows Management Instrumentation	1 Scheduled Task/Job	11 Process Injection	1 Masquerading	OS Credential Dumping	111 Security Software Discovery	Remote Services	Data from Local System	1 Non-Standard Port	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	221 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	1 Virtualization/Sandbox Evasion	LSASS Memory	1 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Ingress Tool Transfer	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	1 Exploitation for Client Execution	1 Services File Permissions Weakness	221 Registry Run Keys / Startup Folder	1 Disable or Modify Tools	Security Account Manager	1 Process Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	2 Non-Application Layer Protocol	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	1 DLL Side-Loading	1 Services File Permissions Weakness	11 Process Injection	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	Input Capture	112 Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	1 DLL Side-Loading	3 Obfuscated Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	Fallback Channels	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	1 Services File Permissions Weakness	Cached Domain Credentials	21 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	1 DLL Side-Loading	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
RICHIESTA-QUOTAZIONI.jar	18%	ReversingLabs	ByteCode-JAVA.Trojan.Generic
RICHIESTA-QUOTAZIONI.jar	17%	Virustotal		Browse

Source	Detection	Scanner	Label	Link
elastsolek21.duckdns.org	12%	Virustotal		Browse

URLs

Source	Detection	Scanner	Label
http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5	100%	URL Reputation	malware
http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5	100%	URL Reputation	malware
http://www.allatori.com	0%	URL Reputation	safe
http://bugreport.sun.com/bugreport/	0%	URL Reputation	safe
http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5Cj	100%	Avira URL Cloud	malware
http://jbfrost.live/strigoi/server/?hwid	100%	Avira URL Cloud	malware

Domains and IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
elastsolek21.duckdns.org	107.172.148.197	true	true	12%, Virustotal, Browse	unknown
ip-api.com	208.95.112.1	true	false		high

Contacted URLs

Name	Malicious	Antivirus Detection	Reputation
http://ip-api.com/json/	false		high

URLs from Memory and Binaries

Name	Source	Malicious	Antivirus Detection	Reputation
http://java.oracle.com/	java.exe, 00000002.00000002.1782413352.000000000A150000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.0000000009998000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2985865794.0000000009997000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2985412359.000000000A597000.00000004.00000800.00020000.00000000.sdmp	false		high
http://null.oracle.com/	java.exe, 00000002.00000002.1782413352.000000000A413000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.1787049784.00000000159B2000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.1786567624.00000000154E0000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.3003604185.0000000014EFD000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.0000000009B17000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2975772765.0000000004833000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.3005052322.0000000014AC2000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000017.00000003.1910717611.0000000015B83000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000017.00000003.1910788908.0000000015B9B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2976481957.0000000005434000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.3006909903.0000000015BA2000.00000004.00000020.00020000.00000000.sdmp	false		high
http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5Cj	java.exe, 00000002.00000002.1776760705.000000000504B000.00000004.00000800.00020000.00000000.sdmp	false	Avira URL Cloud: malware	unknown
http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5	javaw.exe, 00000018.00000002.2976036777.0000000004983000.00000004.00000800.00020000.00000000.sdmp	true	URL Reputation: malware URL Reputation: malware	unknown
http://www.allatori.com	java.exe, 00000002.00000002.1782413352.000000000A1E5000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.1782413352.000000000A1F8000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.0000000009963000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.0000000009994000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2985865794.0000000009993000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2985865794.0000000009962000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2985412359.000000000A593000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2985412359.000000000A562000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown
http://jbfrost.live/strigoi/server/?hwid	java.exe, 00000002.00000002.1776760705.0000000005038000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.1776760705.0000000004D9F000.00000004.00000800.00020000.00000000.sdmp	true	Avira URL Cloud: malware	unknown
http://bugreport.sun.com/bugreport/	java.exe, 00000002.00000002.1782413352.000000000A1F8000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2984565478.0000000009994000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.2985865794.0000000009993000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000017.00000002.2985412359.000000000A593000.00000004.00000800.00020000.00000000.sdmp	false	URL Reputation: safe	unknown

World Map of Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

Public IPs

IP	Domain	Country	Flag	ASN	ASN Name	Malicious
208.95.112.1	ip-api.com	United States		53334	TUT-ASUS	false
107.172.148.197	elastsolek21.duckdns.org	United States		36352	AS-COLOCROSSINGUS	true

General Information

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1430749
Start date and time:	2024-04-24 06:44:09 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 8m 9s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	defaultwindowsfilecookbook.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	31
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	HCA enabled EGA enabled GSI enabled (Java) AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	RICHIESTA-QUOTAZIONI.jar
Detection:	MAL
Classification:	mal100.troj.expl.evad.winJAR@39/12@2/2
EGA Information:	Successful, ratio: 14.3%
HCA Information:	Successful, ratio: 91% Number of executed functions: 72 Number of non-executed functions: 3
Cookbook Comments:	Found application associated with file extension: .jar

Warnings

Exclude process from analysis (whitelisted): MpCmdRun.exe, WMIADAP.exe, SIHClient.exe, conhost.exe
Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
Execution Graph export aborted for target java.exe, PID 6716 because it is empty
Execution Graph export aborted for target javaw.exe, PID 6164 because it is empty
Execution Graph export aborted for target javaw.exe, PID 7260 because it is empty
Execution Graph export aborted for target javaw.exe, PID 7428 because it is empty
Execution Graph export aborted for target javaw.exe, PID 7720 because it is empty
Execution Graph export aborted for target javaw.exe, PID 7852 because it is empty
Not all processes where analyzed, report is missing behavior information
Report size exceeded maximum capacity and may have missing behavior information.
Report size getting too big, too many NtSetInformationFile calls found.

Simulations

Behavior and APIs

Time	Type	Description
05:45:10	Autostart	Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run RICHIESTA-QUOTAZIONI "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\RICHIESTA-QUOTAZIONI.jar"
05:45:12	Task Scheduler	Run new task: Skype path: C:\Users\user\AppData\Roaming\RICHIESTA-QUOTAZIONI.jar
05:45:18	Autostart	Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run RICHIESTA-QUOTAZIONI "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\RICHIESTA-QUOTAZIONI.jar"
05:45:26	Autostart	Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run RICHIESTA-QUOTAZIONI "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\RICHIESTA-QUOTAZIONI.jar"
05:45:35	Autostart	Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RICHIESTA-QUOTAZIONI.jar
06:45:13	API Interceptor	4x Sleep call for process: WMIC.exe modified

Joe Sandbox View / Context

IPs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
208.95.112.1	explorer.exe	Get hash	malicious	RedLine, XWorm	Browse	ip-api.com/line/?fields=hosting
	X1.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	Output.exe	Get hash	malicious	RedLine, XWorm	Browse	ip-api.com/line/?fields=hosting
	X2.exe	Get hash	malicious	XWorm	Browse	ip-api.com/line/?fields=hosting
	55HUe105hhh123333.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	PI88009454 007865EQ.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Request for Quotation.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
	Factura E24000319v00. SL.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	ip-api.com/line/?fields=hosting
	QUOTATION_APRQTRA031244#U00faPDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	ip-api.com/line/?fields=hosting
	Wire Transfer Payment Receipt#2024-22-04.exe	Get hash	malicious	AgentTesla	Browse	ip-api.com/line/?fields=hosting
107.172.148.197	cb9YYjPyUR.jar	Get hash	malicious	STRRAT	Browse
	Attachment.jar	Get hash	malicious	STRRAT	Browse
	SOLICITUD-DE-COTIZACION.jar	Get hash	malicious	STRRAT	Browse
	SOLICITUD-DE-COTIZACION.jar	Get hash	malicious	STRRAT	Browse
	PEDIDO-DE-COTIZACION.jar	Get hash	malicious	STRRAT	Browse

Domains

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
elastsolek21.duckdns.org	cb9YYjPyUR.jar	Get hash	malicious	STRRAT	Browse	107.172.148.197
	Attachment.jar	Get hash	malicious	STRRAT	Browse	194.147.140.188
	SOLICITUD-DE-COTIZACION.jar	Get hash	malicious	STRRAT	Browse	194.147.140.188
	SOLICITUD-DE-COTIZACION.jar	Get hash	malicious	STRRAT	Browse	194.147.140.188
	PEDIDO-DE-COTIZACION.jar	Get hash	malicious	STRRAT	Browse	194.147.140.188
	Talep-Formu.jar	Get hash	malicious	STRRAT	Browse	194.147.140.188
	FIYAT-ISTEMI.jar	Get hash	malicious	STRRAT	Browse	194.147.140.188
	TEKLIF-ISTEME.jar	Get hash	malicious	STRRAT	Browse	194.147.140.188
	TEKLIF-ISTEME.jar	Get hash	malicious	STRRAT	Browse	194.147.140.188
	Isteme-Formu.jar	Get hash	malicious	STRRAT	Browse	194.147.140.188
ip-api.com	explorer.exe	Get hash	malicious	RedLine, XWorm	Browse	208.95.112.1
	X1.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	Output.exe	Get hash	malicious	RedLine, XWorm	Browse	208.95.112.1
	X2.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	55HUe105hhh123333.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	PI88009454 007865EQ.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	file.exe	Get hash	malicious	GuLoader, PXRECVOWEIWOEI Stealer	Browse	208.95.112.1
	Request for Quotation.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Factura E24000319v00. SL.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	208.95.112.1
	QUOTATION_APRQTRA031244#U00faPDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1

ASNs

Match	Associated Sample Name / URL	SHA 256	Detection	Threat Name	Link	Context
AS-COLOCROSSINGUS	768.xla.xlsx	Get hash	malicious	Unknown	Browse	23.95.60.77
	cb9YYjPyUR.jar	Get hash	malicious	STRRAT	Browse	107.172.148.197
	TcnD64eVFK.exe	Get hash	malicious	Remcos	Browse	107.175.229.143
	Comprobante.xlam.xlsx	Get hash	malicious	GuLoader	Browse	23.95.60.77
	Gam.xls	Get hash	malicious	Unknown	Browse	23.94.36.10
	Quotation.xls	Get hash	malicious	Remcos	Browse	107.175.229.143
	Gam.xls	Get hash	malicious	Unknown	Browse	23.94.36.10
	Gam.xls	Get hash	malicious	Unknown	Browse	23.94.36.10
	https://39.104-168-101-28.cprapid.com/Pay-PaI/	Get hash	malicious	PayPal Phisher	Browse	104.168.101.28
	x86_64.crdownload.0.dr	Get hash	malicious	Unknown	Browse	104.168.45.11
TUT-ASUS	explorer.exe	Get hash	malicious	RedLine, XWorm	Browse	208.95.112.1
	X1.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	Output.exe	Get hash	malicious	RedLine, XWorm	Browse	208.95.112.1
	X2.exe	Get hash	malicious	XWorm	Browse	208.95.112.1
	55HUe105hhh123333.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	PI88009454 007865EQ.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	file.exe	Get hash	malicious	GuLoader, PXRECVOWEIWOEI Stealer	Browse	208.95.112.1
	Request for Quotation.exe	Get hash	malicious	AgentTesla	Browse	208.95.112.1
	Factura E24000319v00. SL.exe	Get hash	malicious	AgentTesla, PureLog Stealer, RedLine	Browse	208.95.112.1
	QUOTATION_APRQTRA031244#U00faPDF.scr.exe	Get hash	malicious	AgentTesla, PureLog Stealer	Browse	208.95.112.1

Process:	C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	modified
Size (bytes):	65702
Entropy (8bit):	7.9559843386873546
Encrypted:	false
SSDEEP:	1536:sobZKi+D2XJ1BvxVqflObfGLKw5+lqSwbGGxVnjmIQUXt/Z:fMi/VvxwflpPxPRnag9/Z
MD5:	0D46EA03546BC6A9760D3EF9F15E84E7
SHA1:	3EE2E6F7CCF50B4BE839D71376BA5FEA8DDE8ACD
SHA-256:	6DA5B5CC7E2E2F07562156216D39AA49ED6FA30273B7669605EF78E4DC1BE367
SHA-512:	E0A5D48B6B98AE045776E17EB60A51896E4417B6E5017CB396B2BE96B6B3B490A631DAC94025BF33497C7E41173ACC6EE0432588FAF2D2011BB15B5A1BD10A02
Malicious:	false
Preview:	PK........w..X................kingDavid/k.class.9.\|...3o.o.\|..%@...Bb.>..@8.I@..!\KX.B...&.......(bmk[.U...X..w........z.....5.....l .W~..c..g..s_=v....6..1.i... ....5-.wD7.n.@.X......9.........@...A..f...B...t.?.3..U...Z."d.<.@....iq..8C...$..?...n...r.<~f#...<.P.C..W..w;.N.<..N_(@d.).Sw....}........w@.\^7.......u.$.@..v....?.r.H.I..p.]A......'.u3..... .g..Ng...i./.!&.\....qKN=.3@...\".L...n.<.......gvb......D.?.....O...]...H.`..%...\....\|.<....).w<N.."....i..+...\N/+.n.........W.....$.....A.4...!.x.........r....0...r......u.].,....C..Jz.R#Y./.M.{<AbX...'.?.2.v...")gd. .d..K.n....{.c..$GHQ$..z<./2.y.......].R...E(n.SM.$.......TV0..{..&.`........~A..'.P.7...E.../.Z...3k..;...XS.D+EQ9.>1<..m...p....? .j5X.0t^M...Wu.XX.....LB...a%\h.....X.`*.I#G?.....D4..`.....o.6o..j@.l....9:..z;...:8`X.. L......l.8....D...Fcm....9.U.....$.V..}.t....t_3Q.....mF(....O,.q&...7.W.:.2.u..s.I....)...;.!.s...:.N;t.n.q.U....L..N.....Sb..7.G.m9..6m.4&.7...

C:\ProgramData\Oracle\Java\.oracle_jre_usage\b5820291038aa69c.timestamp

Download File

Process:	C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
File Type:	ASCII text, with CRLF line terminators
Category:	dropped
Size (bytes):	52
Entropy (8bit):	4.834679141051596
Encrypted:	false
SSDEEP:	3:oFj4I5vpm4USfk:oJ5bs
MD5:	BEFDE95C6C7C8C9BDFE863149B26AB14
SHA1:	F6CBC96089452705C285F5965E6308B560618EE8
SHA-256:	22780202C2CAB65D2D337AAFFAB1F8648957B7C2408A6F63CEA5169B4F6566D3
SHA-512:	1D6D3907EA62CA0433DC103AA4380422E6203D0259EF8E82AA6C3C65DBA2654C7636202799FC3EC9678E5DDD2492615ACE991C84225921D694490F3737204497
Malicious:	false
Preview:	C:\Program Files (x86)\Java\jre-1.8..1713933943801..

