Windows Analysis Report
EQUIPTMENT_ORDER.jar

Overview

General Information

Sample name:EQUIPTMENT_ORDER.jar
Analysis ID:1430750
MD5:b42ff7e68ccb74b444fd8d30636466cf
SHA1:854601f3529fed533b297b4904c67938152563b1
SHA256:eb8ff032ecdacae049aa7edcb3c76e2b3274e7b01dd19aacbd71cfb96f8c9529
Tags:jar
Infos:

Detection

STRRAT
Score:88
Range:0 - 100
Whitelisted:false
Confidence:100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for submitted file
Yara detected STRRAT
Exploit detected, runtime environment starts unknown processes
Yara detected AllatoriJARObfuscator
Contains functionality to query CPU information (cpuid)
Creates a process in suspended mode (likely to inject code)
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Classification

  • System is w10x64
  • 7za.exe (PID: 1440 cmdline: 7za.exe x -y -oC:\jar "C:\Users\user\Desktop\EQUIPTMENT_ORDER.jar" MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)
    • conhost.exe (PID: 1476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • java.exe (PID: 5552 cmdline: java.exe -jar "C:\Users\user\Desktop\EQUIPTMENT_ORDER.jar" carLambo.FirstRun MD5: 9DAA53BAB2ECB33DC0D9CA51552701FA)
    • conhost.exe (PID: 5472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
    • icacls.exe (PID: 1496 cmdline: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M MD5: 2E49585E4E08565F52090B144062F97E)
      • conhost.exe (PID: 4444 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)
  • cleanup
{"C2 list": "chongmei33.publicvm.com:44662", "url": "http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5", "Proxy": "chongmei33.publicvm.com:44662", "lid": "khonsari", "Startup": "true", "Secondary Startup": "true", "Scheduled Task": "true"}
Yara matches (Source, Rule, Description, Author, Strings):
Source: 00000003.00000002.3259064720.0000000009F92000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Author: Joe Security
Source: 00000003.00000002.3259064720.0000000009F92000.00000004.00000800.00020000.00000000.sdmp, Rule: INDICATOR_JAVA_Packed_Allatori, Description: Detects files packed with Allatori Java Obfuscator, Author: ditekSHen, Strings:
  • 0x464c:$s1: # Obfuscation by Allatori Obfuscator
Source: 00000003.00000002.3259064720.0000000009F61000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Author: Joe Security
Source: 00000003.00000002.3259064720.0000000009F61000.00000004.00000800.00020000.00000000.sdmp, Rule: INDICATOR_JAVA_Packed_Allatori, Description: Detects files packed with Allatori Java Obfuscator, Author: ditekSHen, Strings:
  • 0x2e24:$s1: # Obfuscation by Allatori Obfuscator
Source: 00000003.00000002.3259064720.0000000009F67000.00000004.00000800.00020000.00000000.sdmp, Rule: JoeSecurity_STRRAT, Description: Yara detected STRRAT, Author: Joe Security
        No Sigma rule has matched
        No Snort rule has matched

        AV Detection

        Source: http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5URL Reputation: Label: malware
        Source: EQUIPTMENT_ORDER.jarMalware Configuration Extractor: STRRAT {"C2 list": "chongmei33.publicvm.com:44662", "url": "http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5", "Proxy": "chongmei33.publicvm.com:44662", "lid": "khonsari", "Startup": "true", "Secondary Startup": "true", "Scheduled Task": "true"}
        Source: EQUIPTMENT_ORDER.jarReversingLabs: Detection: 44%
        Source: EQUIPTMENT_ORDER.jarVirustotal: Detection: 50%

        Software Vulnerabilities

        Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeProcess created: C:\Windows\System32\conhost.exe
        Source: java.exe, 00000003.00000002.3259064720.0000000009F92000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://bugreport.sun.com/bugreport/
        Source: java.exe, 00000003.00000002.3259064720.000000000A000000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.3259064720.0000000009F98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
        Source: java.exe, 00000003.00000002.3260493512.0000000015480000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000003.00000002.3259064720.0000000009F98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
        Source: java.exe, 00000003.00000002.3259064720.000000000A000000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.3259064720.0000000009F98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt
        Source: java.exe, 00000003.00000002.3259064720.0000000009F67000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
        Source: java.exe, 00000003.00000002.3259064720.000000000A000000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.3259064720.0000000009F98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
        Source: java.exe, 00000003.00000002.3259064720.0000000009F98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
        Source: java.exe, 00000003.00000002.3259064720.000000000A00E000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.3259064720.0000000009F98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
        Source: java.exe, 00000003.00000002.3260493512.0000000015480000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000003.00000002.3259064720.0000000009F98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
        Source: java.exe, 00000003.00000002.3259064720.000000000A007000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.3259064720.0000000009F98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl
        Source: java.exe, 00000003.00000002.3259064720.0000000009F67000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.3259064720.0000000009F98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
        Source: java.exe, 00000003.00000002.3259064720.000000000A00E000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.3259064720.0000000009F98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl
        Source: java.exe, 00000003.00000002.3260493512.0000000015480000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000003.00000002.3259064720.0000000009F98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
        Source: java.exe, 00000003.00000002.3259064720.0000000009F98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://java.oracle.com/
        Source: java.exe, 00000003.00000002.3258479899.0000000004DCB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5
        Source: java.exe, 00000003.00000002.3259064720.000000000A108000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.3260493512.0000000015480000.00000004.00000020.00020000.00000000.sdmpString found in binary or memory: http://null.oracle.com/
        Source: java.exe, 00000003.00000002.3258479899.0000000004E4D000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://null.oracle.com/k
        Source: java.exe, 00000003.00000002.3259064720.000000000A000000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com
        Source: java.exe, 00000003.00000002.3259064720.0000000009F98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0A
        Source: java.exe, 00000003.00000002.3260493512.0000000015480000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000003.00000002.3259064720.0000000009F98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0C
        Source: java.exe, 00000003.00000002.3259064720.0000000009F67000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.3259064720.0000000009F98000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://ocsp.digicert.com0X
        Source: java.exe, 00000003.00000002.3259064720.0000000009F92000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.3259064720.0000000009F61000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.allatori.com
        Source: java.exe, 00000003.00000002.3258479899.0000000004DCB000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.3258479899.0000000004ECC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/kristian/system-hook/releases/download/3.5/system-hook-3.5.jar
        Source: java.exe, 00000003.00000002.3258479899.0000000004DCB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://github.com/kristian/system-hook/releases/download/3.5/system-hook-3.5.jarc
        Source: java.exe, 00000003.00000002.3258479899.0000000004DCB000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.3258479899.0000000004ECC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://repo1.maven.org/maven2/net/java/dev/jna/jna-platform/5.5.0/jna-platform-5.5.0.jar
        Source: java.exe, 00000003.00000002.3258479899.0000000004DCB000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.3258479899.0000000004ECC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://repo1.maven.org/maven2/net/java/dev/jna/jna/5.5.0/jna-5.5.0.jar
        Source: java.exe, 00000003.00000002.3258479899.0000000004DCB000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://repo1.maven.org/maven2/net/java/dev/jna/jna/5.5.0/jna-5.5.0.jark
        Source: java.exe, 00000003.00000002.3258479899.0000000004DCB000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000003.00000002.3258479899.0000000004ECC000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: https://repo1.maven.org/maven2/org/xerial/sqlite-jdbc/3.14.2.1/sqlite-jdbc-3.14.2.1.jar

        System Summary

        Source: 00000003.00000002.3259064720.0000000009F92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
        Source: 00000003.00000002.3259064720.0000000009F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
        Source: Process Memory Space: java.exe PID: 5552, type: MEMORYSTRMatched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
        Source: 00000003.00000002.3259064720.0000000009F92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
        Source: 00000003.00000002.3259064720.0000000009F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORYMatched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
        Source: Process Memory Space: java.exe PID: 5552, type: MEMORYSTRMatched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
        Source: classification engineClassification label: mal88.troj.expl.evad.winJAR@7/52@0/0
        Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeMutant created: NULL
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1476:120:WilError_03
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4444:120:WilError_03
        Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5472:120:WilError_03
        Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeFile created: C:\Users\user\AppData\Local\Temp\hsperfdata_userJump to behavior
        Source: C:\Windows\System32\7za.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiersJump to behavior
        Source: EQUIPTMENT_ORDER.jarReversingLabs: Detection: 44%
        Source: EQUIPTMENT_ORDER.jarVirustotal: Detection: 50%
        Source: unknownProcess created: C:\Windows\System32\7za.exe 7za.exe x -y -oC:\jar "C:\Users\user\Desktop\EQUIPTMENT_ORDER.jar"
        Source: C:\Windows\System32\7za.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: unknownProcess created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe java.exe -jar "C:\Users\user\Desktop\EQUIPTMENT_ORDER.jar" carLambo.FirstRun
        Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeProcess created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
        Source: C:\Windows\SysWOW64\icacls.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
        Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeProcess created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)MJump to behavior
        Source: C:\Windows\System32\7za.exeSection loaded: 7z.dllJump to behavior
        Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeSection loaded: apphelp.dllJump to behavior
        Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeSection loaded: wsock32.dllJump to behavior
        Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeSection loaded: winmm.dllJump to behavior
        Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeSection loaded: version.dllJump to behavior
        Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeSection loaded: kernel.appcore.dllJump to behavior
        Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeSection loaded: windows.storage.dllJump to behavior
        Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeSection loaded: wldp.dllJump to behavior
        Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeSection loaded: profapi.dllJump to behavior
        Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeSection loaded: mswsock.dllJump to behavior
        Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeSection loaded: iphlpapi.dllJump to behavior
        Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeSection loaded: dhcpcsvc6.dllJump to behavior
        Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeSection loaded: dhcpcsvc.dllJump to behavior
        Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeSection loaded: dnsapi.dllJump to behavior
        Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeSection loaded: uxtheme.dllJump to behavior
        Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeSection loaded: dwmapi.dllJump to behavior
        Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeSection loaded: opengl32.dllJump to behavior
        Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeSection loaded: glu32.dllJump to behavior
        Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeSection loaded: textinputframework.dllJump to behavior
        Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeSection loaded: coreuicomponents.dllJump to behavior
        Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeSection loaded: coremessaging.dllJump to behavior
        Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeSection loaded: ntmarta.dllJump to behavior
        Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeSection loaded: wintypes.dllJump to behavior
        Source: C:\Windows\SysWOW64\icacls.exeSection loaded: ntmarta.dllJump to behavior
        Source: Window RecorderWindow detected: More than 3 window changes detected

        Data Obfuscation

        Source: Yara matchFile source: 00000003.00000002.3259064720.0000000009F92000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000002.3259064720.0000000009F61000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: java.exe PID: 5552, type: MEMORYSTR
        Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeCode function: 3_2_028DA20A push ecx; ret 3_2_028DA21A
        Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeCode function: 3_2_028DA21B push ecx; ret 3_2_028DA225
        Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeCode function: 3_2_028DB3B7 push 00000000h; mov dword ptr [esp], esp3_2_028DB3DD
        Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeCode function: 3_2_028DBB67 push 00000000h; mov dword ptr [esp], esp3_2_028DBB8D
        Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeCode function: 3_2_028DB947 push 00000000h; mov dword ptr [esp], esp3_2_028DB96D
        Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeCode function: 3_2_028DC477 push 00000000h; mov dword ptr [esp], esp3_2_028DC49D
        Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeProcess created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
        Source: C:\Windows\System32\conhost.exeLast function: Thread delayed
        Source: java.exe, 00000003.00000003.2001369183.0000000014E63000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: com/sun/corba/se/impl/util/SUNVMCID.classPK
        Source: java.exe, 00000003.00000003.2001369183.0000000014E63000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: &com/sun/corba/se/impl/util/SUNVMCID.classPK
        Source: java.exe, 00000003.00000002.3258018628.0000000000EEB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllMDs
        Source: java.exe, 00000003.00000002.3258018628.0000000000EEB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: [Ljava/lang/VirtualMachineError;
        Source: java.exe, 00000003.00000003.2001369183.0000000014E63000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: org/omg/CORBA/OMGVMCID.classPK
        Source: java.exe, 00000003.00000002.3258018628.0000000000EEB000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: cjava/lang/VirtualMachineError
        Source: java.exe, 00000003.00000003.2001369183.0000000014E63000.00000004.00000020.00020000.00000000.sdmpBinary or memory string: java/lang/VirtualMachineError.classPK
        Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeMemory protected: page read and write | page guardJump to behavior
        Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeProcess created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)MJump to behavior
        Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeCode function: 3_2_028D03C0 cpuid 3_2_028D03C0
        Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeQueries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformationJump to behavior
        Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeQueries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\5552 VolumeInformationJump to behavior
        Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeQueries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformationJump to behavior
        Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeQueries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\rt.jar VolumeInformationJump to behavior
        Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeQueries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jce.jar VolumeInformationJump to behavior
        Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exeQueries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\meta-index VolumeInformationJump to behavior

        Stealing of Sensitive Information

        Source: Yara matchFile source: 00000003.00000002.3259064720.0000000009F67000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000002.3258479899.0000000004DCB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: java.exe PID: 5552, type: MEMORYSTR

        Remote Access Functionality

        Source: Yara matchFile source: 00000003.00000002.3259064720.0000000009F67000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: 00000003.00000002.3258479899.0000000004DCB000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
        Source: Yara matchFile source: Process Memory Space: java.exe PID: 5552, type: MEMORYSTR
        ReconnaissanceResource DevelopmentInitial AccessExecutionPersistencePrivilege EscalationDefense EvasionCredential AccessDiscoveryLateral MovementCollectionCommand and ControlExfiltrationImpact
        Gather Victim Identity InformationAcquire InfrastructureValid Accounts1
        Exploitation for Client Execution
        1
        Services File Permissions Weakness
        1
        Services File Permissions Weakness
        1
        Services File Permissions Weakness
        OS Credential Dumping1
        Security Software Discovery
        Remote ServicesData from Local SystemData ObfuscationExfiltration Over Other Network MediumAbuse Accessibility Features
        CredentialsDomainsDefault AccountsScheduled Task/Job1
        DLL Side-Loading
        11
        Process Injection
        1
        Disable or Modify Tools
        LSASS Memory21
        System Information Discovery
        Remote Desktop ProtocolData from Removable MediaJunk DataExfiltration Over BluetoothNetwork Denial of Service
        Email AddressesDNS ServerDomain AccountsAtLogon Script (Windows)1
        DLL Side-Loading
        11
        Process Injection
        Security Account ManagerQuery RegistrySMB/Windows Admin SharesData from Network Shared DriveSteganographyAutomated ExfiltrationData Encrypted for Impact
        Employee NamesVirtual Private ServerLocal AccountsCronLogin HookLogin Hook1
        DLL Side-Loading
        NTDSSystem Network Configuration DiscoveryDistributed Component Object ModelInput CaptureProtocol ImpersonationTraffic DuplicationData Destruction
        Gather Victim Network InformationServerCloud AccountsLaunchdNetwork Logon ScriptNetwork Logon Script1
        Obfuscated Files or Information
        LSA SecretsInternet Connection DiscoverySSHKeyloggingFallback ChannelsScheduled TransferData Encrypted for Impact
        [Behavior graph, ID: 1430750, Sample: EQUIPTMENT_ORDER.jar, Startdate: 24/04/2024, Architecture: WINDOWS, Score: 88. Signatures shown: Found malware configuration; Malicious sample detected (through community Yara rule); Antivirus detection for URL or domain; 4 other signatures. Process tree: java.exe started icacls.exe and conhost.exe; icacls.exe started conhost.exe; 7za.exe started conhost.exe.]