C:\Users\user\AppData\Local\Temp\hsperfdata_user\6164

Download File

Process:	C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.2802181369135373
Encrypted:	false
SSDEEP:	96:5wGrsC8Gz4WHx4IK6/QwRkggv6hST12HG1bowOF:5ws8Gz4WHx456Bgvj0HGd
MD5:	5CB42D5691932248F210CCBCD7CD404D
SHA1:	5EA74DBE8A3DFFD6DFD3E1658F27213C043A7561
SHA-256:	C3C95C3CCFFD4D0D2CC3630C4C51BA373DF8603BBCCDDD729AD280590AEFC7EE
SHA-512:	934E1382EC313F7F559FC30D0992C8B73CCD45C9AAD33FE7FDB7E4C6A7EB9DC41A9F41419B7D04F9EF43E961892D29D4965589A1DFAA493C85E5ADD3B861CE3C
Malicious:	false
Preview:	.........9.......{...... .......8...........J...0...sun.rt._sync_Inflations.............8...........J...0...sun.rt._sync_Deflations.............@...........J...8...sun.rt._sync_ContendedLockAttempts..........8...........J...0...sun.rt._sync_FutileWakeups..........0...........J...(...sun.rt._sync_Parks..........@...........J...8...sun.rt._sync_EmptyNotifications.............8...........J...0...sun.rt._sync_Notifications..........8...........J...0...sun.rt._sync_SlowEnter..............8...........J...0...sun.rt._sync_SlowExit...............8...........J...0...sun.rt._sync_SlowNotify.............8...........J...0...sun.rt._sync_SlowNotifyAll..........8...........J...0...sun.rt._sync_FailedSpins............@...........J...8...sun.rt._sync_SuccessfulSpins................8...........J...0...sun.rt._sync_PrivateA...............8...........J...0...sun.rt._sync_PrivateB...............@...........J...8...sun.rt._sync_MonInCirculation...............8...........J...0...sun.rt._sync_MonScavenged...

C:\Users\user\AppData\Local\Temp\hsperfdata_user\6644

Download File

Process:	C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.3010864805126785
Encrypted:	false
SSDEEP:	96:hwlrM78GwZ+4r6VjjHGQMvOhfSTVmHE19o2/F:hwA8GwZ+4r6HMv2a0HEr
MD5:	56F8AB2D2D6DF67243500EE7C4C1AD70
SHA1:	BA9CBBCC83FA9BE545D913AA61DB6E033A9E97B0
SHA-256:	6EE28E5008AF1267A16B3854FBEECEC0D93FE5DB81622BD73BFED23C9FD8FA77
SHA-512:	5AAAA15D70EA6A05756522136C1FD91228F815311FCE9CC8B0E438685B070F7D8A4CD3C42526C7CAABBCCD2CED5348204D89729B95A4912EBF6D669ACCE04172
Malicious:	false
Preview:	.........9............. .......8...........J...0...sun.rt._sync_Inflations.............8...........J...0...sun.rt._sync_Deflations.............@...........J...8...sun.rt._sync_ContendedLockAttempts..........8...........J...0...sun.rt._sync_FutileWakeups..........0...........J...(...sun.rt._sync_Parks..%.......@...........J...8...sun.rt._sync_EmptyNotifications.............8...........J...0...sun.rt._sync_Notifications.. .......8...........J...0...sun.rt._sync_SlowEnter..............8...........J...0...sun.rt._sync_SlowExit...............8...........J...0...sun.rt._sync_SlowNotify.............8...........J...0...sun.rt._sync_SlowNotifyAll..........8...........J...0...sun.rt._sync_FailedSpins............@...........J...8...sun.rt._sync_SuccessfulSpins................8...........J...0...sun.rt._sync_PrivateA...............8...........J...0...sun.rt._sync_PrivateB...............@...........J...8...sun.rt._sync_MonInCirculation...............8...........J...0...sun.rt._sync_MonScavenged...

C:\Users\user\AppData\Local\Temp\hsperfdata_user\6716

Download File

Process:	C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.2812390365477075
Encrypted:	false
SSDEEP:	96:qLUre8D38GWrkCGg6y+m76qkjiZUdST12HG1bowOF:qLW8GWrkCGg6yHkXM0HGd
MD5:	4BC72ABA11DC3BA822E4630D4991FB99
SHA1:	B5D40F2FD16107D91E6242DFC17BA357D9BC71F3
SHA-256:	812F3DC83461F1F0EE9A24DF1981D91C466D7FC245299B576B4A96C0A5EEF465
SHA-512:	A40CF39894416E893E043BF793CA24BE6454D0231EF631DD05E99F89D702DD031F6881BB9A5546ABB4BF7AEBDE0981C9F5FCC20AD689F8C497459B3D3ED959B7
Malicious:	false
Preview:	.........9.............. .......8...........J...0...sun.rt._sync_Inflations.............8...........J...0...sun.rt._sync_Deflations.............@...........J...8...sun.rt._sync_ContendedLockAttempts..........8...........J...0...sun.rt._sync_FutileWakeups..........0...........J...(...sun.rt._sync_Parks..........@...........J...8...sun.rt._sync_EmptyNotifications.............8...........J...0...sun.rt._sync_Notifications..........8...........J...0...sun.rt._sync_SlowEnter..............8...........J...0...sun.rt._sync_SlowExit...............8...........J...0...sun.rt._sync_SlowNotify.............8...........J...0...sun.rt._sync_SlowNotifyAll..........8...........J...0...sun.rt._sync_FailedSpins............@...........J...8...sun.rt._sync_SuccessfulSpins................8...........J...0...sun.rt._sync_PrivateA...............8...........J...0...sun.rt._sync_PrivateB...............@...........J...8...sun.rt._sync_MonInCirculation...............8...........J...0...sun.rt._sync_MonScavenged...

C:\Users\user\AppData\Local\Temp\hsperfdata_user\7260

Download File

Process:	C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.2795169993912645
Encrypted:	false
SSDEEP:	96:PwBr3H8G8c6a4IK6QxrwVscQsFSTy2HG1bowOF0:Pwt8G8c6a456QGQtvHGdx
MD5:	CED4E6F86CCACBADE629D68123782005
SHA1:	E4BBB98E07E7FAFEE512B571713799A29A3E3D57
SHA-256:	9E679CF089F1A902E5A7C165B4EE1824F67CC543ACCD72EAD3C1FA7B5A8BB3C0
SHA-512:	F65DD3A5AB4EB4C26597FBAF15B9FADDBA13E2021A11E460917ECB9F021D7EB4122B3B82C162FDF02F3284CCD62EAD2D8B03BBC95092149B8BA2507430171F30
Malicious:	false
Preview:	.........9......m....... .......8...........J...0...sun.rt._sync_Inflations.............8...........J...0...sun.rt._sync_Deflations.............@...........J...8...sun.rt._sync_ContendedLockAttempts..........8...........J...0...sun.rt._sync_FutileWakeups..........0...........J...(...sun.rt._sync_Parks..........@...........J...8...sun.rt._sync_EmptyNotifications.............8...........J...0...sun.rt._sync_Notifications..........8...........J...0...sun.rt._sync_SlowEnter..............8...........J...0...sun.rt._sync_SlowExit...............8...........J...0...sun.rt._sync_SlowNotify.............8...........J...0...sun.rt._sync_SlowNotifyAll..........8...........J...0...sun.rt._sync_FailedSpins............@...........J...8...sun.rt._sync_SuccessfulSpins................8...........J...0...sun.rt._sync_PrivateA...............8...........J...0...sun.rt._sync_PrivateB...............@...........J...8...sun.rt._sync_MonInCirculation...............8...........J...0...sun.rt._sync_MonScavenged...

C:\Users\user\AppData\Local\Temp\hsperfdata_user\7428

Download File

Process:	C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.2809062153785948
Encrypted:	false
SSDEEP:	96:9wdrVKyt8GaCv/h4IK6jOwuz0gkYlFfSTy2HG1bowOF:9w38Gjv/h456OkYlkvHGd
MD5:	4E0AD2044F437F0F6BC2F75EA9B1E0D1
SHA1:	6CED3CCC312AFDDF2F8350C4A79DF20F9FECA853
SHA-256:	E4A3C6F2F16E8ECF022E302504EB762D0EB717AC29D56A7787E9A0F1A3695EC8
SHA-512:	D2D268CA5372425390EBAE5DB25FB705E6CCEB89CB2BB1174EB66B61240ED53485B089F97867D6AD6BF45926EB3A1CBA3172DE442F3144FD9C0857D5A580959F
Malicious:	false
Preview:	.........9........#..... .......8...........J...0...sun.rt._sync_Inflations.............8...........J...0...sun.rt._sync_Deflations.............@...........J...8...sun.rt._sync_ContendedLockAttempts..........8...........J...0...sun.rt._sync_FutileWakeups..........0...........J...(...sun.rt._sync_Parks..........@...........J...8...sun.rt._sync_EmptyNotifications.............8...........J...0...sun.rt._sync_Notifications..........8...........J...0...sun.rt._sync_SlowEnter..............8...........J...0...sun.rt._sync_SlowExit...............8...........J...0...sun.rt._sync_SlowNotify.............8...........J...0...sun.rt._sync_SlowNotifyAll..........8...........J...0...sun.rt._sync_FailedSpins............@...........J...8...sun.rt._sync_SuccessfulSpins................8...........J...0...sun.rt._sync_PrivateA...............8...........J...0...sun.rt._sync_PrivateB...............@...........J...8...sun.rt._sync_MonInCirculation...............8...........J...0...sun.rt._sync_MonScavenged...

C:\Users\user\AppData\Local\Temp\hsperfdata_user\7720

Download File

Process:	C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.2800476566265535
Encrypted:	false
SSDEEP:	96:TwCr3228Gja+Us4IK6NqwwQRQAYUBXSTy2HG1bowOFe:TwKh8Gja+Us4560AYfvHGdv
MD5:	88F23478711E5BA7D1A80614B199BAEB
SHA1:	3A2E090A9DF6B4AF770F1BD29006DD9C9A839B8E
SHA-256:	E0F81C7A79F94C421F2C9D03B630E2E6A28BDC1C5FEDDF9FB92B2EFB98FDC39E
SHA-512:	DF8FC46CA35E21FBEC20BE9E56CBCF18CFFC48BE1725BCB902D8FA6826A47F601DD62B6D75A7B8E334284A831DC7F7C50B2AA5F1A222F976930AB63CB5EC9FD9
Malicious:	false
Preview:	.........9......I.(..... .......8...........J...0...sun.rt._sync_Inflations.............8...........J...0...sun.rt._sync_Deflations.............@...........J...8...sun.rt._sync_ContendedLockAttempts..........8...........J...0...sun.rt._sync_FutileWakeups..........0...........J...(...sun.rt._sync_Parks..........@...........J...8...sun.rt._sync_EmptyNotifications.............8...........J...0...sun.rt._sync_Notifications..........8...........J...0...sun.rt._sync_SlowEnter..............8...........J...0...sun.rt._sync_SlowExit...............8...........J...0...sun.rt._sync_SlowNotify.............8...........J...0...sun.rt._sync_SlowNotifyAll..........8...........J...0...sun.rt._sync_FailedSpins............@...........J...8...sun.rt._sync_SuccessfulSpins................8...........J...0...sun.rt._sync_PrivateA...............8...........J...0...sun.rt._sync_PrivateB...............@...........J...8...sun.rt._sync_MonInCirculation...............8...........J...0...sun.rt._sync_MonScavenged...

C:\Users\user\AppData\Local\Temp\hsperfdata_user\7852

Download File

Process:	C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
File Type:	data
Category:	dropped
Size (bytes):	65536
Entropy (8bit):	1.2929590989189106
Encrypted:	false
SSDEEP:	96:nwGrEp8Gdq0X4IK63OwzgowNpvSTdmuHG1bowJmd:nwb8Gdq0X456yoggVHGd
MD5:	714D8AC8CACCD4FCFD6BE49E95CFE0D1
SHA1:	016ABD930224DC3EA6DAB326ECC03946458D5A3D
SHA-256:	F41273F04F6D2D3B5D66176D512D4632E47ECEFDE323EB8AD276020F48E88964
SHA-512:	421A303EA80A0DDADEBCDFB76F4497B4CFD5C70268454485ED2109440507835B2922CE98D34E9E803D3CD4C89CCEAF22A983571FAE5D17BE6B42E6E94E056BEC
Malicious:	false
Preview:	........`9......'....... .......8...........J...0...sun.rt._sync_Inflations.............8...........J...0...sun.rt._sync_Deflations.............@...........J...8...sun.rt._sync_ContendedLockAttempts..........8...........J...0...sun.rt._sync_FutileWakeups..........0...........J...(...sun.rt._sync_Parks..........@...........J...8...sun.rt._sync_EmptyNotifications.............8...........J...0...sun.rt._sync_Notifications..........8...........J...0...sun.rt._sync_SlowEnter..............8...........J...0...sun.rt._sync_SlowExit...............8...........J...0...sun.rt._sync_SlowNotify.............8...........J...0...sun.rt._sync_SlowNotifyAll..........8...........J...0...sun.rt._sync_FailedSpins............@...........J...8...sun.rt._sync_SuccessfulSpins................8...........J...0...sun.rt._sync_PrivateA...............8...........J...0...sun.rt._sync_PrivateB...............@...........J...8...sun.rt._sync_MonInCirculation...............8...........J...0...sun.rt._sync_MonScavenged...

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RICHIESTA-QUOTAZIONI.jar

Download File

Process:	C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	65702
Entropy (8bit):	7.9559843386873546
Encrypted:	false
SSDEEP:	1536:sobZKi+D2XJ1BvxVqflObfGLKw5+lqSwbGGxVnjmIQUXt/Z:fMi/VvxwflpPxPRnag9/Z
MD5:	0D46EA03546BC6A9760D3EF9F15E84E7
SHA1:	3EE2E6F7CCF50B4BE839D71376BA5FEA8DDE8ACD
SHA-256:	6DA5B5CC7E2E2F07562156216D39AA49ED6FA30273B7669605EF78E4DC1BE367
SHA-512:	E0A5D48B6B98AE045776E17EB60A51896E4417B6E5017CB396B2BE96B6B3B490A631DAC94025BF33497C7E41173ACC6EE0432588FAF2D2011BB15B5A1BD10A02
Malicious:	true
Preview:	PK........w..X................kingDavid/k.class.9.\|...3o.o.\|..%@...Bb.>..@8.I@..!\KX.B...&.......(bmk[.U...X..w........z.....5.....l .W~..c..g..s_=v....6..1.i... ....5-.wD7.n.@.X......9.........@...A..f...B...t.?.3..U...Z."d.<.@....iq..8C...$..?...n...r.<~f#...<.P.C..W..w;.N.<..N_(@d.).Sw....}........w@.\^7.......u.$.@..v....?.r.H.I..p.]A......'.u3..... .g..Ng...i./.!&.\....qKN=.3@...\".L...n.<.......gvb......D.?.....O...]...H.`..%...\....\|.<....).w<N.."....i..+...\N/+.n.........W.....$.....A.4...!.x.........r....0...r......u.].,....C..Jz.R#Y./.M.{<AbX...'.?.2.v...")gd. .d..K.n....{.c..$GHQ$..z<./2.y.......].R...E(n.SM.$.......TV0..{..&.`........~A..'.P.7...E.../.Z...3k..;...XS.D+EQ9.>1<..m...p....? .j5X.0t^M...Wu.XX.....LB...a%\h.....X.`*.I#G?.....D4..`.....o.6o..j@.l....9:..z;...:8`X.. L......l.8....D...Fcm....9.U.....$.V..}.t....t_3Q.....mF(....O,.q&...7.W.:.2.u..s.I....)...;.!.s...:.N;t.n.q.U....L..N.....Sb..7.G.m9..6m.4&.7...