        Source: EQUIPTMENT_ORDER.jar, Detection: 45%, Scanner: ReversingLabs, Label: ByteCode-JAVA.Trojan.Strrat
        Source: EQUIPTMENT_ORDER.jar, Detection: 51%, Scanner: Virustotal
        No Antivirus matches
        No Antivirus matches
        No Antivirus matches
        Source: http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5, Detection: 100%, Scanner: URL Reputation, Label: malware
        Source: http://www.allatori.com, Detection: 0%, Scanner: URL Reputation, Label: safe
        Source: http://bugreport.sun.com/bugreport/, Detection: 0%, Scanner: URL Reputation, Label: safe
        No contacted domains info
                          No contacted IP infos
                          Joe Sandbox version:40.0.0 Tourmaline
                          Analysis ID:1430750
                          Start date and time:2024-04-24 06:51:07 +02:00
                          Joe Sandbox product:CloudBasic
                          Overall analysis duration:0h 4m 57s
                          Hypervisor based Inspection enabled:false
                          Report type:full
                          Cookbook file name:defaultwindowsfilecookbook.jbs
                          Analysis system description:Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
                          Run name:Without Tracing
                          Number of analysed new started processes analysed:9
                          Number of new started drivers analysed:0
                          Number of existing processes analysed:0
                          Number of existing drivers analysed:0
                          Number of injected processes analysed:0
                          Technologies:
                          • HCA enabled
                          • EGA enabled
                          • AMSI enabled
                          Analysis Mode:default
                          Analysis stop reason:Timeout
                          Sample name:EQUIPTMENT_ORDER.jar
                          Detection:MAL
                          Classification:mal88.troj.expl.evad.winJAR@7/52@0/0
                          EGA Information:Failed
                          HCA Information:
                          • Successful, ratio: 100%
                          • Number of executed functions: 13
                          • Number of non-executed functions: 1
                          Cookbook Comments:
                          • Found application associated with file extension: .jar
                          • Exclude process from analysis (whitelisted): dllhost.exe, WMIADAP.exe, SIHClient.exe
                          • Excluded domains from analysis (whitelisted): ocsp.digicert.com, slscr.update.microsoft.com, ctldl.windowsupdate.com, fe3cr.delivery.mp.microsoft.com
                          • Execution Graph export aborted for target java.exe, PID 5552 because it is empty
                          • Not all processes where analyzed, report is missing behavior information
                          • Report size getting too big, too many NtSetInformationFile calls found.
                          No simulations
                          No context
                          Process:C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):52
                          Entropy (8bit):4.873140679513134
                          Encrypted:false
                          SSDEEP:3:oFj4I5vpm4USfwIMm:oJ5bIm
                          MD5:24D47708AB82D862C57BDFABDDD2C990
                          SHA1:A1C894F8AE0DBFD33387A63E267679B79E47F05F
                          SHA-256:3AC02DDAEB1D7B68BB7F483D0F58BA2F6BD302EBD8A23304A288718EE3FF7338
                          SHA-512:1796A9506309275D2FC017E8E20D5066622E64893912A0DE50B1AA79D71596AAE5EBC55612491030530FDBC228FE45363BEF25EC5727D91C559C57A25DA28AD1
                          Malicious:false
                          Reputation:low
                          Preview:C:\Program Files (x86)\Java\jre-1.8..1713934314296..
                          Process:C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
                          File Type:data
                          Category:dropped
                          Size (bytes):65536
                          Entropy (8bit):1.2878884311079832
                          Encrypted:false
                          SSDEEP:96:n+XBr7o8GQ5mnshx/W8C67SEOE0Bb7JlzHG1bowVG:n+XK8G0mnshx/W8C6D0J7HGd
                          MD5:7F788A7760C34FA47791FE1563937457
                          SHA1:65BA2DCEBE1198176F4CFD3BC495A8AB055BD5F5
                          SHA-256:2FA1880214DAFC3917D842F705708035DFA2359D7A8FA9690448407B126D5C52
                          SHA-512:D064B1A8B6CB2D6C38F73D77D21EAFDDE123CDDB47AC873CE9548D3C2F737E2A22D4FC22F8779BD39D02495B6EEB91533AD9AC78AEEF31A5DFB0A420997EF6C5
                          Malicious:false
                          Reputation:low
                          Process:C:\Windows\System32\7za.exe
                          File Type:ASCII text, with CRLF line terminators
                          Category:dropped
                          Size (bytes):410
                          Entropy (8bit):5.093512501588668
                          Encrypted:false
                          SSDEEP:6:1KItJtf9H3FpLYSewuoaKgLQAw0ZEDs+szM0ZE8+szMnLQAXK8FUs5R4bPWMXl3v:1Tt/fZbLjWCf/rvl5uWMX9
                          MD5:A247D76E86C2C9D6012C31A37DB33D7A
                          SHA1:56CA1C7A1980FB6DD8F2B9C99A1BFEC2A2802BC8
                          SHA-256:E2FA5984AF0B832AA8D8C8BF28E361F99380A6F8DD93085937D1169F733BF171
                          SHA-512:6E89A661DC0E0CB8FA44D5E19D22A10B728855B86FF7421FDD1681DE066A034766F651E229495747909D41E7BC8886C7600612021641F2E2AAAC2E223DF70404
                          Malicious:false
                          Reputation:moderate, very likely benign file
                          Preview:Manifest-Version: 1.0..Ant-Version: Apache Ant 1.9.7..Created-By: 1.8.0_251-b08 (Oracle Corporation)..Class-Path: lib/system-hook-3.5.jar lib/jna-5.5.0.jar lib/jna-platform-5.. .5.0.jar lib/sqlite-jdbc-3.14.2.1.jar lib/jna-5.5.0.jar lib/jna-platfor.. m-5.5.0.jar lib/sqlite-jdbc-3.14.2.1.jar lib/system-hook-3.5.jar..X-COMMENT: Main-Class will be added automatically by build..Main-Class: carLambo.FirstRun....
                          Process:C:\Windows\System32\7za.exe
                          File Type:compiled Java class data, version 50.0 (Java 1.6)
                          Category:dropped
                          Size (bytes):6160
                          Entropy (8bit):5.886545510650223
                          Encrypted:false
                          SSDEEP:192:zTchAkwiH1LdwDtgllkO7wG3G3zCZlQUNSkk3:0hBwiH1LCg/kO7w/jCZlC
                          MD5:5ED690983D3B52970E5BF28C7EC52A7A
                          SHA1:D19D5A4D107DC76267612F095323BBF751EEA229
                          SHA-256:29927D15F326BDE43B14C28ACC2583259BA90620E6C312BF2EBA02B3BB8EB53E
                          SHA-512:BCF8AD8BC4D6FD87C93E45168887A72735746C681357EE566CC304BDA3901D4DE568472A18F80F4EEBA5F4A96281314A318E381DF2E0BDC7535A9124D0F4F3CD
                          Malicious:false
                          Reputation:low
                          Process:C:\Windows\System32\7za.exe
                          File Type:compiled Java class data, version 50.0 (Java 1.6)
                          Category:dropped
                          Size (bytes):1722
                          Entropy (8bit):5.451179867402386
                          Encrypted:false
                          SSDEEP:24:APE1lK4JYfn2ci9DwWtWYbMRy4hzf4T1cyFfLVSEDoQrWpFzWAFkFkFkFkFkFkNo:ASJYfK9lMRdDU+yCMoQqBLsX
                          MD5:D8E8E2F69E7A76C8A1ABE969373F5240
                          SHA1:69E9AE054AD78A343FE550BCAB5E3C154479A85A
                          SHA-256:A704EE1127AAC9655EF8D30C109307B235FC1D96317A6DF75B8D596962FA7DB9
                          SHA-512:354C66C9737A426600C5D18E91B187C5BB5949C87C1CFBF1CB13C6D1C03C3CB1FCBC0E633CE50C0AF57B6000F8FF560F8B881CFCB4DCEB2740E2F41F0ED2ACC6
                          Malicious:false
                          Process:C:\Windows\System32\7za.exe
                          File Type:compiled Java class data, version 50.0 (Java 1.6)
                          Category:dropped
                          Size (bytes):1279
                          Entropy (8bit):5.4409097246915765
                          Encrypted:false
                          SSDEEP:24:/SpCKk5Cj2q4T2WtKWCczDlGmhT3X4yXtFy0wBc3PMne:/SgKkFJlKysmhrIO7ybBKPMe
                          MD5:AF13365E9755D78DF46CF9D3FFE1190A
                          SHA1:DFC3AFCEA86A00D111F0F4E027472E6B0928C907
                          SHA-256:16E2442B137DBD94029824ED20C3F4C5684AC974BBC2A91627E88FC07F35FC7B
                          SHA-512:A992A0C15FC90BD85EB198EFAFFF30A8942A31A705D7A5B6393CCF28664EA4ABB49155EDE61C5CD39A1A4B0D30FFEF9ED0310E104B39B3D77AD6B7A7D33F3ADA
                          Malicious:false
                          Process:C:\Windows\System32\7za.exe
                          File Type:compiled Java class data, version 50.0 (Java 1.6)
                          Category:dropped
                          Size (bytes):15798
                          Entropy (8bit):6.349028079644572
                          Encrypted:false
                          SSDEEP:192:LA2grIaW4bR3FRDjDzOJxFtU9Cxlfr/AnxZHlkHCDoB/db4/AsUl9hw/Shg2JhNj:krtW4b5zjkxFtUQrDts4Ll2g383BC+5I
                          MD5:4137B318295102AEF7AA6AF7568F40AA
                          SHA1:92B0525801795BA84744438C69FA8C57C36E70BA
                          SHA-256:292DDA481DD6587E6A40CA0731D1B833744B4910824B04DF1736EE9A72609CAE
                          SHA-512:F30E942D1FFC6F3954C8D44019A2F21E98D6D4B1E9FBF6A8C952F60EF5D3DD72EE6EEED823BAACC05F9EDCD346E96D4753336FDA599315411C367EBC656DCE99
                          Malicious:false
                          Process:C:\Windows\System32\7za.exe
                          File Type:compiled Java class data, version 50.0 (Java 1.6)
                          Category:dropped
                          Size (bytes):1243
                          Entropy (8bit):5.260894348330727
                          Encrypted:false
                          SSDEEP:24:6dAdkSxlQPzGnsj4qs5GhzHZT1xSme75Qd8K:6dAdqrxj4j52JjSJtQd5
                          MD5:3D11DF68D794B1618C385E0D661AF53D
                          SHA1:DD445E0BA91935EADD455613DA01F7B30A4DA57C
                          SHA-256:0AA503CEF827B1280A6F849F72802696F12C616E99C2EEA00E99C172459E920B
                          SHA-512:33C89DC0F45CE753B6362BF9192EFFD1F4D4DCA3E73590AF3A527D367037446694DC46EB96083060AAEE8A1437FF46A9CC26BE2188376567181E18C9B4C0FEC7
                          Malicious:false
                          Process:C:\Windows\System32\7za.exe
                          File Type:compiled Java class data, version 50.0 (Java 1.6)
                          Category:dropped
                          Size (bytes):529
                          Entropy (8bit):5.255035320891231
                          Encrypted:false
                          SSDEEP:12:0uofXPEbk+Mnzsk2/RRyGr93+B1klWqW2kMl9lo9yJtuH:joPaMnIR/x3Kuy23lHOKU
                          MD5:095538B2DA0144190769293C44B013AB
                          SHA1:FB89C8AC527E64665CEFA74451F52B8BE03CCF60
                          SHA-256:D0D2D35746DB9C8E41041A874260C1B625C02157658046A442A989922A3F1C5D
                          SHA-512:95C634BF3D7BC5E2917FFF6F0A4F9D9ABECE6411CD5277821BCD333AFC7F87136B4D905716BA91BAF122CAB13F55658E78BBA9979F1383896E3F1983F0C6EDDC
                          Malicious:false
                          Process:C:\Windows\System32\7za.exe
                          File Type:compiled Java class data, version 50.0 (Java 1.6)
                          Category:dropped
                          Size (bytes):8116
                          Entropy (8bit):6.200203990009988
                          Encrypted:false
                          SSDEEP:192:9YEtlPBNm50UhiS4C4VhhCJKKt77kxl8FVM8LpG:u0B05uSv+CJKO7kxmS6E
                          MD5:7F7BEECA0CB9315C2891DD8536D1F00C
                          SHA1:B87F7BB262DC5117F0D81538CEA29808739852DC
                          SHA-256:9881EA72538E9A57F82BA6579FE59DD4638562ABC257C514A2ED78157DDD16F7
                          SHA-512:A76A5E1ECE71168FF75CEFEB2A0554C1B9A3B094503294C7FBA28913D5D181089FF6015F9472ACC13FD00905CFEC708B470159D610530903EB8A3C8EFAFAA173
                          Malicious:false
                          Process:C:\Windows\System32\7za.exe
                          File Type:compiled Java class data, version 50.0 (Java 1.6)
                          Category:dropped
                          Size (bytes):260
                          Entropy (8bit):4.703971917887767
                          Encrypted:false
                          SSDEEP:6:7/nJi+o4lCT8O2wg096+MRPZTrvnB++loHlGyFslu/:7a4ETfrg096TRhT7nBvloHlGmEI
                          MD5:A61EFDA13A9B63AF44202E93CF5BA993
                          SHA1:E9CEB750909EC2175159928E458A2A9839D78CCA
                          SHA-256:7F55B5FEC19316EE90245BC67130D54E8AAD361662F0C229C9A214C0762AFE50
                          SHA-512:6F70800383FBA70937F1BC3850396CD70F02EFE053AED0345287D1EE148A1B6FB62E43EA17D5A82A132689EA7B30FC8F33705C10D6AB0D6EFC79E831F5C662FC
                          Malicious:false
                          Process:C:\Windows\System32\7za.exe
                          File Type:compiled Java class data, version 50.0 (Java 1.6)
                          Category:dropped
                          Size (bytes):292
                          Entropy (8bit):5.299767632454059
                          Encrypted:false
                          SSDEEP:6:S1l/vs5RUwCvWpsnIUwCvWpYIUwCvWOMhoUwCmPxsqkjl1qRPPY:S/HwCvWYwCvWOwCvWzfwCQ+fjl1qRI
                          MD5:98A968C9F0EB340A9FDED296852EF412
                          SHA1:4379AE680D0F8856DA5FAB5EBD34AFCF24AB2FB9
                          SHA-256:86E04997FE6BB0C8C718FDE024D2ED6E90D0849FC4BF8BCDD566A6D8C964B321
                          SHA-512:6F545252443CF5B503DEA567D9F47E3DA0B43107E26F43739390706279D0F0B99ED01D49A72A781F204485C0EF6A2F1987FF896FEA51D408E27E71C504026DD4
                          Malicious:false
                          Process:C:\Windows\System32\7za.exe
                          File Type:compiled Java class data, version 50.0 (Java 1.6)
                          Category:dropped
                          Size (bytes):331
                          Entropy (8bit):4.9341108253384185
                          Encrypted:false
                          SSDEEP:6:0tSRP5Ii6Q8+7zvT+2w5LDwaeli+lnVQs4mNjnXyGgknZtqmWqmn:CSROrkz+5/Uli8nVsmNj2kZtyd
                          MD5:ABA1972FE8B40501415FA37FDA0B07D3
                          SHA1:DCC213735553C6BDB6E06745F02EF79D8E754979
                          SHA-256:82D92607BE8F5DCC76B0522E4A53E5FE9ECE4AEE6C714156D0B2B91F9DBCE555
                          SHA-512:14452FE01E6FDA42F7D5C5809E18A4FA82049D6B469E99A91938F8761E29C1707A7170A238964EAEC3E761DB9CB6B37DF022698D28819C6DE85397413A3677B4
                          Malicious:false
                          Process:C:\Windows\System32\7za.exe
                          File Type:compiled Java class data, version 50.0 (Java 1.6)
                          Category:dropped
                          Size (bytes):3956
                          Entropy (8bit):5.655534886905277
                          Encrypted:false
                          SSDEEP:48:4dUCvgCvW1gCRlsiYCvJCvNCvWq9RE1YCvnCvgCviUCv1Cv1CvgCvtYCx1ytHtCf:jlsiDiZ1hTVywKwAgOO
                          MD5:22B47846E19D926F7AE04569117EE173
                          SHA1:7890AF4EADCE7803E34D4A79D7F00073DC0A8B5B
                          SHA-256:C81477EC86E4D7A7D9B6E9AE47041507EC9B2536B9FACCE1DF495BAE5CAD4796
                          SHA-512:D684F3B90D62E7BB0F71B08188CD9E74A825F74F6894818A8D3768C64C3184FD0B2317C3016E5A81FFEE70BE8179DD02EAC2E39AA1A999AEBB9F959E7F548D3C
                          Malicious:false
                          Process:C:\Windows\System32\7za.exe
                          File Type:compiled Java class data, version 50.0 (Java 1.6)
                          Category:dropped
                          Size (bytes):7953
                          Entropy (8bit):6.015127922628654
                          Encrypted:false
                          SSDEEP:192:eXDis2IOWJG/DoJeED6EHqwKaozCrUwWdAIU:pIOWJG/Dil6ECaozCoW
                          MD5:3EAD6B5F62EDE1CE73FAE5CAAA00D0CD
                          SHA1:CCFC6DD1243F8EC2F13143748F692A77CC3BFA80
                          SHA-256:AA60892381D19CE8FE0AF44D71306F43627BDA83B533D743DBB996FB97B0F3B9
                          SHA-512:1B8CBCA309E488820E750501A9EF8280B19322BD9CBB63AF9196CD17982B2F3514C6926C2AAF11D5A6C13A706293A84040004B836B2B64E9D07F653ABF2956EF
                          Malicious:false
                          Process:C:\Windows\System32\7za.exe
                          File Type:compiled Java class data, version 50.0 (Java 1.6)
                          Category:dropped
                          Size (bytes):9737
                          Entropy (8bit):6.070032921977481
                          Encrypted:false
                          SSDEEP:192:7jhMqsnlhU2sSeyR9OVyF1hSXyA4/v0pD2pS3U:7+TAhm9OV6hSXA/5SE