C:\Users\user\AppData\Roaming\RICHIESTA-QUOTAZIONI.jar

Download File

Process:	C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
File Type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Category:	dropped
Size (bytes):	65702
Entropy (8bit):	7.9559843386873546
Encrypted:	false
SSDEEP:	1536:sobZKi+D2XJ1BvxVqflObfGLKw5+lqSwbGGxVnjmIQUXt/Z:fMi/VvxwflpPxPRnag9/Z
MD5:	0D46EA03546BC6A9760D3EF9F15E84E7
SHA1:	3EE2E6F7CCF50B4BE839D71376BA5FEA8DDE8ACD
SHA-256:	6DA5B5CC7E2E2F07562156216D39AA49ED6FA30273B7669605EF78E4DC1BE367
SHA-512:	E0A5D48B6B98AE045776E17EB60A51896E4417B6E5017CB396B2BE96B6B3B490A631DAC94025BF33497C7E41173ACC6EE0432588FAF2D2011BB15B5A1BD10A02
Malicious:	true
Preview:	PK........w..X................kingDavid/k.class.9.\|...3o.o.\|..%@...Bb.>..@8.I@..!\KX.B...&.......(bmk[.U...X..w........z.....5.....l .W~..c..g..s_=v....6..1.i... ....5-.wD7.n.@.X......9.........@...A..f...B...t.?.3..U...Z."d.<.@....iq..8C...$..?...n...r.<~f#...<.P.C..W..w;.N.<..N_(@d.).Sw....}........w@.\^7.......u.$.@..v....?.r.H.I..p.]A......'.u3..... .g..Ng...i./.!&.\....qKN=.3@...\".L...n.<.......gvb......D.?.....O...]...H.`..%...\....\|.<....).w<N.."....i..+...\N/+.n.........W.....$.....A.4...!.x.........r....0...r......u.].,....C..Jz.R#Y./.M.{<AbX...'.?.2.v...")gd. .d..K.n....{.c..$GHQ$..z<./2.y.......].R...E(n.SM.$.......TV0..{..&.`........~A..'.P.7...E.../.Z...3k..;...XS.D+EQ9.>1<..m...p....? .j5X.0t^M...Wu.XX.....LB...a%\h.....X.`*.I#G?.....D4..`.....o.6o..j@.l....9:..z;...:8`X.. L......l.8....D...Fcm....9.U.....$.V..}.t....t_3Q.....mF(....O,.q&...7.W.:.2.u..s.I....)...;.!.s...:.N;t.n.q.U....L..N.....Sb..7.G.m9..6m.4&.7...

C:\cmdlinestart.log

Download File

Process:	C:\Windows\SysWOW64\cmd.exe
File Type:	ASCII text, with CRLF, LF line terminators
Category:	dropped
Size (bytes):	631
Entropy (8bit):	2.276448760506967
Encrypted:	false
SSDEEP:	6:LLpG4/7s3FeFjtG22T0CgUS8F/SANtBomr3r4MEuigyDTeGQj:nphg3FeFBio8FqANtaqNi1/ZQj
MD5:	C2D33480DF68FF210A93DA4E644F45B4
SHA1:	A4C13A730A24041A31B5F8255543466C0606E431
SHA-256:	41DE3008B2F7D4F2E3007878B01BB2CCC0F5FACF7BCE5DD8DF76C17E08B19D2A
SHA-512:	7175BF3899A9B266840AEC23CCDC01BCD887D358FC4EDBF4CA22498128EB29C2807F7CA4EDFD9FD3A1992EE118DB31DA9594BB219A1FC64F264B682529D18215
Malicious:	true
Yara Hits:	Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: C:\cmdlinestart.log, Author: Joe Security Rule: INDICATOR_JAVA_Packed_Allatori, Description: Detects files packed with Allatori Java Obfuscator, Source: C:\cmdlinestart.log, Author: ditekSHen
Preview:	.################################################.# #.# ## # # ## ### ### ## ### #.# # # # # # # # # # # # # #.# ### # # ### # # # ## # #.# # # ### ### # # # ### # # ### #.# #.# Obfuscation by Allatori Obfuscator v8.7 DEMO #.# #.# http://www.allatori.com #.# #.################################################...Inside main method..Inside constructor..

Static File Info

General

File type:	Zip archive data, at least v2.0 to extract, compression method=deflate
Entropy (8bit):	7.9559843386873546
TrID:	Java Archive (13504/1) 62.80% ZIP compressed archive (8000/1) 37.20%
File name:	RICHIESTA-QUOTAZIONI.jar
File size:	65'702 bytes
MD5:	0d46ea03546bc6a9760d3ef9f15e84e7
SHA1:	3ee2e6f7ccf50b4be839d71376ba5fea8dde8acd
SHA256:	6da5b5cc7e2e2f07562156216d39aa49ed6fa30273b7669605ef78e4dc1be367
SHA512:	e0a5d48b6b98ae045776e17eb60a51896e4417b6e5017cb396b2be96b6b3b490a631dac94025bf33497c7e41173acc6ee0432588faf2d2011bb15b5a1bd10a02
SSDEEP:	1536:sobZKi+D2XJ1BvxVqflObfGLKw5+lqSwbGGxVnjmIQUXt/Z:fMi/VvxwflpPxPRnag9/Z
TLSH:	0353E168FDFDD136D21A40F64434422AE8B8CCAE55CEB19A0D9859D7CC70DDAAB0774C
File Content Preview:	PK........w..X................kingDavid/k.class.9.\|...3o.o.\|..%@...Bb.>..@8.I@..!\KX.B...&........(bmk[.U...X..w.........z.....5.....l .W~...c...g..s_=v....6..1.i... ....5-.wD7.n.@.X.......9..........@....A...f...B...t.?.3..U...Z."d.<.@....iq..8C...$..?..

File Icon


Icon Hash:	d08c8e8ea2868a54

Network Behavior

Snort IDS Alerts

Timestamp	Protocol	SID	Message	Source Port	Dest Port	Source IP	Dest IP
04/24/24-06:47:10.647172	TCP	2030358	ET TROJAN STRRAT CnC Checkin	49730	4781	192.168.2.4	107.172.148.197

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 24, 2024 06:45:13.275134087 CEST	49730	4781	192.168.2.4	107.172.148.197
Apr 24, 2024 06:45:13.492863894 CEST	4781	49730	107.172.148.197	192.168.2.4
Apr 24, 2024 06:45:13.492973089 CEST	49730	4781	192.168.2.4	107.172.148.197
Apr 24, 2024 06:45:18.865320921 CEST	49731	80	192.168.2.4	208.95.112.1
Apr 24, 2024 06:45:19.028649092 CEST	80	49731	208.95.112.1	192.168.2.4
Apr 24, 2024 06:45:19.032625914 CEST	49731	80	192.168.2.4	208.95.112.1
Apr 24, 2024 06:45:19.033124924 CEST	49731	80	192.168.2.4	208.95.112.1
Apr 24, 2024 06:45:19.194868088 CEST	80	49731	208.95.112.1	192.168.2.4
Apr 24, 2024 06:45:19.194943905 CEST	49731	80	192.168.2.4	208.95.112.1
Apr 24, 2024 06:45:19.196633101 CEST	49731	80	192.168.2.4	208.95.112.1
Apr 24, 2024 06:45:19.196928978 CEST	49730	4781	192.168.2.4	107.172.148.197
Apr 24, 2024 06:45:19.357265949 CEST	80	49731	208.95.112.1	192.168.2.4
Apr 24, 2024 06:45:19.453479052 CEST	4781	49730	107.172.148.197	192.168.2.4
Apr 24, 2024 06:45:19.453552961 CEST	49730	4781	192.168.2.4	107.172.148.197
Apr 24, 2024 06:45:19.713606119 CEST	4781	49730	107.172.148.197	192.168.2.4
Apr 24, 2024 06:45:24.230484009 CEST	49730	4781	192.168.2.4	107.172.148.197
Apr 24, 2024 06:45:24.497981071 CEST	4781	49730	107.172.148.197	192.168.2.4
Apr 24, 2024 06:45:24.500595093 CEST	49730	4781	192.168.2.4	107.172.148.197
Apr 24, 2024 06:45:24.760771036 CEST	4781	49730	107.172.148.197	192.168.2.4
Apr 24, 2024 06:45:29.234004974 CEST	49730	4781	192.168.2.4	107.172.148.197
Apr 24, 2024 06:45:29.608356953 CEST	4781	49730	107.172.148.197	192.168.2.4
Apr 24, 2024 06:45:29.608489037 CEST	49730	4781	192.168.2.4	107.172.148.197
Apr 24, 2024 06:45:29.916351080 CEST	4781	49730	107.172.148.197	192.168.2.4
Apr 24, 2024 06:45:34.233644962 CEST	49730	4781	192.168.2.4	107.172.148.197
Apr 24, 2024 06:45:34.495820999 CEST	4781	49730	107.172.148.197	192.168.2.4
Apr 24, 2024 06:45:34.496530056 CEST	49730	4781	192.168.2.4	107.172.148.197
Apr 24, 2024 06:45:34.760921001 CEST	4781	49730	107.172.148.197	192.168.2.4
Apr 24, 2024 06:45:39.253556967 CEST	49730	4781	192.168.2.4	107.172.148.197
Apr 24, 2024 06:45:39.513835907 CEST	4781	49730	107.172.148.197	192.168.2.4
Apr 24, 2024 06:45:39.513932943 CEST	49730	4781	192.168.2.4	107.172.148.197
Apr 24, 2024 06:45:39.779949903 CEST	4781	49730	107.172.148.197	192.168.2.4
Apr 24, 2024 06:45:44.482928038 CEST	49730	4781	192.168.2.4	107.172.148.197
Apr 24, 2024 06:45:44.746915102 CEST	4781	49730	107.172.148.197	192.168.2.4
Apr 24, 2024 06:45:44.747060061 CEST	49730	4781	192.168.2.4	107.172.148.197
Apr 24, 2024 06:45:45.010004044 CEST	4781	49730	107.172.148.197	192.168.2.4
Apr 24, 2024 06:45:49.492558002 CEST	49730	4781	192.168.2.4	107.172.148.197
Apr 24, 2024 06:45:49.749700069 CEST	4781	49730	107.172.148.197	192.168.2.4
Apr 24, 2024 06:45:49.749784946 CEST	49730	4781	192.168.2.4	107.172.148.197
Apr 24, 2024 06:45:50.010823011 CEST	4781	49730	107.172.148.197	192.168.2.4
Apr 24, 2024 06:45:54.491256952 CEST	49730	4781	192.168.2.4	107.172.148.197
Apr 24, 2024 06:45:54.757467031 CEST	4781	49730	107.172.148.197	192.168.2.4
Apr 24, 2024 06:45:54.757574081 CEST	49730	4781	192.168.2.4	107.172.148.197
Apr 24, 2024 06:45:55.018445015 CEST	4781	49730	107.172.148.197	192.168.2.4
Apr 24, 2024 06:45:59.491357088 CEST	49730	4781	192.168.2.4	107.172.148.197
Apr 24, 2024 06:45:59.757329941 CEST	4781	49730	107.172.148.197	192.168.2.4
Apr 24, 2024 06:45:59.757437944 CEST	49730	4781	192.168.2.4	107.172.148.197
Apr 24, 2024 06:46:00.020431042 CEST	4781	49730	107.172.148.197	192.168.2.4
Apr 24, 2024 06:46:04.506970882 CEST	49730	4781	192.168.2.4	107.172.148.197
Apr 24, 2024 06:46:04.780580997 CEST	4781	49730	107.172.148.197	192.168.2.4
Apr 24, 2024 06:46:04.780672073 CEST	49730	4781	192.168.2.4	107.172.148.197
Apr 24, 2024 06:46:05.043565035 CEST	4781	49730	107.172.148.197	192.168.2.4
Apr 24, 2024 06:46:09.506906986 CEST	49730	4781	192.168.2.4	107.172.148.197
Apr 24, 2024 06:46:09.771460056 CEST	4781	49730	107.172.148.197	192.168.2.4
Apr 24, 2024 06:46:09.771538019 CEST	49730	4781	192.168.2.4	107.172.148.197
Apr 24, 2024 06:46:10.031327963 CEST	4781	49730	107.172.148.197	192.168.2.4
Apr 24, 2024 06:46:14.522526979 CEST	49730	4781	192.168.2.4	107.172.148.197
Apr 24, 2024 06:46:14.779325962 CEST	4781	49730	107.172.148.197	192.168.2.4
Apr 24, 2024 06:46:14.779393911 CEST	49730	4781	192.168.2.4	107.172.148.197
Apr 24, 2024 06:46:15.055336952 CEST	4781	49730	107.172.148.197	192.168.2.4
Apr 24, 2024 06:46:19.522500038 CEST	49730	4781	192.168.2.4	107.172.148.197
Apr 24, 2024 06:46:19.783488035 CEST	4781	49730	107.172.148.197	192.168.2.4
Apr 24, 2024 06:46:19.783602953 CEST	49730	4781	192.168.2.4	107.172.148.197
Apr 24, 2024 06:46:20.049071074 CEST	4781	49730	107.172.148.197	192.168.2.4
Apr 24, 2024 06:46:24.538245916 CEST	49730	4781	192.168.2.4	107.172.148.197
Apr 24, 2024 06:46:24.797614098 CEST	4781	49730	107.172.148.197	192.168.2.4
Apr 24, 2024 06:46:24.798676968 CEST	49730	4781	192.168.2.4	107.172.148.197
Apr 24, 2024 06:46:25.059663057 CEST	4781	49730	107.172.148.197	192.168.2.4
Apr 24, 2024 06:46:29.553812981 CEST	49730	4781	192.168.2.4	107.172.148.197
Apr 24, 2024 06:46:29.818741083 CEST	4781	49730	107.172.148.197	192.168.2.4
Apr 24, 2024 06:46:29.818984985 CEST	49730	4781	192.168.2.4	107.172.148.197
Apr 24, 2024 06:46:30.081176043 CEST	4781	49730	107.172.148.197	192.168.2.4
Apr 24, 2024 06:46:34.553850889 CEST	49730	4781	192.168.2.4	107.172.148.197
Apr 24, 2024 06:46:34.815314054 CEST	4781	49730	107.172.148.197	192.168.2.4
Apr 24, 2024 06:46:34.815593958 CEST	49730	4781	192.168.2.4	107.172.148.197
Apr 24, 2024 06:46:35.080410004 CEST	4781	49730	107.172.148.197	192.168.2.4
Apr 24, 2024 06:46:39.554276943 CEST	49730	4781	192.168.2.4	107.172.148.197
Apr 24, 2024 06:46:39.809283018 CEST	4781	49730	107.172.148.197	192.168.2.4
Apr 24, 2024 06:46:39.809497118 CEST	49730	4781	192.168.2.4	107.172.148.197
Apr 24, 2024 06:46:40.064038038 CEST	4781	49730	107.172.148.197	192.168.2.4
Apr 24, 2024 06:46:44.569499969 CEST	49730	4781	192.168.2.4	107.172.148.197
Apr 24, 2024 06:46:44.838530064 CEST	4781	49730	107.172.148.197	192.168.2.4
Apr 24, 2024 06:46:44.838764906 CEST	49730	4781	192.168.2.4	107.172.148.197
Apr 24, 2024 06:46:45.101454973 CEST	4781	49730	107.172.148.197	192.168.2.4
Apr 24, 2024 06:46:49.569453955 CEST	49730	4781	192.168.2.4	107.172.148.197
Apr 24, 2024 06:46:49.828901052 CEST	4781	49730	107.172.148.197	192.168.2.4
Apr 24, 2024 06:46:49.829041004 CEST	49730	4781	192.168.2.4	107.172.148.197
Apr 24, 2024 06:46:50.091857910 CEST	4781	49730	107.172.148.197	192.168.2.4
Apr 24, 2024 06:46:55.377851963 CEST	49730	4781	192.168.2.4	107.172.148.197
Apr 24, 2024 06:46:55.634308100 CEST	4781	49730	107.172.148.197	192.168.2.4
Apr 24, 2024 06:46:55.634423018 CEST	49730	4781	192.168.2.4	107.172.148.197
Apr 24, 2024 06:46:55.896193027 CEST	4781	49730	107.172.148.197	192.168.2.4
Apr 24, 2024 06:47:00.369498968 CEST	49730	4781	192.168.2.4	107.172.148.197
Apr 24, 2024 06:47:00.630219936 CEST	4781	49730	107.172.148.197	192.168.2.4
Apr 24, 2024 06:47:00.630538940 CEST	49730	4781	192.168.2.4	107.172.148.197
Apr 24, 2024 06:47:00.893136978 CEST	4781	49730	107.172.148.197	192.168.2.4
Apr 24, 2024 06:47:05.366796017 CEST	49730	4781	192.168.2.4	107.172.148.197
Apr 24, 2024 06:47:05.632882118 CEST	4781	49730	107.172.148.197	192.168.2.4
Apr 24, 2024 06:47:05.633085012 CEST	49730	4781	192.168.2.4	107.172.148.197
Apr 24, 2024 06:47:05.895028114 CEST	4781	49730	107.172.148.197	192.168.2.4
Apr 24, 2024 06:47:10.382129908 CEST	49730	4781	192.168.2.4	107.172.148.197
Apr 24, 2024 06:47:10.646862030 CEST	4781	49730	107.172.148.197	192.168.2.4
Apr 24, 2024 06:47:10.647171974 CEST	49730	4781	192.168.2.4	107.172.148.197
Apr 24, 2024 06:47:10.911396027 CEST	4781	49730	107.172.148.197	192.168.2.4