                          MD5:FBCFA358D10B8BD46FBA56E7D5646624
                          SHA1:4EBB43A63990F4C127EC5B0F147C7E823BFE3BFD
                          SHA-256:1FB71B5477F9F3DAFB334D807DBB24F20C9A87FADC141D6C9685620FA47A0097
                          SHA-512:2061DDE5BB4935431C91060E411C9DF808BA72827B59ADE04B35F6CA80C7F7B78538BF0A532A18CBE6BF7761ADA273EC1EB621F76D198F96550C00C26E312F3A
                          Malicious:false
                          Process:C:\Windows\System32\7za.exe
                          File Type:compiled Java class data, version 50.0 (Java 1.6)
                          Category:dropped
                          Size (bytes):8315
                          Entropy (8bit):5.997284395915946
                          Encrypted:false
                          SSDEEP:192:7PcfUZKhHw3VPZOQi/fMIKzTZGTQFUYPtl8Vq7qMG96LugEfe:r5ZKdwFPsQ1XztGUlXPsSua
                          MD5:A2417631DB1A87F188DDAAA9AEFC1192
                          SHA1:41B4E74101527026A9743BDCF6E95AF6C760B171
                          SHA-256:B88FF165B9DB4193F7D6F0D8577151323645AAFDF2D3CF24805082B3BDAAC403
                          SHA-512:B06E0FECF428486325E10144C7499A791131C4D6BA5FF2716CCF7AF373551D084FA4CBBC937E8A13A70183159C1C94B7D7C9FFBD0F954E9E074410CE56E67087
                          Malicious:false
                          Process:C:\Windows\System32\7za.exe
                          File Type:compiled Java class data, version 50.0 (Java 1.6)
                          Category:dropped
                          Size (bytes):278
                          Entropy (8bit):5.368100124867498
                          Encrypted:false
                          SSDEEP:6:TC5Ef+ikLTFUwCvUn53RPRGaS+Xz8X5GUwCjRlhb:OU+HLT6wCvi3R4aS+Xz8X5NwCjDhb
                          MD5:37E5F4CDDA377AE6E1D2766A1D07F131
                          SHA1:5237E57CD34F0BFE7A5123F0C497BE95A340D2B2
                          SHA-256:0CE71DDC42A4313B86231EDFFA827D6F5077656408A763AA8CD86A7A513A02DC
                          SHA-512:98BC74683F42252F28392355D9FB45128B7A2C89E15D8340059FC5CB018BEDF2DB476FD044CFC5688283AD5FB39B8076FC4E642401B40008CDAEB4519C8817F8
                          Malicious:false
                          Process:C:\Windows\System32\7za.exe
                          File Type:compiled Java class data, version 50.0 (Java 1.6)
                          Category:dropped
                          Size (bytes):324
                          Entropy (8bit):4.9313444191206575
                          Encrypted:false
                          SSDEEP:6:HN3jswQFTI4klhk+ThUpk+/5mOG183RPtHFvi5QUSlgitqmIBknSfK8n:lQtnklhVhUpkk5y83RPq5QhgitcBkv8n
                          MD5:9F809768F68BAAF230E5AD31C04F2CAA
                          SHA1:6DAF9558263DC3648F50262256E7466004A09765
                          SHA-256:536A40296210D93709A5100034E0EFDB0C978219D2A0E344352F95E89210F310
                          SHA-512:FFCBD8DF0217CB02CC6F1E394AD3DD57D36083FF313DC22E989E509AD3C61D602AB4A96FB2130C06C14BD05824DF49E370BFCC510E9D1B4AA3376803C431C2F6
                          Malicious:false
                          Process:C:\Windows\System32\7za.exe
                          File Type:compiled Java class data, version 50.0 (Java 1.6)
                          Category:dropped
                          Size (bytes):2408
                          Entropy (8bit):5.433497894839057
                          Encrypted:false
                          SSDEEP:48:t5MDxoaO4K1eFglgVN9/TgyqsQfJobT6ntihNNQxhwfu7WQSMjo:47O4aHyXcJoKoxevc
                          MD5:9F551164DD240EC7E5E91079746AF083
                          SHA1:174B340F05B3769275EFF27E62D8987E5DF4930E
                          SHA-256:38EEC9ED9155ECD2B8131AE4000266495CFF9661539D8D0F4746722EA94D46B3
                          SHA-512:F0587EAC340850722F7A1F782BE7B606B1133EB24DBFFCC6CED98C94C2C9666B4DFED0CB7E51160850FC15C6888228E369C99BA03A85ED935E051F16EC8B3D33
                          Malicious:false
                          Process:C:\Windows\System32\7za.exe
                          File Type:compiled Java class data, version 50.0 (Java 1.6)
                          Category:dropped
                          Size (bytes):123
                          Entropy (8bit):4.630093196831314
                          Encrypted:false
                          SSDEEP:3:DbllMluo1Pa6wgO2LXXRs183QCK8PE8InHsZMxGslllk7Vlj:EluoNPGQRPzInMysslsX
                          MD5:8C21EA0C4E5385630BA67CECD0048954
                          SHA1:AE4E82304C8F41297D09F3BF7C10047E9ECC3A8B
                          SHA-256:5886EE4C9D585FFAEEB23D9677DBDD6B092D4AC7BE729DCBFCD570F26BDFDA1E
                          SHA-512:0FD6DC59F9223E344E3A86103139AED93B5E4441759E621C8540DC96E9856AD83ED112522B78BE91889210059DDB66CAC21CD5ECF7A3F6557E629F6AFDE67281
                          Malicious:false
                          Process:C:\Windows\System32\7za.exe
                          File Type:compiled Java class data, version 50.0 (Java 1.6)
                          Category:dropped
                          Size (bytes):13146
                          Entropy (8bit):6.253109816890586
                          Encrypted:false
                          SSDEEP:384:LaToHB7HM7pbOmjO87orPelJGn6sEXqWXg:LaQ7sNb717YP6JGnP8Hg
                          MD5:F907FF6E561A3074752B70AC89074575
                          SHA1:E767753E69C5F16C1D8E5E3491EF60635271EE12
                          SHA-256:BACF6CFE425464F0DB262BAE8B96E229BBE3BD73FC4A54B23AE6E3657280AA32
                          SHA-512:E754A5405FE3B1653FABA937790F90ACC91E709934F991006B8B402ED7DCDBE5A3D45176F7839F0C9AD1B8F83F62F24846AB9CBF85D9BB44DCA80BD12F216060
                          Malicious:false
                          Process:C:\Windows\System32\7za.exe
                          File Type:compiled Java class data, version 50.0 (Java 1.6)
                          Category:dropped
                          Size (bytes):5779
                          Entropy (8bit):5.866441667031755
                          Encrypted:false
                          SSDEEP:96:SbAy8GNgWAj1dZYg3vKkgDgnpjPo/sZwvR1hHlg/G8mZOhigZpJ0uug4gb56z2bc:SVhiWWdZYehgDeJqsSJ1VO/giJ0uTvbs
                          MD5:555CFEF8817F02CB5143020C251A6DAB
                          SHA1:5812E4753BA34E8EFB233FEA2FD053FFA4C5FC06
                          SHA-256:38B92314976A4D5144CFB59B5CE9A225A1E9417A25B4142A8AC1877F7E64A0B2
                          SHA-512:BCE38AB525CC833A465D85D32525A0D66059085BD0D7F213F67FF218871A7388B15BC4C4C8B26892677D528B4ADFF14E0908333A59531B6162E34CACF3E22D0C
                          Malicious:false
                          Process:C:\Windows\System32\7za.exe
                          File Type:compiled Java class data, version 50.0 (Java 1.6)
                          Category:dropped
                          Size (bytes):9089
                          Entropy (8bit):6.011714846583218
                          Encrypted:false
                          SSDEEP:192:T89URz33V1fn/wEIJDE2UIM++lDN8p7xKjZeEyqoT:YSDl1ybi+yBe71
                          MD5:AC95ADA35889D781F1BDADA04479B9F6
                          SHA1:CB0FDF17841734EACB6EFD0E7E7A0DF5A151983F
                          SHA-256:2890E148E32D10D4289A2EE13AE7494DD21A28D4AAED6FF38E704B2D6C1DBC2A
                          SHA-512:1A1102C7799943556FC41333EF2A1089A35B92DAB0D1F899B2A8568A10D052951B15F0FB92553E30523010D5DD98EBC98FA59FCE38B08A891E2A70876868AE71
                          Malicious:false
                          Process:C:\Windows\System32\7za.exe
                          File Type:compiled Java class data, version 50.0 (Java 1.6)
                          Category:dropped
                          Size (bytes):1416
                          Entropy (8bit):5.378220398654599
                          Encrypted:false
                          SSDEEP:24:4K24AH1q7rneMtd4NMvvE5/qhzQyRhmu2mBh:4j4e1q7rFtd4NMUErRp2Sh
                          MD5:107D0506D09600B617133A3624264A97
                          SHA1:07E85594EED8F5A0A411152F2B9161AAC4D88CA5
                          SHA-256:548B3088B0356F8EB533AE46620D52934D7CF0FBD6FF232255296A3E0A6BB1FA
                          SHA-512:0E09FE4E9EC8EE7C611782478482D53FAE802ED3E92058805F9FD269A649D97066BA63D888A7319DE873C8E40B1A5E9CC4B2878BB547EEB8F8BE08F7FFAC84CB
                          Malicious:false
                          Process:C:\Windows\System32\7za.exe
                          File Type:compiled Java class data, version 50.0 (Java 1.6)
                          Category:dropped
                          Size (bytes):105
                          Entropy (8bit):4.681752259116536
                          Encrypted:false
                          SSDEEP:3:Dbllmh11lba6W6EPjQCK8PTXRGgem/lllol7:ehnFS6gRPggZ/u7
                          MD5:9C7C170800BDBFD3C25AE358BA25F473
                          SHA1:D2C86DF7D7B01EB2C581CA2B10C5228ECACDAFA1
                          SHA-256:6AA8B7BF42474CAEAEE734208A169001FB2842F796EBF0BFA70FECCA7F3FD060
                          SHA-512:370CBE0DC8C8CB069C56E2DD159F6EEC514D8963539D47F59DF0D6FBE6F92EF988D5C71CBD00EF28799C14E5C062FBD0CAE8E815340A5F55BAA3943F9E5FAFE1
                          Malicious:false
                          Process:C:\Windows\System32\7za.exe
                          File Type:compiled Java class data, version 50.0 (Java 1.6)
                          Category:dropped
                          Size (bytes):11467
                          Entropy (8bit):6.212238697007857
                          Encrypted:false
                          SSDEEP:192:bgdIxLcapLYC8vgHIrO74TK6tbq65ciXoSRQcbWMZqHlBCMAcq2zORNrGG+cZCDU:bGIxLcapLYbvgHIrq4TK6tLOiANBCMA5
                          MD5:4A978AC59A0B9BAD1A572EF9CCC6AE8A
                          SHA1:A783CA2BD864C34F520AE3F2EF38407FB9726F07
                          SHA-256:D54BDD207F5F9D026869C26C49D298C063DA6EA8E0CA715E2A7EB0DF9FD838D7
                          SHA-512:67BB3A7B978120F0C2EC93205BCE728BB1358BFD152AB5D878BF14B9EA064293ED75CB8298CD9C82ACE633E88DECFFA08C7B8E15BFE649EFCBA4C5A0926C26B2
                          Malicious:false
                          Process:C:\Windows\System32\7za.exe
                          File Type:compiled Java class data, version 50.0 (Java 1.6)
                          Category:dropped
                          Size (bytes):8640
                          Entropy (8bit):6.045296986433962
                          Encrypted:false
                          SSDEEP:96:Du0v5MkGZRAlJaJADfl1ELqGf8LBhCWDW7scQk/SPhtg77+LlLDEiaSKZyRX:LvGZRAXXef0hCWS25G3iLArQX
                          MD5:6CE81BB881DEFC535586B3710EAEE30B
                          SHA1:0F3C5B08DCD29ADC0B7D39E5D4206E7E03500C52
                          SHA-256:40C0E9FE405AFF2BBDB40032B831A2EBFC022AB17097639C101020E42DD951F7
                          SHA-512:E6D08A4E65838612A231238E4392475E3A25D67F6B64F8ED1DD6A1F64C7AE0AAA513AFA54F1F01B3ECDF6C42FA32C3F0D1F1290CA10AB99DFE43B6CD9BE76A07
                          Malicious:false
                          Process:C:\Windows\System32\7za.exe
                          File Type:compiled Java class data, version 50.0 (Java 1.6)
                          Category:dropped
                          Size (bytes):358
                          Entropy (8bit):5.458213578079848
                          Encrypted:false
                          SSDEEP:6:mluo5B8UwCtDqBsRPWKbUwCvWqdUwCvWiUwCvWqtGvNAK4ui0iNiKRloPmn:mlZPrwCtOeRu/wCvWfwCvWhwCvW6AleR
                          MD5:1A24610F52E952A86991FD4ADD5A574F
                          SHA1:61E06EFFAD67205FCFB5D1387759FAAAF0D845DC
                          SHA-256:F405101E2476AF8F3AF81B5DD93065938234E4FDE52AA780A292D6CBE0330188
                          SHA-512:80FA11837CBA52AF715A75B92778467AD14B3DB1C06CFB7EB268CF4F3FEB3C95345BFE9F2BE00DE5C2E4CDC8BB02F9CEE186B3AB7CD66D61B7058867573321A7
                          Malicious:false
                          Process:C:\Windows\System32\7za.exe
                          File Type:compiled Java class data, version 50.0 (Java 1.6)
                          Category:dropped
                          Size (bytes):5061
                          Entropy (8bit):5.7183662864640725
                          Encrypted:false
                          SSDEEP:96:bWLqzssPA0R/0aTW0hOn8TpOrppl6V2nWj4awBwssfQn:bnYsP7W79Hjl6Vl4awXn
                          MD5:A070BED0C088B93DAD55A1B74FBAA226
                          SHA1:AB609C49FEE54A2411EF05E12A3F449844439454
                          SHA-256:156FC58F49DDEF2B2F14D2F601BE256FC1D6E5800E4BF1D7BEDF95F1D34B2A31
                          SHA-512:A84E269A7A1BF23874F7DB9F69A01CDC9A9B419D6D39A59CDC900B85F325FCFBB279E1998BD5F0A4E86DDCAFB48E4BABF5A5717BD0E4BD447E47D0656EAE51A7
                          Malicious:false
                          Process:C:\Windows\System32\7za.exe
                          File Type:compiled Java class data, version 50.0 (Java 1.6)
                          Category:dropped
                          Size (bytes):324
                          Entropy (8bit):4.9581068711671294
                          Encrypted:false
                          SSDEEP:6:HNSue0ltPSRPTktP6+yGWa4FsviSXdfoyOZu+4gknI3tqmQt/s:cue0l9SRLWP6Es6viSXX7gkOt0k
                          MD5:67F30DFD76B7BF403F719D15E1E8EE0D
                          SHA1:824C0F93E68DFE07F4EF8E944B8A1B03D35CC644
                          SHA-256:AEA539921652187C9B816204EAC6F07655FCD7BF3982124EFA6DFE3E50EAB6C0
                          SHA-512:29AB7A1E2D8F22A461DD490D27E0061A1CD5FC9582C5C7A2FC30E5218BD65CFC1C6D000ADE131A533C85634B8A5ACC844D74778716EB43E94EDA603D33A3DD61
                          Malicious:false
                          Process:C:\Windows\System32\7za.exe
                          File Type:compiled Java class data, version 50.0 (Java 1.6)
                          Category:dropped
                          Size (bytes):362
                          Entropy (8bit):5.364306057236921
                          Encrypted:false
                          SSDEEP:6:HfXCRlOnUwCvfiuvpGqWDukaQPSRPlQe3bUwCvWOMh/oRUwCvWOMhX0ugtll+Lzv:/XCTOUwCvfiuvWDukJqRdQvwCvWzAuw5
                          MD5:C51134C8687A4AB0CEA0AE4884727A79
                          SHA1:C566A3C9C0A0A3E8481DCF6AF803FA877FE3F60D
                          SHA-256:D499D92CA26806E9AF7787D2A4E24C792273D3EC3A1EFD0C58CF4FA939AA0D90
                          SHA-512:475C2A28A5A09B168781D11FFDC2F7B5774A1AA3B3EDFD38328981820E6D0EC0DE7FECE166E05D9BE5A489EA1ADF0419835248807EC1CD281E2590319213C4C4
                          Malicious:false
                          Process:C:\Windows\System32\7za.exe
                          File Type:compiled Java class data, version 50.0 (Java 1.6)
                          Category:dropped
                          Size (bytes):4985
                          Entropy (8bit):5.69856711200633
                          Encrypted:false
                          SSDEEP:96:KdxaLNT+NUyyITAInrrrrrrNOeIcEjBLIfd1sbRtdc9gTVhlckzszcfdQG+zAAq:KdciNZyITAInrrrrrrNOe2U0Dc987W4J
                          MD5:7098CE63AF23AD08637E6A02C6DD9F1D
                          SHA1:B03F01D23F1D0A742D8CF3DAC6072E104053AD37
                          SHA-256:EC075D07AF921C00FB411B0029BB9DAB292482E6A9F5A638B3004A31327C6A5E
                          SHA-512:1B96E04CEAAB221FF6B89227F55A4C7382517FA22A424167F4904B689B54040E0763F7E08DB227AE0C091CE2A07AF3B89391FB259C55716325B0AF4C6382017F
                          Malicious:false
                          Process:C:\Windows\System32\7za.exe
                          File Type:compiled Java class data, version 50.0 (Java 1.6)
                          Category:dropped
                          Size (bytes):13729
                          Entropy (8bit):6.3143815859249415
                          Encrypted:false
                          SSDEEP:192:DoRlFqVNbQ7Da8wiYK19OXP/0l6onDUGT4VUrL111111gJ/XqOTBpesHKYpt:MRCbwaniNeP/0YoIGT4HxqYn
                          MD5:6CB750059EFDA9336FAC27AEBB1E91D3
                          SHA1:2E8CC8C125154AD6109A94CA1F4AADB6F07B1AA4
                          SHA-256:33A3091FAD3D9E9A114BC41BCB3D7E077DF9C1470CDBCA54DF30759D11B1DF73
                          SHA-512:CDD1877C90CFB9469E900A3B5BD63D6D23E2C4B516455535803C6A1D065423AD23EC6532B4F38EC39288A10E1A4F3AF03C4ABA2BE259CCD79B9EB4A6006F433B
                          Malicious:false
                          Process:C:\Windows\System32\7za.exe
                          File Type:compiled Java class data, version 50.0 (Java 1.6)
                          Category:dropped
                          Size (bytes):12345
                          Entropy (8bit):6.124400338760652
                          Encrypted:false
                          SSDEEP:192:6QCEP5CkzbRTdwVlE1J6+zbLApht333333UtWv2OeDrYSC:6QCGZdP18EgaWKDra
                          MD5:0FD3754CD320FEA1D0B13A3F0FE13982
                          SHA1:534099AB1BFC678F1691898AB2D4AC8F037469F3
                          SHA-256:C48FFEC4A1E4CB3E1EEF1227C4CEE60152FEEA61BEEB3D49DBE4174AE18EE9BE
                          SHA-512:3C11996F9B5A4C2CEAC583AFEE8D205F75807D2AA87EB63D7B9EB3B6BDA4DBE7E577BFAC52657E2959EDB3C9CD2F77658692EB55F51891A448437DF41AFFBA46
                          Malicious:false
                          Process:C:\Windows\System32\7za.exe