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 24, 2024 06:45:12.528367996 CEST	63011	53	192.168.2.4	1.1.1.1
Apr 24, 2024 06:45:13.263686895 CEST	53	63011	1.1.1.1	192.168.2.4
Apr 24, 2024 06:45:18.705950022 CEST	60700	53	192.168.2.4	1.1.1.1
Apr 24, 2024 06:45:18.860886097 CEST	53	60700	1.1.1.1	192.168.2.4

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class	DNS over HTTPS
Apr 24, 2024 06:45:12.528367996 CEST	192.168.2.4	1.1.1.1	0x3f35	Standard query (0)	elastsolek21.duckdns.org	A (IP address)	IN (0x0001)	false
Apr 24, 2024 06:45:18.705950022 CEST	192.168.2.4	1.1.1.1	0xdffa	Standard query (0)	ip-api.com	A (IP address)	IN (0x0001)	false

DNS Answers

Timestamp	Source IP	Dest IP	Trans ID	Reply Code	Name	CName	Address	Type	Class	DNS over HTTPS
Apr 24, 2024 06:45:13.263686895 CEST	1.1.1.1	192.168.2.4	0x3f35	No error (0)	elastsolek21.duckdns.org		107.172.148.197	A (IP address)	IN (0x0001)	false
Apr 24, 2024 06:45:18.860886097 CEST	1.1.1.1	192.168.2.4	0xdffa	No error (0)	ip-api.com		208.95.112.1	A (IP address)	IN (0x0001)	false

HTTP Request Dependency Graph

ip-api.com

HTTP Packets

Session ID	Source IP	Source Port	Destination IP	Destination Port	PID	Process
0	192.168.2.4	49731	208.95.112.1	80	6716	C:\Program Files (x86)\Java\jre-1.8\bin\java.exe

Timestamp	Bytes transferred	Direction	Data
Apr 24, 2024 06:45:19.033124924 CEST	188	OUT	GET /json/ HTTP/1.1 Host: ip-api.com User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36 Connection: close
Apr 24, 2024 06:45:19.194868088 CEST	456	IN	HTTP/1.1 200 OK Date: Wed, 24 Apr 2024 04:45:18 GMT Content-Type: application/json; charset=utf-8 Content-Length: 279 Access-Control-Allow-Origin: * X-Ttl: 60 X-Rl: 44 Data Raw: 7b 22 73 74 61 74 75 73 22 3a 22 73 75 63 63 65 73 73 22 2c 22 63 6f 75 6e 74 72 79 22 3a 22 55 6e 69 74 65 64 20 53 74 61 74 65 73 22 2c 22 63 6f 75 6e 74 72 79 43 6f 64 65 22 3a 22 55 53 22 2c 22 72 65 67 69 6f 6e 22 3a 22 4e 56 22 2c 22 72 65 67 69 6f 6e 4e 61 6d 65 22 3a 22 4e 65 76 61 64 61 22 2c 22 63 69 74 79 22 3a 22 4c 61 73 20 56 65 67 61 73 22 2c 22 7a 69 70 22 3a 22 38 39 31 30 31 22 2c 22 6c 61 74 22 3a 33 36 2e 31 36 38 35 2c 22 6c 6f 6e 22 3a 2d 31 31 35 2e 31 31 36 34 2c 22 74 69 6d 65 7a 6f 6e 65 22 3a 22 41 6d 65 72 69 63 61 2f 4c 6f 73 5f 41 6e 67 65 6c 65 73 22 2c 22 69 73 70 22 3a 22 41 53 31 37 34 22 2c 22 6f 72 67 22 3a 22 22 2c 22 61 73 22 3a 22 41 53 31 37 34 20 43 6f 67 65 6e 74 20 43 6f 6d 6d 75 6e 69 63 61 74 69 6f 6e 73 22 2c 22 71 75 65 72 79 22 3a 22 31 35 34 2e 31 36 2e 31 30 35 2e 33 36 22 7d Data Ascii: {"status":"success","country":"United States","countryCode":"US","region":"NV","regionName":"Nevada","city":"Las Vegas","zip":"89101","lat":36.1685,"lon":-115.1164,"timezone":"America/Los_Angeles","isp":"AS174","org":"","as":"AS174 Cogent Communications","query":"154.16.105.36"}

Target ID:	0
Start time:	06:45:08
Start date:	24/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\RICHIESTA-QUOTAZIONI.jar"" >> C:\cmdlinestart.log 2>&1
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	1
Start time:	06:45:08
Start date:	24/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	2
Start time:	06:45:08
Start date:	24/04/2024
Path:	C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\RICHIESTA-QUOTAZIONI.jar"
Imagebase:	0x330000
File size:	257'664 bytes
MD5 hash:	9DAA53BAB2ECB33DC0D9CA51552701FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 00000002.00000002.1782413352.000000000A1E5000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_JAVA_Packed_Allatori, Description: Detects files packed with Allatori Java Obfuscator, Source: 00000002.00000002.1782413352.000000000A1E5000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 00000002.00000002.1782413352.000000000A1F8000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_JAVA_Packed_Allatori, Description: Detects files packed with Allatori Java Obfuscator, Source: 00000002.00000002.1782413352.000000000A1F8000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	3
Start time:	06:45:09
Start date:	24/04/2024
Path:	C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit):	true
Commandline:	C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Imagebase:	0x310000
File size:	29'696 bytes
MD5 hash:	2E49585E4E08565F52090B144062F97E
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	4
Start time:	06:45:09
Start date:	24/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	5
Start time:	06:45:10
Start date:	24/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\user\AppData\Roaming\RICHIESTA-QUOTAZIONI.jar"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	6
Start time:	06:45:10
Start date:	24/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	7
Start time:	06:45:10
Start date:	24/04/2024
Path:	C:\Program Files (x86)\Java\jre-1.8\bin\java.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -jar "C:\Users\user\AppData\Roaming\RICHIESTA-QUOTAZIONI.jar"
Imagebase:	0x330000
File size:	257'664 bytes
MD5 hash:	9DAA53BAB2ECB33DC0D9CA51552701FA
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 00000007.00000002.2984565478.0000000009963000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_JAVA_Packed_Allatori, Description: Detects files packed with Allatori Java Obfuscator, Source: 00000007.00000002.2984565478.0000000009963000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 00000007.00000002.2984565478.0000000009994000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_JAVA_Packed_Allatori, Description: Detects files packed with Allatori Java Obfuscator, Source: 00000007.00000002.2984565478.0000000009994000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_STRRAT, Description: Yara detected STRRAT, Source: 00000007.00000002.2984565478.0000000009968000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Reputation:	moderate
Has exited:	false

Show Windows behavior

Target ID:	8
Start time:	06:45:10
Start date:	24/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	false

Show Windows behavior

Target ID:	9
Start time:	06:45:10
Start date:	24/04/2024
Path:	C:\Windows\SysWOW64\schtasks.exe
Wow64 process (32bit):	true
Commandline:	schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\user\AppData\Roaming\RICHIESTA-QUOTAZIONI.jar"
Imagebase:	0x7ff7699e0000
File size:	187'904 bytes
MD5 hash:	48C2FE20575769DE916F48EF0676A965
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	10
Start time:	06:45:12
Start date:	24/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	11
Start time:	06:45:12
Start date:	24/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high
Has exited:	true

Show Windows behavior

Target ID:	12
Start time:	06:45:12
Start date:	24/04/2024
Path:	C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit):	true
Commandline:	wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
Imagebase:	0xc0000
File size:	427'008 bytes
MD5 hash:	E2DE6500DE1148C7F6027AD50AC8B891
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate
Has exited:	true

Show Windows behavior

Target ID:	13
Start time:	06:45:12
Start date:	24/04/2024
Path:	C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\RICHIESTA-QUOTAZIONI.jar"
Imagebase:	0xf40000
File size:	257'664 bytes
MD5 hash:	6E0F4F812AE02FBCB744A929E74A04B8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_STRRAT, Description: Yara detected STRRAT, Source: 0000000D.00000002.2985865794.0000000009968000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 0000000D.00000002.2985865794.0000000009993000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_JAVA_Packed_Allatori, Description: Detects files packed with Allatori Java Obfuscator, Source: 0000000D.00000002.2985865794.0000000009993000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 0000000D.00000002.2985865794.0000000009962000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_JAVA_Packed_Allatori, Description: Detects files packed with Allatori Java Obfuscator, Source: 0000000D.00000002.2985865794.0000000009962000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Has exited:	false

Show Windows behavior

Target ID:	14
Start time:	06:45:13
Start date:	24/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	15
Start time:	06:45:13
Start date:	24/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	16
Start time:	06:45:13
Start date:	24/04/2024
Path:	C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit):	true
Commandline:	wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
Imagebase:	0xc0000
File size:	427'008 bytes
MD5 hash:	E2DE6500DE1148C7F6027AD50AC8B891
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	17
Start time:	06:45:14
Start date:	24/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c "wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	18
Start time:	06:45:14
Start date:	24/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	19
Start time:	06:45:14
Start date:	24/04/2024
Path:	C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit):	true
Commandline:	wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
Imagebase:	0xc0000
File size:	427'008 bytes
MD5 hash:	E2DE6500DE1148C7F6027AD50AC8B891
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	20
Start time:	06:45:16
Start date:	24/04/2024
Path:	C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):	true
Commandline:	cmd.exe /c "wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list"
Imagebase:	0x240000
File size:	236'544 bytes
MD5 hash:	D0FCE3AFA6AA1D58CE9FA336CC2B675B
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	21
Start time:	06:45:16
Start date:	24/04/2024
Path:	C:\Windows\System32\conhost.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:	0x7ff7699e0000
File size:	862'208 bytes
MD5 hash:	0D698AF330FD17BEE3BF90011D49251D
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	22
Start time:	06:45:16
Start date:	24/04/2024
Path:	C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit):	true
Commandline:	wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list
Imagebase:	0xc0000
File size:	427'008 bytes
MD5 hash:	E2DE6500DE1148C7F6027AD50AC8B891
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Has exited:	true

Show Windows behavior

Target ID:	23
Start time:	06:45:18
Start date:	24/04/2024
Path:	C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\RICHIESTA-QUOTAZIONI.jar"
Imagebase:	0xf40000
File size:	257'664 bytes
MD5 hash:	6E0F4F812AE02FBCB744A929E74A04B8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 00000017.00000002.2985412359.000000000A593000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_JAVA_Packed_Allatori, Description: Detects files packed with Allatori Java Obfuscator, Source: 00000017.00000002.2985412359.000000000A593000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 00000017.00000002.2985412359.000000000A562000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_JAVA_Packed_Allatori, Description: Detects files packed with Allatori Java Obfuscator, Source: 00000017.00000002.2985412359.000000000A562000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_STRRAT, Description: Yara detected STRRAT, Source: 00000017.00000002.2985412359.000000000A568000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	24
Start time:	06:45:26
Start date:	24/04/2024
Path:	C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\RICHIESTA-QUOTAZIONI.jar"
Imagebase:	0xf40000
File size:	257'664 bytes
MD5 hash:	6E0F4F812AE02FBCB744A929E74A04B8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 00000018.00000002.2985944545.0000000009B62000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_JAVA_Packed_Allatori, Description: Detects files packed with Allatori Java Obfuscator, Source: 00000018.00000002.2985944545.0000000009B62000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 00000018.00000002.2985944545.0000000009B93000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_JAVA_Packed_Allatori, Description: Detects files packed with Allatori Java Obfuscator, Source: 00000018.00000002.2985944545.0000000009B93000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_STRRAT, Description: Yara detected STRRAT, Source: 00000018.00000002.2985944545.0000000009B68000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
Has exited:	false

Show Windows behavior

Target ID:	28
Start time:	06:45:34
Start date:	24/04/2024
Path:	C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\RICHIESTA-QUOTAZIONI.jar"
Imagebase:	0xf40000
File size:	257'664 bytes
MD5 hash:	6E0F4F812AE02FBCB744A929E74A04B8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 0000001C.00000002.2985487072.000000000A162000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_JAVA_Packed_Allatori, Description: Detects files packed with Allatori Java Obfuscator, Source: 0000001C.00000002.2985487072.000000000A162000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_STRRAT, Description: Yara detected STRRAT, Source: 0000001C.00000002.2985487072.000000000A168000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 0000001C.00000002.2985487072.000000000A193000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_JAVA_Packed_Allatori, Description: Detects files packed with Allatori Java Obfuscator, Source: 0000001C.00000002.2985487072.000000000A193000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Has exited:	false

Show Windows behavior

Target ID:	29
Start time:	06:45:43
Start date:	24/04/2024
Path:	C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe
Wow64 process (32bit):	true
Commandline:	"C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RICHIESTA-QUOTAZIONI.jar"
Imagebase:	0xf40000
File size:	257'664 bytes
MD5 hash:	6E0F4F812AE02FBCB744A929E74A04B8
Has elevated privileges:	false
Has administrator privileges:	false
Programmed in:	C, C++ or other language
Yara matches:	Rule: JoeSecurity_STRRAT, Description: Yara detected STRRAT, Source: 0000001D.00000002.2985937389.0000000009F67000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 0000001D.00000002.2985937389.0000000009F92000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_JAVA_Packed_Allatori, Description: Detects files packed with Allatori Java Obfuscator, Source: 0000001D.00000002.2985937389.0000000009F92000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 0000001D.00000002.2985937389.0000000009F61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security Rule: INDICATOR_JAVA_Packed_Allatori, Description: Detects files packed with Allatori Java Obfuscator, Source: 0000001D.00000002.2985937389.0000000009F61000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
Has exited:	false

Show Windows behavior

Execution Graph

Execution Coverage:	0.8%
Dynamic/Decrypted Code Coverage:	100%
Signature Coverage:	0%
Total number of Nodes:	4
Total number of Limit Nodes:	0

Executed Functions

Function 02A00672 Relevance: 1.6, APIs: 1, Instructions: 57
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

APIs

KiUserExceptionDispatcher.NTDLL ref: 02A006D5

Memory Dump Source

Source File: 00000002.00000002.1775568399.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_java.jbxd

Similarity

API ID: DispatcherExceptionUser
String ID:
API String ID: 6842923-0
Opcode ID: f50589cae0d0a6ffdb243e01bbb7ed607729addc82e375dc61d7d6223e15b1f3
Instruction ID: a0350251371b9050fe3b2d0eb456e8e2666441addc44d48895abc0f298e72ab6
Opcode Fuzzy Hash: f50589cae0d0a6ffdb243e01bbb7ed607729addc82e375dc61d7d6223e15b1f3
Instruction Fuzzy Hash: 531179B290122ACFCF24CF98C4C56ADB3B1FB99314F564529DC69A3381DB346920CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02A0D8F7 Relevance: .2, Instructions: 223
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.1775568399.0000000002A02000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A02000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a02000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 48ac89e44cdc785fcfbf36f1b9573c8dbb58949526347b7edb1ebf10af54e13b
Instruction ID: 572d37c1a70bf6e10376b7609b479df3a83873ceb2b347e014dd5a6160399cc0
Opcode Fuzzy Hash: 48ac89e44cdc785fcfbf36f1b9573c8dbb58949526347b7edb1ebf10af54e13b
Instruction Fuzzy Hash: E5A16A72A04A01DFDB18CFA4D5D4BAAFBB1FF49714F08819DD91A5B381CB74A884CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02A0D8E0 Relevance: .2, Instructions: 160
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.1775568399.0000000002A02000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A02000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a02000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 89d1cd326f960b672a2ffdff9c5b997fc857309b92cddabb1b27597a484cff0b
Instruction ID: ee1dc24cc140d19982675a36ea4b4da851cd7a8bf1542879daee0e67535cf8d3
Opcode Fuzzy Hash: 89d1cd326f960b672a2ffdff9c5b997fc857309b92cddabb1b27597a484cff0b
Instruction Fuzzy Hash: 4F61BC72A00A01DFDB18CF64D5D4BAAFBB1FF49718F04859CD91A4B381CB74A880CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02A14CCD Relevance: .0, Instructions: 22
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.1775568399.0000000002A02000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A02000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a02000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e5ca3df9ccc8f2a3b563d080a2e6c98b5252f3d2c81786f139b7706656b47422
Instruction ID: 4c205073402c316c98ddea9db9c2f842921c9dab38def888f4b870df15bcd29e
Opcode Fuzzy Hash: e5ca3df9ccc8f2a3b563d080a2e6c98b5252f3d2c81786f139b7706656b47422
Instruction Fuzzy Hash: F0F0DFB5A00A06EBEB15CF60C0447EAF7B4FB88708F04420AD42C53350C778B429CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 02A14B78 Relevance: .0, Instructions: 21
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.1775568399.0000000002A02000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A02000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a02000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: de46456035a5d6fd89c1760aaa25a8e718520c3f90ada763f5fd216d84717030
Instruction ID: 6329e48dcc303050d7c8abbaea948383827ea492ab6d8b5bd96e8da813f0de60
Opcode Fuzzy Hash: de46456035a5d6fd89c1760aaa25a8e718520c3f90ada763f5fd216d84717030
Instruction Fuzzy Hash: 46F07FB5A00A06EBDB158F61C0447DAFBB4BB88718F14421AD52C57350D7B8B4658BC1

Uniqueness

Uniqueness Score: -1.00%

Function 02A0EC1C Relevance: .0, Instructions: 20
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.1775568399.0000000002A02000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A02000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a02000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e79f3188a33f7be3d7502e7bb2003c470869671734328b8297605f8b39b0bd3b
Instruction ID: 9ce20dd0c69fe9859302cf1744d638fd2ee0d8094b6650d0d890e8c15913299f
Opcode Fuzzy Hash: e79f3188a33f7be3d7502e7bb2003c470869671734328b8297605f8b39b0bd3b
Instruction Fuzzy Hash: 5DF09BB6A00A06EBDB29CF61C4447DAFBB4BB88718F14421AC52C67750D7B8B469CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 02A0DA35 Relevance: .0, Instructions: 18
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.1775568399.0000000002A02000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A02000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a02000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 799d642be5e6bbc0c362be065ea1bf38d5998bc466e347fd2c7a146abcf77c72
Instruction ID: 04df2da13f62821f8fb43ca19d9c6872b7bc833cd390a7dfd0369ecbb724c9e5
Opcode Fuzzy Hash: 799d642be5e6bbc0c362be065ea1bf38d5998bc466e347fd2c7a146abcf77c72
Instruction Fuzzy Hash: A6F0C2B6D00A06ABDB248F61C0447DAFBB5BB44714F14421AC52C63350D778B465CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 02A149AA Relevance: .0, Instructions: 18
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.1775568399.0000000002A02000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A02000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a02000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 706b7f1116df264e4d94467c9187c08d915f4b8c4512a788905cfcb07920269a
Instruction ID: 98aa16f1bf63f72616b0b50f848d9fc7d2a53c83695250c397adfd425e4be66a
Opcode Fuzzy Hash: 706b7f1116df264e4d94467c9187c08d915f4b8c4512a788905cfcb07920269a
Instruction Fuzzy Hash: 28F0CAB6D00A06ABDB248FA1C1447CAFBB4BB88714F14421AC52C67360E7B8B469CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 02A0DE6E Relevance: .0, Instructions: 18
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.1775568399.0000000002A02000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A02000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a02000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8cc09b4f23fca35f56e079bae9aa8511d3c11657f885a29e67c778a506f09eab
Instruction ID: 6c90e872b4493e3ea06e858bba5c28033ce765b802a68ff4c499a870e04be2da
Opcode Fuzzy Hash: 8cc09b4f23fca35f56e079bae9aa8511d3c11657f885a29e67c778a506f09eab
Instruction Fuzzy Hash: 93F0CAB6D00A06EBDB248F61C0447CAFBB5BB98718F15421AC52C63760D7B8B469CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 02A13C76 Relevance: .0, Instructions: 18
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.1775568399.0000000002A02000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A02000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a02000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 90f0dc072ddb96b0c98ff3356e46d4ca7b4200b81af359b619f289952cad630c
Instruction ID: e83612acdf624d829455008bcb4246d6bd1e225f023ad85454db55328e5c052e
Opcode Fuzzy Hash: 90f0dc072ddb96b0c98ff3356e46d4ca7b4200b81af359b619f289952cad630c
Instruction Fuzzy Hash: 29F0C2B6D00A06ABDB248F61C0447CAFBB4BB44714F14421AC52C67350D778B465CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 02A145E9 Relevance: .0, Instructions: 18
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.1775568399.0000000002A02000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A02000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a02000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5831ecf33ff31b76036c997e6c28c51baa8d7898c493b259f519b0152f4f4ea7
Instruction ID: fd7abba3b5784dabd6743d7719a01fae497c67d25df5e307b769367d5790f00c
Opcode Fuzzy Hash: 5831ecf33ff31b76036c997e6c28c51baa8d7898c493b259f519b0152f4f4ea7
Instruction Fuzzy Hash: 9DF0C2B6D00A06ABDB248F61C0447CAFBB5BB44714F14421AC52C63350D7B8B465CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 02A14EF4 Relevance: .0, Instructions: 17
COMMON

Download Yara Rule

Control-flow Graph

Executed
Not Executed

Memory Dump Source

Source File: 00000002.00000002.1775568399.0000000002A02000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A02000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a02000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f892c5a185726e3b5d2e23d3372ff9a8ef850e70f78ba90433a40236f29fef0e
Instruction ID: 495e23ffafdffacc617a7fb5a23bbe26b4378e455d7bc5944f8ab350309e493d
Opcode Fuzzy Hash: f892c5a185726e3b5d2e23d3372ff9a8ef850e70f78ba90433a40236f29fef0e
Instruction Fuzzy Hash: D8F0C2B5D00A06ABDB24CF61C14438AF7B4BB44B14F14421AC52C63750D778B465CBC1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 02A003C0 Relevance: .1, Instructions: 70COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1775568399.0000000002A00000.00000040.00000800.00020000.00000000.sdmp, Offset: 02A00000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2a00000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a012a9fb5cf5d9e1554885d89a3030425dd9bcc3e3bcfa4e280c99466c7885fc
Instruction ID: cdfe0828d532cf44098dabf2eef600e0530a87869f772838685731794d94102a
Opcode Fuzzy Hash: a012a9fb5cf5d9e1554885d89a3030425dd9bcc3e3bcfa4e280c99466c7885fc
Instruction Fuzzy Hash: 6C2126BA5082568FDB358F199C803DAB7E5FB08314F21482EDECDE7710D7306A898B95

Uniqueness

Uniqueness Score: -1.00%

Function 02AADAE9 Relevance: .0, Instructions: 47COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000002.00000002.1775568399.0000000002AA8000.00000040.00000800.00020000.00000000.sdmp, Offset: 02AA8000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_2_2_2aa8000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 35cfca38a64c3ff3937ba3edcbc8bb1544487143f9c1f7a554a90dce2bed6829
Instruction ID: d80f39aca5c87c5e874190d0985c3c095158185e79a5596655d3cef11b0c67d0
Opcode Fuzzy Hash: 35cfca38a64c3ff3937ba3edcbc8bb1544487143f9c1f7a554a90dce2bed6829
Instruction Fuzzy Hash: FCF01EA240E3C18FC3039B348C366813F704E63205B2E45EBD081DF0E3E25A4A6AD322

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: java.exePID: 6716, Parent PID: 6644COMMON

Executed Functions

Function 022A9712 Relevance: .3, Instructions: 315COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2974112201.00000000022A4000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_22a4000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9e10ac6faf249f924c42349b1cb8745cc85513087e574774d330d4bcd2a78436
Instruction ID: c1f5bfbeecf6ffe8a08513d2d395e2d7125bf3c9b6668d14755e1d1274ba1992
Opcode Fuzzy Hash: 9e10ac6faf249f924c42349b1cb8745cc85513087e574774d330d4bcd2a78436
Instruction Fuzzy Hash: F6D14A71A183418FC714DF59C09062ABBE2FB89314F65C9AEE4899B759C735E882CB81

Uniqueness

Uniqueness Score: -1.00%

Function 0220D9A5 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2974112201.0000000002202000.00000040.00000800.00020000.00000000.sdmp, Offset: 02202000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2202000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 99267b96229c8c3a378f3c3bf27ba2444b8b100e038d4f167267303fe8e20f3c
Instruction ID: 99d9e903ce9b00509fe50dcedb687b1018b0fe03ace7e206172528fb61271189
Opcode Fuzzy Hash: 99267b96229c8c3a378f3c3bf27ba2444b8b100e038d4f167267303fe8e20f3c
Instruction Fuzzy Hash: FD817871A266029FDB18CFE4C5D4BA9F7B1FF49314F04819DD81A4B38ACB74A884CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02200672 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2974112201.0000000002200000.00000040.00000800.00020000.00000000.sdmp, Offset: 02200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2200000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f50589cae0d0a6ffdb243e01bbb7ed607729addc82e375dc61d7d6223e15b1f3
Instruction ID: 16faee9635f3aac885dac65d05b91ce86adbcec5579c610247f48bcf2d4e399c
Opcode Fuzzy Hash: f50589cae0d0a6ffdb243e01bbb7ed607729addc82e375dc61d7d6223e15b1f3
Instruction Fuzzy Hash: C1117CB291122BCFDF14CFC8C4855EDB3B1FB89314B554529DC69A3386D3346A20CB81

Uniqueness

Uniqueness Score: -1.00%

Function 02200722 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2974112201.0000000002200000.00000040.00000800.00020000.00000000.sdmp, Offset: 02200000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2200000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af9fe37b3e15d8840aabd4688b78a2c1a9f31d6a4b900fe252ec604db92cfec7
Instruction ID: a8a72457d1fe803b80cc98486968622bc7638faf398409fec8806a07e192d88b
Opcode Fuzzy Hash: af9fe37b3e15d8840aabd4688b78a2c1a9f31d6a4b900fe252ec604db92cfec7
Instruction Fuzzy Hash: ABF01C76C0012ADBDB14DF88C4811EDB771EB04218B198496DC2837296D3326E61CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02214B78 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2974112201.0000000002202000.00000040.00000800.00020000.00000000.sdmp, Offset: 02202000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2202000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5022083279ba92975487d9f3858008055caabfe0df9312cd094856b835221dc5
Instruction ID: 2dc8cced6dfe4be31ed76ed6682320cac7e291ecc82f5d10391f4a1b6455dc4e
Opcode Fuzzy Hash: 5022083279ba92975487d9f3858008055caabfe0df9312cd094856b835221dc5
Instruction Fuzzy Hash: 57F07FB5A00A06EBDB158F61C0447DAFBB4BB88718F14421AD52C57350D778B4658BC1

Uniqueness

Uniqueness Score: -1.00%

Function 0220EC1C Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2974112201.0000000002202000.00000040.00000800.00020000.00000000.sdmp, Offset: 02202000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2202000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab9428b7e7426191e076e7f65b333d881c122b71aa2b305495fb84622ba70651
Instruction ID: 6ed86f34b786e754860bb3dedd36bb9c745f1776bab14065d78fe9c8db7cdc3d
Opcode Fuzzy Hash: ab9428b7e7426191e076e7f65b333d881c122b71aa2b305495fb84622ba70651
Instruction Fuzzy Hash: 10F09BB6A10A06EBDB29CF61C4447DAFBB4BB88718F14421AC52C67750D778B469CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 02216495 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2974112201.0000000002202000.00000040.00000800.00020000.00000000.sdmp, Offset: 02202000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2202000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 91d95782f1f6c57a8701ebefd52579540f2efed0ccc584ea97d8701369dd3627
Instruction ID: 9dc882174cee7ae736576c945990e503595724343166c26a19e98ab4a8e1dd75
Opcode Fuzzy Hash: 91d95782f1f6c57a8701ebefd52579540f2efed0ccc584ea97d8701369dd3627
Instruction Fuzzy Hash: 2AF09BB6A00A16EBDB25CF65C0447CAFBB4BB88714F14421AC52C67350D778B46ACBC1