                          File Type:compiled Java class data, version 50.0 (Java 1.6)
                          Category:dropped
                          Size (bytes):326
                          Entropy (8bit):4.9315446562413054
                          Encrypted:false
                          SSDEEP:6:Hl788MTVkpsIYM5+JmPSRPBu9+tgmbInQF+UklsjHOknMH2lRtqm+XV:FK5It5gmqRZc+tgjQswukMiRtCV
                          MD5:6845B05DD1F7369CA320F6D803E097E1
                          SHA1:ECD21BF7CA62E87737E0FDEBD3921880F47D71A9
                          SHA-256:5B20A537735ABE3625818C1E1A6CCE18FF6F187B7600D9FB3F97205E59976B8D
                          SHA-512:8729219EB9FAFD29FA1EC793BC20512193800948AE7E0CED49F4ECAF60387D70607A9DAB0816708F813BA98110E222506FA3923A2E29CE809A912AD1A56F13EF
                          Malicious:false
                          Process:C:\Windows\System32\7za.exe
                          File Type:compiled Java class data, version 50.0 (Java 1.6)
                          Category:dropped
                          Size (bytes):6573
                          Entropy (8bit):6.066605437553872
                          Encrypted:false
                          SSDEEP:96:/9Pi++CPngSmPDsElfB4PMg4td7jzm36GjXrMC8IsTbH2SDLEc6E1YQjiP2Y:Ff+igSsgEn4PA7XmjQCk/W456aY
                          MD5:D8111D90D7E57B0A3200811B0DD5C25A
                          SHA1:2233D895D3A4E0BE9220A1B9F92BC71AEE3164F5
                          SHA-256:D8485030868F77CFDB77ADD9154726284488FEBBE3F1D2A51187F96EF80885FD
                          SHA-512:6C33BF182A82EA0C78FC757D7DF3E398A5AFE7BFAE3698E10D186B42B3ED938B856DC77FAB5D67BE8AC11E49609EBAAC5F6DF1028007921FE76DD50C83950B45
                          Malicious:false
                          Process:C:\Windows\System32\7za.exe
                          File Type:compiled Java class data, version 50.0 (Java 1.6)
                          Category:dropped
                          Size (bytes):3267
                          Entropy (8bit):5.677690524705241
                          Encrypted:false
                          SSDEEP:48:DcYwwemv4sxz/JiCJrzbIVbRddGbyW1BK4pEF82g6k7tX+hlZDZTThKY:DhQcGFqlCCEF82g6GtSlZ1TTMY
                          MD5:B3C79C7977A90C47E5B9835628E3D912
                          SHA1:A0934D33B5ADD8308C15175FFD3BD4A3072380D1
                          SHA-256:FBF3DF76057EABF263FB0C4969513717E9FB81A0F333E080BB27618DC2F0535C
                          SHA-512:D34D99510AD55DEBB14815605520E599E364A7CD7CC6152BB5E885E8C433D2AD30322CFE093389AC2F3A6CC6D663DCF3AA6277FB9BB07BED4F82192C65F0C75D
                          Malicious:false
                          Preview:.......2..........F...ZKM20.0.0E..m.M..V........Z...()[B.........y...Ljava/io/InputStream;...getInputStream....h...()[C..x.........R.`..)...trim...carLambo/O...java/lang/Process...[C....^...java/lang/Thread....k...readLine.........P...StackMapTable...equals..............Y......e...insert..5..-(Ljava/lang/String;)Ljava/lang/StringBuilder;...Ljava/net/Socket;...java/lang/System..1.j...Code...getMessage...([C)V...f...()V...toCharArray......java/io/InputStream....W...([BII)V...java/lang/Exception...a..w.....()Ljava/lang/String;...intern....e...<init>...(Ljava/lang/Object;)Z.......'(Ljava/net/Socket;[Ljava/lang/String;)V....B...(Ljava/io/OutputStream;)V........(Z)Ljava/lang/ProcessBuilder;...java/lang/Object..w.Y........|..../....\.......Q.[...d........([BII)I...toString.........8..........{........java/lang/StringBuilder...java/io/BufferedReader..Z.'...Ljava/io/BufferedWriter;....g...append..;.@..i./...java/io/OutputStream..;.r...start.......;.z........(Ljava/io/Writer;)V...(ILjava/lang/St
                          Process:C:\Windows\System32\7za.exe
                          File Type:compiled Java class data, version 50.0 (Java 1.6)
                          Category:dropped
                          Size (bytes):2254
                          Entropy (8bit):5.502821058784438
                          Encrypted:false
                          SSDEEP:48:+YhlDyhMdhULMqchyhhIOnyHQ+lcva/hcBmscR/hQwUAC6:MM0rnyHQycMdhQwUa
                          MD5:3957575ACDC3BBC00D9B688CB995794F
                          SHA1:E48C8D605A7567A083D6F29C4FA87071FA028A0D
                          SHA-256:9A11C1C97EDAE9B97AD80146D0EE61A160343418DA71C1C6062815550E126449
                          SHA-512:DA9566B07593C9BE80037DE0EACC43679E4AB7DA3B6A5F563C56226BA98690DDE3DB14E1C155C01862972D99DDFD3340F9DD2D9A6D9CA7BF0589BE7E570CC14E
                          Malicious:false
                          Preview:.......2....Z.....K..}...ZKM20.0.0E..@....G.....a....p....e...java/io/File...StackMapTable...()I...m...p...()Ljava/lang/String;...Ljava/net/Socket;...(I)C....r..v.z...Code..@.o...carLambo/y..n.....k...ad.java..f.....f..1,..jP0..u).d6..gd.ZgYF.,..jP0..u).d6..g.^&s..q_A%...i..\.2..!....X.....@.9..f.k..i.W...e..@.x...carLambo/ad...separator..j.5....p...(ILjava/lang/String;)Ljava/lang/StringBuilder;..f....@.T...intern...b..j.....I...toCharArray...h...([C)V...length..t.M.. (LcarLambo/b;)Ljava/lang/String;....p..@.a..l..).p...substring....p..0.p..(...J..@.C..O.2...()[C..A.m......append...java/lang/StringBuilder..F.<...<clinit>...i.C+8Ei.^&s..q_A%...[C..~.m...q...n..i.1..@.?..=.s...Ljava/io/OutputStream;..N.2...Ljava/util/Random;..L..q.,...carLambo/i...g.....@.....d...Ljava/io/InputStream;..i....@.....r..Y.p..i....f.R..&.p..&(Ljava/lang/String;)Ljava/lang/String;..g...java/lang/String...LcarLambo/p;..H...<init>..3.D...[Ljava/lang/String;...LcarLambo/b;...charAt..w.p...Ljava/lang/String;...ins
                          Process:C:\Windows\System32\7za.exe
                          File Type:compiled Java class data, version 50.0 (Java 1.6)
                          Category:dropped
                          Size (bytes):5795
                          Entropy (8bit):5.893522231648724
                          Encrypted:false
                          SSDEEP:96:0NF4RW3lgkCz0ThpLhZUvnra3bV9GD9UwDZV2csIIfaoHVXYyMpP/:0Y0gkCQTTFZwnrM9SDZV2NIaXSpP/
                          MD5:657F41EAE32D0D996C23CE7F5F0270DE
                          SHA1:0425CC93D398C150401A43A05431FB1B6FE36959
                          SHA-256:61F61BFED7A18475FDD48F37AE80B28D33D9410271B8526A6914564F8FDFBF66
                          SHA-512:963C44B604956B16DB67BBCEECB0D989FF0191D2966744174017D544FE30E704B5356F460442BC5235E2B68E5FBCDCA8C8D0AE094A46124A36FF5717F2138261
                          Malicious:false
                          Preview:.......2....?..0..J...........ZKM20.0.0E...redirectErrorStream..-(Ljava/lang/String;)Ljava/lang/StringBuilder;...Ljava/lang/String;...trim..&(Ljava/lang/String;)Ljava/lang/String;...java/io/InputStreamReader..`.-..!...[Ljava/lang/String;..i.3..>.(......()I..w.T..$.A...StackMapTable..w./..r.}..D.j...(Ljava/lang/String;)Z...b..t.C..|.A....K...toString..1...java/lang/ProcessBuilder..p.b..t.k..\........()[C..t.W...(Ljava/lang/Object;)Z...split..P.....Code...carLambo/j..G....`.:..i.....:...java/io/BufferedReader...<clinit>...(II)Ljava/lang/String;...toCharArray...charAt...java/lang/StringBuilder.. .{..`.e..'(Ljava/lang/String;)[Ljava/lang/String;..h.....readLine...printStackTrace..V...equals......[.w.......k.....w...WY.o...[...>!....O.{..>.._.9..j...vm.r.3oS...w..j.#..Qg.n.c...GH.!"e.......Km.....java/io/IOException..t.Q...()Ljava/lang/Process;...([Ljava/lang/String;)V...getInputStream..5.v..;.....startsWith..|.*..]..2..1.S.......
                          Process:C:\Windows\System32\7za.exe
                          File Type:compiled Java class data, version 50.0 (Java 1.6)
                          Category:dropped
                          Size (bytes):6173
                          Entropy (8bit):5.986695907459997
                          Encrypted:false
                          SSDEEP:192:lY13Gw2Ont/cley5k4as4wqGFdCZYO1s+1kkkN628:lYmKt/afas4wqGiZho8
                          MD5:7131CDDD0AEA4DA0900463705E439CA2
                          SHA1:E8655D4E2C8BA1E71AC73E95B137F76FE8B997FC
                          SHA-256:5D22D30D2A1F2B0E18680398C6A75592849DB6E35CC23E7E548E1AE037316AC0
                          SHA-512:774795134AA6D152FB8F2C47ADCEB6FEBC7C9D0F67123208338E361BB25739791FCF7187B472E8063B6BFF2FAEDA3B2CBCB771173737D10EC1103CBCBE0A3496
                          Malicious:false