Uniqueness

Uniqueness Score: -1.00%

Function 0220DA35 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2974112201.0000000002202000.00000040.00000800.00020000.00000000.sdmp, Offset: 02202000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2202000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a2d70bec46f424126eff0d4e608f4ed335e6a7acb1a9d4e5df9cdd64cce69865
Instruction ID: 24b211323523453e06b92007518dde63ba7ebff89f5e065a96b565ffebd7254f
Opcode Fuzzy Hash: a2d70bec46f424126eff0d4e608f4ed335e6a7acb1a9d4e5df9cdd64cce69865
Instruction Fuzzy Hash: 8CF0C2B6D00A06ABDB248FA1C0447DAFBB5BB44714F14421AC52C63350D378B465CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 022149AA Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2974112201.0000000002202000.00000040.00000800.00020000.00000000.sdmp, Offset: 02202000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2202000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 158ac13a90a690ae7520f6fbaf7ec67de168b682cfdf154f259bcafb511f24d2
Instruction ID: 755b016b4cb03ae46492d23667f5c87d29acdfc7e615d208e75064231aab9ad2
Opcode Fuzzy Hash: 158ac13a90a690ae7520f6fbaf7ec67de168b682cfdf154f259bcafb511f24d2
Instruction Fuzzy Hash: BAF0CAB6D00A06ABDB248FA1C1447CAFBB4BB88714F14421AC52C67360D378B469CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 0220B407 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2974112201.0000000002202000.00000040.00000800.00020000.00000000.sdmp, Offset: 02202000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2202000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7f72e9b12f4eaf2b724a83b70eaa06d9bd255b3937a781446be7a174f549054e
Instruction ID: e1363d1781a05d391f0c01898e6594398315b61f3548e4726625647f888a3767
Opcode Fuzzy Hash: 7f72e9b12f4eaf2b724a83b70eaa06d9bd255b3937a781446be7a174f549054e
Instruction Fuzzy Hash: FCF0CAB6D00A06EBDB248FA1C0447CAFBB4BB88718F19421AC52C63760D378B469CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 02213C76 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2974112201.0000000002202000.00000040.00000800.00020000.00000000.sdmp, Offset: 02202000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2202000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3133ac400ed14356674f291b893db3aa169cf96852637a20984721007da4627e
Instruction ID: eb93c905f397eaa14a48f0d6720b5d949406d7700569c758165e491def87fc34
Opcode Fuzzy Hash: 3133ac400ed14356674f291b893db3aa169cf96852637a20984721007da4627e
Instruction Fuzzy Hash: 78F0C2B6D00A06ABDB248FA1C0447CAFBB4BB44714F14421AC52C67350D378B465CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 022145E9 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2974112201.0000000002202000.00000040.00000800.00020000.00000000.sdmp, Offset: 02202000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_2202000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ab54070a04bd0c8831e147d350a41b4d5c57632731afb8a0293badbc4a1a3fbb
Instruction ID: 167b2e676945470ad7b92fe1c9ffc85821a708e970afcabc847a97d4208cd983
Opcode Fuzzy Hash: ab54070a04bd0c8831e147d350a41b4d5c57632731afb8a0293badbc4a1a3fbb
Instruction Fuzzy Hash: 16F0C2B6D00A06ABEB248FA1C0447CAFBB5BB44714F14421AC52C63350D378B465CBC1

Uniqueness

Uniqueness Score: -1.00%

Non-executed Functions

Function 022B38CC Relevance: .2, Instructions: 197COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000007.00000002.2974112201.00000000022A4000.00000040.00000800.00020000.00000000.sdmp, Offset: 022A4000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_7_2_22a4000_java.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3c13d2336edb3d9fa17f29b10ca558b0a8dc061b0265e1e0883f82161e793614
Instruction ID: 5cb715ea88008f228b8273d9bc54ce626f7056f5b0f888435b1483ab564f1d9e
Opcode Fuzzy Hash: 3c13d2336edb3d9fa17f29b10ca558b0a8dc061b0265e1e0883f82161e793614
Instruction Fuzzy Hash: 6A718D72924711CFC722DF68C480359B7E1FF89764F2689ADD898AB325C735E842CB81

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: javaw.exePID: 6164, Parent PID: 1044COMMON

Executed Functions

Function 0239D9A5 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2974304669.0000000002392000.00000040.00000800.00020000.00000000.sdmp, Offset: 02392000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2392000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f3768c19fb29d24091b82b0ac54843f3c04768ec527f80fce7f306cc7c4dc6e9
Instruction ID: 80583cedc3ca3742ed8ec2310d11a82a5f889e18dbd7f9c9758ea0923d83187f
Opcode Fuzzy Hash: f3768c19fb29d24091b82b0ac54843f3c04768ec527f80fce7f306cc7c4dc6e9
Instruction Fuzzy Hash: C48198B1A046099FDF28EF24C595BA9F7B5FF4A314F08819DD91A4B381CB34A844CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02390672 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2974304669.0000000002390000.00000040.00000800.00020000.00000000.sdmp, Offset: 02390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2390000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f50589cae0d0a6ffdb243e01bbb7ed607729addc82e375dc61d7d6223e15b1f3
Instruction ID: 32e4b004c68131d36bb270781592b6dc6c623d89ef98f466a0db39b1ba54bcd0
Opcode Fuzzy Hash: f50589cae0d0a6ffdb243e01bbb7ed607729addc82e375dc61d7d6223e15b1f3
Instruction Fuzzy Hash: 0F115BB6D0122ADFCF18CF48C4854AEB7B4FB9A324B564529DD65A3741D334A920CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02390722 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2974304669.0000000002390000.00000040.00000800.00020000.00000000.sdmp, Offset: 02390000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2390000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af9fe37b3e15d8840aabd4688b78a2c1a9f31d6a4b900fe252ec604db92cfec7
Instruction ID: 37a3393492935d4ddcb63c9a2e895b226b221283bff02bd2dc56488dc39ebf6f
Opcode Fuzzy Hash: af9fe37b3e15d8840aabd4688b78a2c1a9f31d6a4b900fe252ec604db92cfec7
Instruction Fuzzy Hash: 79F0A576C00229DBCF58DF48C5811ADB7B1EB46228B1A8496DC6977641D332AD62CF91

Uniqueness

Uniqueness Score: -1.00%

Function 023A4B78 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2974304669.0000000002392000.00000040.00000800.00020000.00000000.sdmp, Offset: 02392000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2392000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 70c54c7884d2f44908f080146cd15e48faf9cd5b53a8084e2e21bc3e043c228f
Instruction ID: 596cf66be602c5a48b4092a70347c32cb12d9265aba0ad385093959f4ada5925
Opcode Fuzzy Hash: 70c54c7884d2f44908f080146cd15e48faf9cd5b53a8084e2e21bc3e043c228f
Instruction Fuzzy Hash: 08F07FB5A00A06EBDB198F61C0047DAFBB4FB88718F14421AD42C57350D778B4658BC1

Uniqueness

Uniqueness Score: -1.00%

Function 023A6495 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2974304669.0000000002392000.00000040.00000800.00020000.00000000.sdmp, Offset: 02392000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2392000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a5d259db2aa2470093f1e0241938e6ac3d3d04c378d8b981a2d416855c378161
Instruction ID: b0872d371974a4c459d14e4a288f7d1ba3d44c0f4519bf1a5f63bca506ff8a89
Opcode Fuzzy Hash: a5d259db2aa2470093f1e0241938e6ac3d3d04c378d8b981a2d416855c378161
Instruction Fuzzy Hash: 74F09BB6A00A16EBDB29CF65C0047DAFBB4BB88714F14421AC42C67350D778B46ACBC1

Uniqueness

Uniqueness Score: -1.00%

Function 0239DA35 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2974304669.0000000002392000.00000040.00000800.00020000.00000000.sdmp, Offset: 02392000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2392000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e511310287d447ae38afb6a399b25b89343e67e8691ff2fcbf3359f508f3d117
Instruction ID: 40814fe77067e6d4955515ccb02bb14beae58be4ca5d02a2608d6ad52e41901c
Opcode Fuzzy Hash: e511310287d447ae38afb6a399b25b89343e67e8691ff2fcbf3359f508f3d117
Instruction Fuzzy Hash: A5F0C2B6D00A06ABDB248F61C0047DAFBB4BB44714F14421AC42C63310D378B465CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 023A49AA Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2974304669.0000000002392000.00000040.00000800.00020000.00000000.sdmp, Offset: 02392000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2392000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5c467bfb66aa51a699b1a18ea77fc23b3847d5d592ea13188452b7763e82fd6a
Instruction ID: 189effad6653e1bc0b6818bebd1e06cc3300a3bcfe6df0436888b44874dcda69
Opcode Fuzzy Hash: 5c467bfb66aa51a699b1a18ea77fc23b3847d5d592ea13188452b7763e82fd6a
Instruction Fuzzy Hash: 96F0CAB6D00A06ABDB248F61C1047DAFBB4BB88714F14421AC42C67320D378B469CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 023A3C76 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2974304669.0000000002392000.00000040.00000800.00020000.00000000.sdmp, Offset: 02392000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2392000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 282ccc2bb004569fbbaf8042ebae37045c11f382a2c672a25e3046ef5267f049
Instruction ID: a22c43eb331aa61951ea7dc90b0ff3045682863884710d5d565748ae20f6c984
Opcode Fuzzy Hash: 282ccc2bb004569fbbaf8042ebae37045c11f382a2c672a25e3046ef5267f049
Instruction Fuzzy Hash: CAF0CAB6D00A0AABDB248F61C0047DAFBB8BB88718F14421AC42C67320D378B469CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 023A45E9 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000000D.00000002.2974304669.0000000002392000.00000040.00000800.00020000.00000000.sdmp, Offset: 02392000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_13_2_2392000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c8825eb2b2a91265a4df8e01e7c8f36a9d7f436ad1f063a481a49261bbb1abe8
Instruction ID: 3e0cbad0ba2174939277cc85e71c4f66a6556f4e1832195be180747d68199ad4
Opcode Fuzzy Hash: c8825eb2b2a91265a4df8e01e7c8f36a9d7f436ad1f063a481a49261bbb1abe8
Instruction Fuzzy Hash: 59F0C2B6D00A06ABDB248F61C0047DAFBB4BB44714F14421AC52C63310D378B465CBC1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: javaw.exePID: 7260, Parent PID: 2580COMMON

Executed Functions

Function 02DBD9A5 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2974714968.0000000002DB2000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2db2000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 8582853a4791a70405f04ed37918b54f63078cb48b8c5762214f6cfa3004ea87
Instruction ID: 1731c06fc65754ece813c20d2feeb6b98320edae70c126bd62bcbbe57ed30bc6
Opcode Fuzzy Hash: 8582853a4791a70405f04ed37918b54f63078cb48b8c5762214f6cfa3004ea87
Instruction Fuzzy Hash: 21816875A04601DFDB1ACF24C5A4BA9FBB2FF49314F18819DD85A4B381CB34AC84CBA1

Uniqueness

Uniqueness Score: -1.00%

Function 02E4E000 Relevance: .2, Instructions: 170COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2974714968.0000000002E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2e4d000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: beb085f4955207515e22bee8710fb12fa84f8ae7d4e40f17a5484fa8568fc9fc
Instruction ID: a1ff3f482453a61e151744f7de6518b7ade5b32d4c6fe3a80c39e512e4012de6
Opcode Fuzzy Hash: beb085f4955207515e22bee8710fb12fa84f8ae7d4e40f17a5484fa8568fc9fc
Instruction Fuzzy Hash: 7261A2B29406529FE3698F24D4943A5FBB0FF40318F4A926ECC595BB52DB36A815CFC0

Uniqueness

Uniqueness Score: -1.00%

Function 02E4E231 Relevance: .1, Instructions: 67COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2974714968.0000000002E4D000.00000040.00000800.00020000.00000000.sdmp, Offset: 02E4D000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2e4d000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: dffb37be310db3dc0f94ccd7d9af7bd4da26ed3372f74a9caa6d51be837c0c72
Instruction ID: df3d419280f8f576c7cd47721e50f858b85ec72b8bedc541176a2e2d464d5e08
Opcode Fuzzy Hash: dffb37be310db3dc0f94ccd7d9af7bd4da26ed3372f74a9caa6d51be837c0c72
Instruction Fuzzy Hash: 532160725087919BE351CF1098803C6FBA2FBC0369F99462EEC9823116CB3B545DC7C2

Uniqueness

Uniqueness Score: -1.00%

Function 02DB0672 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2974714968.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2db0000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f50589cae0d0a6ffdb243e01bbb7ed607729addc82e375dc61d7d6223e15b1f3
Instruction ID: 9781c5549884d2f80e8fe39d330931808128443ee6f7fd13fa4b6fb8d6e9f685
Opcode Fuzzy Hash: f50589cae0d0a6ffdb243e01bbb7ed607729addc82e375dc61d7d6223e15b1f3
Instruction Fuzzy Hash: 2A1167B2D0126ACFCB25DF58C4955EEB3B0FF88315B568569DC66A3341D734AD20CB80

Uniqueness

Uniqueness Score: -1.00%

Function 02DB0722 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2974714968.0000000002DB0000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB0000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2db0000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af9fe37b3e15d8840aabd4688b78a2c1a9f31d6a4b900fe252ec604db92cfec7
Instruction ID: b7fd596d5df035373aa96b5570deaffaba8358d8934cd1c5542a692a1c4e3f4a
Opcode Fuzzy Hash: af9fe37b3e15d8840aabd4688b78a2c1a9f31d6a4b900fe252ec604db92cfec7
Instruction Fuzzy Hash: 12F01576C00229DBCB15DF48C4411EEF7B1EF04218B1A8496DC6A37741E332AD62CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02DC4B78 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2974714968.0000000002DB2000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2db2000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cd27d656d3a45608c68641d160166dca4190d64021e3fde806566acab028a962
Instruction ID: 9247c50f32bfeb257849c0e7ea0f0ca7ca560d57c0e6b7ff8742d7cae5d01e81
Opcode Fuzzy Hash: cd27d656d3a45608c68641d160166dca4190d64021e3fde806566acab028a962
Instruction Fuzzy Hash: AEF07FB5A00A06EBDB158F61C0047DAFBB4BB88718F14421AD42C57350D778B465CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 02DC6495 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2974714968.0000000002DB2000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2db2000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c9662856e274fb4a483a986afb3f3c4ab8c030a56202976e5ea5e93691a71b25
Instruction ID: a3293c7be177d92849ba3f61866960dca4d4c900151f93ebbfaf60fb1aaea462
Opcode Fuzzy Hash: c9662856e274fb4a483a986afb3f3c4ab8c030a56202976e5ea5e93691a71b25
Instruction Fuzzy Hash: 59F09BB6A00A16EBDB26CF65C0147CAFBB4BB88B14F14421AC42C67350D778B46ACBC1

Uniqueness

Uniqueness Score: -1.00%

Function 02DBDA35 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2974714968.0000000002DB2000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2db2000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bbfab633052a393da5b8a3f3a68118c49c7ca3cc96660ec3a3c6cda0a81280b9
Instruction ID: 24876653b76a9d52a783f32a98e994b86ed42bc5bedc1f8a7b7c13646ade4101
Opcode Fuzzy Hash: bbfab633052a393da5b8a3f3a68118c49c7ca3cc96660ec3a3c6cda0a81280b9
Instruction Fuzzy Hash: 96F0C2B6D00A06EBDB258F61C0047DAFBB4BB44714F14421AC42C63310D378B465CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 02DC49AA Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2974714968.0000000002DB2000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2db2000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 5e50067dce2be044723d93bdef873353dc3f03512f2112e413dd6817dd901670
Instruction ID: 2cb33e9ab27146049718bc940a5338e1c2a01e0aac9660ca21ffe95237f3fc47
Opcode Fuzzy Hash: 5e50067dce2be044723d93bdef873353dc3f03512f2112e413dd6817dd901670
Instruction Fuzzy Hash: 80F0CAB6D00A06EBDB258F61C1047CAFBB4BB88B14F14421AC42C67320D378B469CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 02DC3C76 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2974714968.0000000002DB2000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2db2000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9f9ce4e6a70adf3e6f6456a060b4ebb056d2b592cc7c63cd76926eeb82ae3fb7
Instruction ID: eb7e7495f866171164af48ffbb4df005b32b734c1dd50e6a7c854058743cc562
Opcode Fuzzy Hash: 9f9ce4e6a70adf3e6f6456a060b4ebb056d2b592cc7c63cd76926eeb82ae3fb7
Instruction Fuzzy Hash: A9F0C2B6D00A06EBDB258F61C0047CAFBB4BB44714F14421AC42C67310D378B465CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 02DC45E9 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000017.00000002.2974714968.0000000002DB2000.00000040.00000800.00020000.00000000.sdmp, Offset: 02DB2000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_23_2_2db2000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: bfefcee162ac9a899fde71af2554a5c2d1aee6a85076b069dad1da0c7c9159b8
Instruction ID: 21aba898354ee8c20fdeddf302f8af96dd05349b24eda1c1edeaf964e42cef30
Opcode Fuzzy Hash: bfefcee162ac9a899fde71af2554a5c2d1aee6a85076b069dad1da0c7c9159b8
Instruction Fuzzy Hash: ECF0C2B6D00A06EBDB258F61C0047CAFBB4BB44B14F14421AC52C63310D378B465CBC1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: javaw.exePID: 7428, Parent PID: 2580COMMON

Executed Functions

Function 0252D9A5 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2974393521.0000000002522000.00000040.00000800.00020000.00000000.sdmp, Offset: 02522000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_2522000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3533d295dfef09ca75b0530a241f62e9cf0709ec569e037b50081b741736d84c
Instruction ID: 74f1a10fcb5847c31bb5d1105c71ebd083159c6b7e333f8ffa59cace4375681d
Opcode Fuzzy Hash: 3533d295dfef09ca75b0530a241f62e9cf0709ec569e037b50081b741736d84c
Instruction Fuzzy Hash: 4E8178B1A06651DFDB18CF24C598BA9FBB1FF4A314F08859DD81A5B3C1CB34A848CB95

Uniqueness

Uniqueness Score: -1.00%

Function 02520672 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2974393521.0000000002520000.00000040.00000800.00020000.00000000.sdmp, Offset: 02520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_2520000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f50589cae0d0a6ffdb243e01bbb7ed607729addc82e375dc61d7d6223e15b1f3
Instruction ID: 7644b0b14c5c485e78debc7b381f3d58039d31e2e4f2174295dade5caf4ea032
Opcode Fuzzy Hash: f50589cae0d0a6ffdb243e01bbb7ed607729addc82e375dc61d7d6223e15b1f3
Instruction Fuzzy Hash: 2D115BB6D0223ADFCF14CF48C4894ADB7B1FBAA314B5A4529DC66A33C1D3346924CB94

Uniqueness

Uniqueness Score: -1.00%

Function 02520722 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2974393521.0000000002520000.00000040.00000800.00020000.00000000.sdmp, Offset: 02520000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_2520000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af9fe37b3e15d8840aabd4688b78a2c1a9f31d6a4b900fe252ec604db92cfec7
Instruction ID: 3c1b2017df8b619d8d09b1120a7591c5fd5ba1e8968d587b6f9de0948a3df028
Opcode Fuzzy Hash: af9fe37b3e15d8840aabd4688b78a2c1a9f31d6a4b900fe252ec604db92cfec7
Instruction Fuzzy Hash: CEF0F276C002299B8B149F48C4410ADFBB1FB16218B1A8496DC29372C1D332AD66CF95

Uniqueness

Uniqueness Score: -1.00%

Function 02534B78 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2974393521.0000000002522000.00000040.00000800.00020000.00000000.sdmp, Offset: 02522000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_2522000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ba51385773e937804a4796989164f599b14678ced66b0cce89d4989317710895
Instruction ID: 949958fbaff7c89df1b4e6aa5cadccea156dcffd450ad841e2978b3b003a780d
Opcode Fuzzy Hash: ba51385773e937804a4796989164f599b14678ced66b0cce89d4989317710895
Instruction Fuzzy Hash: 3DF07FB5A00A16EBDB258F61C0047DAFBB4BB98718F14421AD42C57350D778B4698BC1

Uniqueness

Uniqueness Score: -1.00%

Function 02536495 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2974393521.0000000002522000.00000040.00000800.00020000.00000000.sdmp, Offset: 02522000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_2522000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 114e5cdf3bda28bdea7d5e75dbc81d5cd20aafe023c34afdeb88f383a95b0185
Instruction ID: 65592a2f82339e297d81c42ad270ec38db03be7639770f7b95f1d328029e732c
Opcode Fuzzy Hash: 114e5cdf3bda28bdea7d5e75dbc81d5cd20aafe023c34afdeb88f383a95b0185
Instruction Fuzzy Hash: 03F09BB6A00A16EBDB25CF65C0047CAFBB4BB98714F14421AC42C67390D778B46ACBC1

Uniqueness

Uniqueness Score: -1.00%

Function 0252DA35 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2974393521.0000000002522000.00000040.00000800.00020000.00000000.sdmp, Offset: 02522000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_2522000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 7dd90e4474f847933ac02a9be3edfeca980226fcd6869ad274d202d618ec5dc5
Instruction ID: 6534e9dcb0d11c297c8e8638e0326e7f3fcb5b1a928cc4dceb8bfac035063b32
Opcode Fuzzy Hash: 7dd90e4474f847933ac02a9be3edfeca980226fcd6869ad274d202d618ec5dc5
Instruction Fuzzy Hash: 72F0C2B6D01A16ABDB248F61C0047DAFBB4BB54714F14421AC42C63350D378B469CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 025349AA Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2974393521.0000000002522000.00000040.00000800.00020000.00000000.sdmp, Offset: 02522000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_2522000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: c071b23a8e4edfaf2e65fe30c216cbb786b3745871a7120d10317e356df3b0a1
Instruction ID: 2e3a22409a2608c70c0a7eead7f9f988c7ffaa58dd2b6427f6ad0335c7253503
Opcode Fuzzy Hash: c071b23a8e4edfaf2e65fe30c216cbb786b3745871a7120d10317e356df3b0a1
Instruction Fuzzy Hash: 2AF0CAB6D00A16ABDB248F61C1047CAFBB4BB98714F14421AC42C673A0D378B469CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 02533C76 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2974393521.0000000002522000.00000040.00000800.00020000.00000000.sdmp, Offset: 02522000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_2522000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b41c4061f8be1d3f251f17e7c6dde770d64bfa50e2c8b1a29595824a7908723f
Instruction ID: 21fd5eacac4cdf2d47718826ccb70b2a3a871bfc39b6766d8489c6f885a0b901
Opcode Fuzzy Hash: b41c4061f8be1d3f251f17e7c6dde770d64bfa50e2c8b1a29595824a7908723f
Instruction Fuzzy Hash: 74F0C2B6D00A16ABDB648F61C0047CAFBB4BB54714F14421AC42C67350D378B469CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 025345E9 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 00000018.00000002.2974393521.0000000002522000.00000040.00000800.00020000.00000000.sdmp, Offset: 02522000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_24_2_2522000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: ea5d0f61982ccb49fb24518a68581a3b9c52821b1b837a1f3525d73161aad5b5
Instruction ID: 36ddf3f9ae24e662077bbd39e92cc98be72203e74c1e179ad74e5c65649779e4
Opcode Fuzzy Hash: ea5d0f61982ccb49fb24518a68581a3b9c52821b1b837a1f3525d73161aad5b5
Instruction Fuzzy Hash: B5F0C2B6D00A16ABDB248F61C0047CAFBB4BB54714F14421AC52C63350D378B469CBC1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: javaw.exePID: 7720, Parent PID: 2580COMMON

Executed Functions

Function 02B3D9A5 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2974109406.0000000002B32000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B32000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2b32000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 2e66aa7753639365b4ad642dcab4ce047886e5a667dc17ab94c2c041111d3b4d
Instruction ID: a0854811d764e99151f588717ec7d441eaa17e2642499d34185e25978ad53c0a
Opcode Fuzzy Hash: 2e66aa7753639365b4ad642dcab4ce047886e5a667dc17ab94c2c041111d3b4d
Instruction Fuzzy Hash: 03819AB1A04602DFDB1ACF64C594BA9FBB1FF49314F0881DDD92A4B391DB34A884CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02B30672 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2974109406.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2b30000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f50589cae0d0a6ffdb243e01bbb7ed607729addc82e375dc61d7d6223e15b1f3
Instruction ID: 31343dba48628826c943422e761c20b78c227578bb547487b7d3da8182c4ced9
Opcode Fuzzy Hash: f50589cae0d0a6ffdb243e01bbb7ed607729addc82e375dc61d7d6223e15b1f3
Instruction Fuzzy Hash: 06115BB6D0122ADFCF29EF48C8854ADB7B0FF99314B5649A9DC65A3345D3346920CB90

Uniqueness

Uniqueness Score: -1.00%

Function 02B30722 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2974109406.0000000002B30000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B30000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2b30000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af9fe37b3e15d8840aabd4688b78a2c1a9f31d6a4b900fe252ec604db92cfec7
Instruction ID: 27a7b7944c5cb38eda826b5eaa09382012497d3e31272ff9428bceb296570b01
Opcode Fuzzy Hash: af9fe37b3e15d8840aabd4688b78a2c1a9f31d6a4b900fe252ec604db92cfec7
Instruction Fuzzy Hash: 85F0A576C00229DB8B15EF48C4411ADB7B1EF45218B1A88D6DC6977641D332AD62CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02B44B78 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2974109406.0000000002B32000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B32000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2b32000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: e02d97ffc64f9601acce7d60e45bb1b49ba581d5235acfdcd38f05149d2effd0
Instruction ID: 668bb75df98c48ffc458d70eb54a3a996a3ac66a23c712678f95a5724c18d585
Opcode Fuzzy Hash: e02d97ffc64f9601acce7d60e45bb1b49ba581d5235acfdcd38f05149d2effd0
Instruction Fuzzy Hash: 0DF07FB5A00A06EBDB158F61C0047DAFBB4FB88718F14421AD42C57350D778B4658BC1

Uniqueness

Uniqueness Score: -1.00%

Function 02B46495 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2974109406.0000000002B32000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B32000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2b32000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 3d5f34219789765e146d716596dcb2a9cf468ef51edf9cd9a3bb931c57e86d4d
Instruction ID: 6918c76219c47a92a94ea34bbbf5873ca0c5991ecb6b9812f247cd7914b0d106
Opcode Fuzzy Hash: 3d5f34219789765e146d716596dcb2a9cf468ef51edf9cd9a3bb931c57e86d4d
Instruction Fuzzy Hash: C4F09BB6A00A16EBDB26CF65C0047CAFBB4BB88714F14421AC42C67350D778B46ACBC1

Uniqueness

Uniqueness Score: -1.00%

Function 02B3DA35 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2974109406.0000000002B32000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B32000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2b32000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a3744d18fec16b6ab4d6a62e6e8b822cc155e3533b7fe63a206c066d07dc7364
Instruction ID: dcea0e1c81a6370c38d11415e77f51db8e473fe8a45e52d52ec295487f6dde12
Opcode Fuzzy Hash: a3744d18fec16b6ab4d6a62e6e8b822cc155e3533b7fe63a206c066d07dc7364
Instruction Fuzzy Hash: 0AF0C2B6D00A06ABDB258F61C0047DAFBB4BB44714F14461AC42C63310D378B465CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 02B449AA Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2974109406.0000000002B32000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B32000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2b32000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b1527c182ed3d24bb955ee67af5e0e26a119792d79355c9cedaef580b2eb4a14
Instruction ID: 28ef2436b7cddd1ab0ab0ee605cb0b66b2e1c636efb002a2916217a9a4a9b934
Opcode Fuzzy Hash: b1527c182ed3d24bb955ee67af5e0e26a119792d79355c9cedaef580b2eb4a14
Instruction Fuzzy Hash: 50F0CAB6D00A06ABDB258F61C1047CAFBB4BB88714F14461AC42C67320D378B469CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 02B43C76 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2974109406.0000000002B32000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B32000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2b32000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 02b389352e7fc0363bccb4f7b4754436bd16c0fce5d1a2f76e7487ad29f7f79f
Instruction ID: 70c0c1670dd4ff67c9e34be31462766a71aff2df9a4e600f39100cb93ccc6d40
Opcode Fuzzy Hash: 02b389352e7fc0363bccb4f7b4754436bd16c0fce5d1a2f76e7487ad29f7f79f
Instruction Fuzzy Hash: 2DF0CAB6D00A0AABDB258F61C0047CAFBB8BB88718F14461AC42C67320D378B469CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 02B445E9 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001C.00000002.2974109406.0000000002B32000.00000040.00000800.00020000.00000000.sdmp, Offset: 02B32000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_28_2_2b32000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: b143c24235c7553130775a81e29f2e132013e499656f3a54ca158864988019eb
Instruction ID: c2a93402043d682232cba462b28f98d4f7b1e3657ebf51ec1045be5110533edc
Opcode Fuzzy Hash: b143c24235c7553130775a81e29f2e132013e499656f3a54ca158864988019eb
Instruction Fuzzy Hash: C1F0C2B6D00A06ABDB258F61C0047CAFBB4BB44714F14461AC52C63310D378B465CBC1

Uniqueness

Uniqueness Score: -1.00%

Analysis Process: javaw.exePID: 7852, Parent PID: 2580COMMON

Executed Functions

Function 0287D9A5 Relevance: .2, Instructions: 199COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2974279944.0000000002872000.00000040.00000800.00020000.00000000.sdmp, Offset: 02872000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2872000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: cf7f2f2e8236f41222d9fb8869efd4d63de417c4e9b4bc1657ca9e9efa62aa4c
Instruction ID: 223a65e2278aa24f55d994b30dda7d996f3f69b947b4c852b75dce05c7f08e79
Opcode Fuzzy Hash: cf7f2f2e8236f41222d9fb8869efd4d63de417c4e9b4bc1657ca9e9efa62aa4c
Instruction Fuzzy Hash: 838177BDA04601DFDB19CF24C594BA9FBB1FF49318F088199C91A8B381CB34E885CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02870672 Relevance: .1, Instructions: 57COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2974279944.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2870000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: f50589cae0d0a6ffdb243e01bbb7ed607729addc82e375dc61d7d6223e15b1f3
Instruction ID: 1fac376acff6f16bdc7488176ac3ab58e7850f9062ce4994e011394371d5ad15
Opcode Fuzzy Hash: f50589cae0d0a6ffdb243e01bbb7ed607729addc82e375dc61d7d6223e15b1f3
Instruction Fuzzy Hash: 51115EBAD0122ADFCF14CF48C8954AEB7B0FB99314B554529DC69E3342D334A920CB91

Uniqueness

Uniqueness Score: -1.00%

Function 02884CCD Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2974279944.0000000002872000.00000040.00000800.00020000.00000000.sdmp, Offset: 02872000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2872000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9ccd5425f6eeed5672e701a7e93583f55e14db5d47f46ee84f679aebc561f397
Instruction ID: b49a0780fcb86495100f6e5050c6be73644b87317c3c51452a29f4e49b17b947
Opcode Fuzzy Hash: 9ccd5425f6eeed5672e701a7e93583f55e14db5d47f46ee84f679aebc561f397
Instruction Fuzzy Hash: 52F0BCB5A00A06EBEB15CF20C0047EAF7B4BB88708F04420AD42C97310C378B429CBD1

Uniqueness

Uniqueness Score: -1.00%

Function 02870722 Relevance: .0, Instructions: 22COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2974279944.0000000002870000.00000040.00000800.00020000.00000000.sdmp, Offset: 02870000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2870000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: af9fe37b3e15d8840aabd4688b78a2c1a9f31d6a4b900fe252ec604db92cfec7
Instruction ID: c1e0d408b06cf86b72b56da8e8fa03c09347c6a2c8b350b4a34d29e6bf5ab712
Opcode Fuzzy Hash: af9fe37b3e15d8840aabd4688b78a2c1a9f31d6a4b900fe252ec604db92cfec7
Instruction Fuzzy Hash: 4FF0A57EC04229DB8F14DF48C4811ADB7B1EB45258B2A8496DC6DB7641D332AD62CF91

Uniqueness

Uniqueness Score: -1.00%

Function 02884B78 Relevance: .0, Instructions: 21COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2974279944.0000000002872000.00000040.00000800.00020000.00000000.sdmp, Offset: 02872000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2872000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 82e860b0c9f41598e5325391dec4278b0731f1803e4d311ffd598789adbe8231
Instruction ID: 8a3f42d55041ee1c056dc0130c0e7c5da75e179a649595f467ce90ac7dbe8d8b
Opcode Fuzzy Hash: 82e860b0c9f41598e5325391dec4278b0731f1803e4d311ffd598789adbe8231
Instruction Fuzzy Hash: 56F07FB5A00A06EBDB158F61C0047DAFBB4BB88718F14421AD42C97350D778B4658BC1

Uniqueness

Uniqueness Score: -1.00%

Function 02886495 Relevance: .0, Instructions: 20COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2974279944.0000000002872000.00000040.00000800.00020000.00000000.sdmp, Offset: 02872000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2872000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: a4ca7df23d9020cae36880fc4b3bff2d39cbddbd51bf58c7683e4571003e7d5b
Instruction ID: 907b5cb7d83cc253667a3fbeb641512638e1e2d0a95f071a9353893d8c7f7491
Opcode Fuzzy Hash: a4ca7df23d9020cae36880fc4b3bff2d39cbddbd51bf58c7683e4571003e7d5b
Instruction Fuzzy Hash: 83F09BBAA00B16EBDB25CF65C0147CAFBB4BB88714F14421AD42CA7350D778B46ACBC1

Uniqueness

Uniqueness Score: -1.00%

Function 0287DA35 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2974279944.0000000002872000.00000040.00000800.00020000.00000000.sdmp, Offset: 02872000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2872000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 4648c369302c633b08d61c8f6477819d0998ae3dc8aeeb03a0a67dd5170f4c44
Instruction ID: bc0791166dce38e9dfa2f9c44799e6624dd3a40d38cb53e7280961ab51efc1da
Opcode Fuzzy Hash: 4648c369302c633b08d61c8f6477819d0998ae3dc8aeeb03a0a67dd5170f4c44
Instruction Fuzzy Hash: 64F0C2B6D00A06ABDB248F61C0047DAFBB4BB44714F14421AC42C67310D378B465CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 028849AA Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2974279944.0000000002872000.00000040.00000800.00020000.00000000.sdmp, Offset: 02872000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2872000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 895acfca0b2f4d584eb4d439f348e2fb6952f50e3f20ac21b802f9bf2dae1685
Instruction ID: d84c4614ad279b29372e9abe0c7ab0da74c9631c299020f68d4fb888dd991f8c
Opcode Fuzzy Hash: 895acfca0b2f4d584eb4d439f348e2fb6952f50e3f20ac21b802f9bf2dae1685
Instruction Fuzzy Hash: E1F0CABAD00A06ABDB248F61C1047CAFBB4BB88714F14421AC42CA7320D378B469CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 02883C76 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2974279944.0000000002872000.00000040.00000800.00020000.00000000.sdmp, Offset: 02872000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2872000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 9acf410a6b06f8aee001d3d0c94b84e4d28b980d249ba8bd96f3f3308695f1ae
Instruction ID: 46ab65e846e97aaab85aeda5b67041b717747e76c031f97c298c6a537c0feb5a
Opcode Fuzzy Hash: 9acf410a6b06f8aee001d3d0c94b84e4d28b980d249ba8bd96f3f3308695f1ae
Instruction Fuzzy Hash: F4F0C2B6D00A06ABDB248F61C0047CAFBB4BB44714F14421AC42CA7310D378B465CBC1

Uniqueness

Uniqueness Score: -1.00%

Function 028845E9 Relevance: .0, Instructions: 18COMMON

Download Yara Rule

Memory Dump Source

Source File: 0000001D.00000002.2974279944.0000000002872000.00000040.00000800.00020000.00000000.sdmp, Offset: 02872000, based on PE: false

Joe Sandbox IDA Plugin

Snapshot File: hcaresult_29_2_2872000_javaw.jbxd

Similarity

API ID:
String ID:
API String ID:
Opcode ID: 88ee98c30a9d6e2c904e83dc0bf54ffff42846fd607a94fb270edd0e99cc89d3
Instruction ID: bd5562ba840f9a6b1e9ee5ff1c24a6aa9e721e36604ea2c9821bc8a1d966937b
Opcode Fuzzy Hash: 88ee98c30a9d6e2c904e83dc0bf54ffff42846fd607a94fb270edd0e99cc89d3
Instruction Fuzzy Hash: 5FF0C2B6D00A06ABDB248F61C0047CAFBB4BB44714F14421AC52C67310D378B465CBC1

Uniqueness

Uniqueness Score: -1.00%

Description:	Adversaries may abuse Windows Management Instrumentation (WMI) to execute malicious commands and payloads. WMI is an administration feature that provides a uniform environment to access Windows system components. The WMI service enables both local and remote access, though the latter is facilitated by Remote Services such as Distributed Component Object Model (DCOM) and Windows Remote Management (WinRM).Remote WMI over DCOM operates using port 135, whereas WMI over WinRM operates over port 5985 when using HTTP and 5986 for HTTPS.
Tactics:	Execution
Data Sources:	Command: Command Execution, Network Traffic: Network Connection Creation, Process: Process Creation, WMI: WMI Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may abuse task scheduling functionality to facilitate initial or recurring execution of malicious code. Utilities exist within all major operating systems to schedule programs or scripts to be executed at a specified date and time. A task can also be scheduled on a remote system, provided the proper authentication is met (ex: RPC and file and printer sharing in Windows environments). Scheduling a task on a remote system typically may require being a member of an admin or otherwise privileged group on the remote system.
Tactics:	Execution, Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, Container: Container Creation, File: File Creation, File: File Modification, Process: Process Creation, Scheduled Job: Scheduled Job Creation
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may exploit software vulnerabilities in client applications to execute code. Vulnerabilities can exist in software due to unsecure coding practices that can lead to unanticipated behavior. Adversaries can take advantage of certain vulnerabilities through targeted exploitation for the purpose of arbitrary code execution. Oftentimes the most valuable exploits to an offensive toolkit are those that can be used to obtain code execution on a remote system because they can be used to gain access to that system. Users will expect to see files related to the applications they commonly used to do work, so they are a useful target for exploit research and development because of their high utility.
Tactics:	Execution
Data Sources:	Application Log: Application Log Content, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may achieve persistence by adding a program to a startup folder or referencing it with a Registry run key. Adding an entry to the "run keys" in the Registry or startup folder will cause the program referenced to be executed when a user logs in.These programs will be executed under the context of the user and will have the account's associated permissions level.
Tactics:	Persistence, Privilege Escalation
Data Sources:	Command: Command Execution, File: File Modification, Process: Process Creation, Windows Registry: Windows Registry Key Creation, Windows Registry: Windows Registry Key Modification
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may execute their own malicious payloads by hijacking the binaries used by services. Adversaries may use flaws in the permissions of Windows services to replace the binary that is executed upon service start. These service processes may automatically execute specific binaries as part of their functionality or to perform other actions. If the permissions on the file system directory containing a target binary, or permissions on the binary itself are improperly set, then the target binary may be overwritten with another binary using user-level permissions and executed by the original process. If the original process and thread are running under a higher permissions level, then the replaced binary will also execute under higher-level permissions, which could include SYSTEM.
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Process: Process Creation, Service: Service Metadata
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may inject code into processes in order to evade process-based defenses as well as possibly elevate privileges. Process injection is a method of executing arbitrary code in the address space of a separate live process. Running code in the context of another process may allow access to the process's memory, system/network resources, and possibly elevated privileges. Execution via process injection may also evade detection from security products since the execution is masked under a legitimate process.
Tactics:	Defense Evasion, Privilege Escalation
Data Sources:	File: File Metadata, File: File Modification, Module: Module Load, Process: OS API Execution, Process: Process Access, Process: Process Metadata, Process: Process Modification
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to manipulate features of their artifacts to make them appear legitimate or benign to users and/or security tools. Masquerading occurs when the name or location of an object, legitimate or malicious, is manipulated or abused for the sake of evading defenses and observation. This may include manipulating file metadata, tricking users into misidentifying the file type, and giving legitimate task or service names.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Metadata, File: File Modification, Image: Image Metadata, Process: OS API Execution, Process: Process Creation, Process: Process Metadata, Scheduled Job: Scheduled Job Metadata, Scheduled Job: Scheduled Job Modification, Service: Service Creation, Service: Service Metadata
Platforms:	Containers, Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may employ various means to detect and avoid virtualization and analysis environments. This may include changing behaviors based on the results of checks for the presence of artifacts indicative of a virtual machine environment (VME) or sandbox. If the adversary detects a VME, they may alter their malware to disengage from the victim or conceal the core functions of the implant. They may also search for VME artifacts before dropping secondary or additional payloads. Adversaries may use the information learned from [Virtualization/Sandbox Evasion](https://attack.mitre.org/techniques/T1497) during automated discovery to shape follow-on behaviors.
Tactics:	Defense Evasion, Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may modify and/or disable security tools to avoid possible detection of their malware/tools and activities. This may take many forms, such as killing security software processes or services, modifying / deleting Registry keys or configuration files so that tools do not operate properly, or other methods to interfere with security tools scanning or reporting information. Adversaries may also disable updates to prevent the latest security patches from reaching tools on victim systems.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, Driver: Driver Load, Process: Process Creation, Process: Process Termination, Sensor Health: Host Status, Service: Service Metadata, Windows Registry: Windows Registry Key Deletion, Windows Registry: Windows Registry Key Modification
Platforms:	Containers, IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to make an executable or file difficult to discover or analyze by encrypting, encoding, or otherwise obfuscating its contents on the system or in transit. This is common behavior that can be used across different platforms and the network to evade defenses.
Tactics:	Defense Evasion
Data Sources:	Command: Command Execution, File: File Creation, File: File Metadata, Module: Module Load, Process: OS API Execution, Process: Process Creation, Script: Script Execution, WMI: WMI Creation, Windows Registry: Windows Registry Key Creation
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get information about running processes on a system. Information obtained could be used to gain an understanding of common software/applications running on systems within the network. Adversaries may use the information from Process Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may look for details about the network configuration and settings, such as IP and/or MAC addresses, of systems they access or through information discovery of remote systems. Several operating system administration utilities exist that can be used to gather this information. Examples include Arp , ipconfig / ifconfig , nbtstat , and route .
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation, Script: Script Execution
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may enumerate files and directories or may search in specific locations of a host or network share for certain information within a file system. Adversaries may use the information from File and Directory Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using a protocol and port pairing that are typically not associated. For example, HTTPS over port 8088or port 587as opposed to the traditional port 443. Adversaries may make changes to the standard port used by a protocol to bypass filtering or muddle analysis/parsing of network data.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may transfer tools or other files from an external system into a compromised environment. Tools or files may be copied from an external adversary-controlled system to the victim network through the command and control channel or through alternate protocols such as ftp . Once present, adversaries may also transfer/spread tools between victim devices within a compromised environment (i.e. Lateral Tool Transfer ).
Tactics:	Command and Control
Data Sources:	Command: Command Execution, File: File Creation, Network Traffic: Network Connection Creation, Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may use an OSI non-application layer protocol for communication between host and C2 server or among infected hosts within a network. The list of possible protocols is extensive.Specific examples include use of network layer protocols, such as the Internet Control Message Protocol (ICMP), transport layer protocols, such as the User Datagram Protocol (UDP), session layer protocols, such as Socket Secure (SOCKS), as well as redirected/tunneled protocols, such as Serial over LAN (SOL).
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may communicate using OSI application layer protocols to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server.
Tactics:	Command and Control
Data Sources:	Network Traffic: Network Traffic Content, Network Traffic: Network Traffic Flow
Platforms:	Linux, macOS, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report RICHIESTA-QUOTAZIONI.jar

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: STRRAT

Yara Signatures

Dropped Files

Memory Dumps

Sigma Signatures

System Summary

Snort Signatures

Joe Sandbox Signatures

AV Detection

Spreading

Software Vulnerabilities

Networking

System Summary

Data Obfuscation

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

Contacted URLs

URLs from Memory and Binaries

World Map of Contacted IPs

Public IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\RICHIESTA-QUOTAZIONI.jar

C:\ProgramData\Oracle\Java\.oracle_jre_usage\b5820291038aa69c.timestamp

C:\Users\user\AppData\Local\Temp\hsperfdata_user\6164

C:\Users\user\AppData\Local\Temp\hsperfdata_user\6644

C:\Users\user\AppData\Local\Temp\hsperfdata_user\6716

C:\Users\user\AppData\Local\Temp\hsperfdata_user\7260

C:\Users\user\AppData\Local\Temp\hsperfdata_user\7428

C:\Users\user\AppData\Local\Temp\hsperfdata_user\7720

C:\Users\user\AppData\Local\Temp\hsperfdata_user\7852

C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\RICHIESTA-QUOTAZIONI.jar

C:\Users\user\AppData\Roaming\RICHIESTA-QUOTAZIONI.jar

C:\cmdlinestart.log

Static File Info

General

File Icon

Windows Analysis Report
RICHIESTA-QUOTAZIONI.jar