                          Preview:.......2.}.......A..r...ZKM20.0.0E..y.Q....5..f.....getAbsolutePath...SourceFile.. .x...toString...([C)V..{.@..z._...(LcarLambo/af;)V...carLambo/Y..S.v..&(Ljava/lang/String;)Ljava/lang/String;..y.M..z.)...[C...I..\........af.java...(Ljava/lang/String;)V..n.U...(ILjava/lang/String;)Ljava/lang/StringBuilder;...carLambo/i.. .*..f.+..3..m.... .....b...StackMapTable..e...()[C...Exceptions...java/io/File..L.F....5...([Ljava/lang/String;)V..z....k.b..f.C..y.c...length...(Ljava/io/File;Ljava/io/File;)V..m.....java/lang/StringBuilder...carLambo/y...()Ljava/lang/String;..Z.8..-(Ljava/lang/String;)Ljava/lang/StringBuilder;...(I)C...()I...intern..y.E..R...()[Ljava/io/File;..Y..0.9...()Z.....i.K..Q....w..Q.........9;..'x.X..S.N.zp..# B~..-.......!G..~#.4......5.=N6....T.c$.......#D^.uv.6._&..J....Y2.=..5..`....E 9/.....YRd{..+.!....S..Vv.........7.p.....G.n....r..........v..B.t.v.2.....d....O..
                          Process:C:\Windows\System32\7za.exe
                          File Type:compiled Java class data, version 50.0 (Java 1.6)
                          Category:dropped
                          Size (bytes):453
                          Entropy (8bit):5.143309415203144
                          Encrypted:false
                          SSDEEP:12:H7zkceRQWhptRylwux4kVRWz2FVbDZGcmC/nCewm:+ucwlB+V2DsInsm
                          MD5:8AA132A2BF1E367A8746A02B0CA122A4
                          SHA1:AB52358DDBEA707569897A396B444CFD2414E3F7
                          SHA-256:6369F99D81B9C18A95BF55FCA06D7FDC3DB555707A8F0025DE1B973462F6478F
                          SHA-512:6320B887A709F8D967E152628B005DFD6725387C4B3F312DDBAFF69CCDEDE42CEC92CEFB04070849E5EC10F07A5097B620137032786030AB29CDC0E8D4AB3458
                          Malicious:false
                          Preview:.......2.!...ZKM20.0.0E...b.......................ag.java...LcarLambo/T;...Ljava/net/Socket;...java/lang/Object..,(LcarLambo/N;Ljava/net/Socket;LcarLambo/T;)V...<init>...c...carLambo/N...a...java/lang/Runnable.............()V......SourceFile....... ...run........Code.............carLambo/ag.........LcarLambo/N;. ............................... .................$........*-KN*-Z[,-+.......................................*Y..._...*.....................
                          Process:C:\Windows\System32\7za.exe
                          File Type:compiled Java class data, version 50.0 (Java 1.6)
                          Category:dropped
                          Size (bytes):275
                          Entropy (8bit):4.922260410347631
                          Encrypted:false
                          SSDEEP:6:7/nTzfhzC8Ov1wFXM0iY2vD35lXmPSzXMWRPPOkff0VQ:7Lg4MRTrmq7MWR3jr
                          MD5:9F5E03107588AAC129682BF4F4F629E3
                          SHA1:F4B9D994441D0AA338463B7317692DB2AA8E13B5
                          SHA-256:46A9DB34C087A65D14F0725531707D33D0D8F3D1D4A3D5495693D735EBA73E58
                          SHA-512:4006AF2D3E6DFA652530B2EA7E2F409BD36BD9C2C76B12C061A62A0C3085ECBF654BD6AB5E3DBBA5FA43195617694F3D8E043CB5DC8F14779BAB367502067DC7
                          Malicious:false
                          Preview:.......2.....ZKM20.0.0E...SourceFile........Code......LcarLambo/ai;...carLambo/ah........[Ljava/lang/String;......()V........a...ah.java........b......<init>...java/lang/String...java/lang/Object. .................................................*Z.......YX..................
                          Process:C:\Windows\System32\7za.exe
                          File Type:compiled Java class data, version 50.0 (Java 1.6)
                          Category:dropped
                          Size (bytes):5448
                          Entropy (8bit):5.7222365618877875
                          Encrypted:false
                          SSDEEP:96:QN8B64alQSBkttttttDrEb1gBlGNm9DdC0mJN5jfTjg1vjetXs32w:QNk6jhBkttttttDo50lFCXN5j4MtW2w
                          MD5:6BB2819BC781018CE351B5AD3E43E8EF
                          SHA1:8063EB8193FCA80257C644587999509296ED1481
                          SHA-256:770023FF56B622F7505116FA87260338ACEEC2BFCD494AE5DE8E4136B982DD22
                          SHA-512:1325CC4BCA855FEB8B6A5FF389367DAE21D322E6EAD613A11A5C66CF9B2400AE9EA4C09CA26F9DD732CEF670AA319997C9429F28DD3699E5D24C61A01687E357
                          Malicious:false
                          Preview:.......2....W........ZKM20.0.0E..r.....A...a...(Ljava/io/File;)V...Ljava/io/File;..d.e..-...getChannel...StackMapTable........java/io/File....T..!()Ljava/nio/channels/FileChannel;....t..".4..S.4..]..|.#...separator...java/io/FileOutputStream..;.c..l.z..}.1....x...charAt..).I..@.D...()I..../...f..@.z..`.....Ljava/nio/channels/FileLock;...substring....K....6.....`..........length...carLambo/i..@.=..2.s...java/nio/channels/FileChannel..&(Ljava/lang/String;)Ljava/lang/String;...insert..`.M...()Ljava/lang/String;..~.....(I)C...java/lang/StringBuilder...Ljava/lang/String;........carLambo/ai...b...LcarLambo/af;...(Ljava/lang/String;)V.........n...<init>...java/lang/Exception...carLambo/U..`.....([C)V....N........close...[C....8....<...()Ljava/nio/channels/FileLock;...[Ljava/lang/String;..;.z....=..~.g....M...ai.java..u.J...toString...(II)Ljava/lang/String;...SourceFile....n...T...(..`.....PB=..8...<clinit>......java/lang/Object...Exceptions...intern...carLambo/y..~.....Code..:..`....o.
                          Process:C:\Windows\System32\7za.exe
                          File Type:compiled Java class data, version 50.0 (Java 1.6)
                          Category:dropped
                          Size (bytes):396
                          Entropy (8bit):4.992247697151235
                          Encrypted:false
                          SSDEEP:12:HR5hiYppQRaK5lw/1/+ik8J5l40VepOloz1NW78:rhiYpGoQlkHR/kKuy8
                          MD5:2D4B3C9DD3DCBFA4EF3AF811B1B47E8F
                          SHA1:E4083D0532C92057B483C5F77BC744D7E02C3BF4
                          SHA-256:F50548CD6DDE80439C169DE23DA3106172612429D25DB7A779B38AA39AF99755
                          SHA-512:08906D5FEABA627782B5D220C9CD620555067232B6B3246AA9C94A1D8482AEBE68A8C4C1EF261690DDA8C0D53FAC65265A07746626601DF217C7E8307BA72661
                          Malicious:false
                          Preview:.......2.!...ZKM20.0.0E........carLambo/aj...aj.java...Code........java/lang/Object...()V...carLambo/E...run...java/lang/Runnable.............sleep............(Z)Z...java/lang/Exception...........(J)V......java/lang/Thread...StackMapTable...<init>...........a...SourceFile.......u0.0..................................*........................................W.W.....................L.............
                          Process:C:\Windows\System32\7za.exe
                          File Type:compiled Java class data, version 50.0 (Java 1.6)
                          Category:dropped
                          Size (bytes):482
                          Entropy (8bit):5.369008069744111
                          Encrypted:false
                          SSDEEP:12:Jj2FWDzkoWSRAf18QoUrvkukxHi0qj6+uPFX7b5:l2F0zJWSO8OkFEjIPFXv5
                          MD5:C9C385EA7350E0B04C6FE4D9301D8484
                          SHA1:6E308A075577B495491DA4EB180D7D098AA7C60E
                          SHA-256:34D8048340D71008BAD667FD606BD440001DB1F61F9237FDD7F888E595178822
                          SHA-512:B6C55649A6EA11EAC8A0A4A4C79841E4EBC60C7F582903C2A2CB76705597C5C6C65AB7FE5117BD3F21C28D3C8E5DEB97D5BE48B6FDCF164105D21A176F0A5D06
                          Malicious:false
                          Preview:.......2.&...ZKM20.0.0E...java/lang/NoSuchFieldError...carLambo/ak.......#...ALLATORIxDEMO...carLambo/b.. ..........<clinit>........Code...StackMapTable.. .....java/lang/Object...()I......[I....... ......#...m...()V....#...()[LcarLambo/b;...J.. .....SourceFile..$.....values...a..... ........LcarLambo/b;...ordinal...ak.java. ..."...........................r.......8..!....YX.............O...K..........O...K..........O.K..............&.)...*.5.6............Z....M....K............%
                          Process:C:\Windows\System32\7za.exe
                          File Type:compiled Java class data, version 50.0 (Java 1.6)
                          Category:dropped
                          Size (bytes):540
                          Entropy (8bit):5.173056195842075
                          Encrypted:false
                          SSDEEP:12:L3tl9a+wEcXIlUmL+phk8jtqR/RucOLya0kDqlk9vlobXK:L3tlUWmIlUmL+DnjsR/YcO4cqlk99gXK
                          MD5:B9AD3509BF5AF35233E2FE0850CA373D
                          SHA1:D8B968B48787F58BFE1A886DFAACFCD1EC3A7AF3
                          SHA-256:83A2FAF9368D14FA82C84730A069EE3A354A0FFC5EF7EC898141343DFF74A322
                          SHA-512:4B43D3ACBCC32743C0EB9E2A337DBE065BEAF2EFB543610EF4D01275E592062149B653FA47E6F64C46F31642DFFBB47651C637B5A9A20599263D609DDF57E726
                          Malicious:false
                          Preview:.......2.3...ZKM20.0.0E.......0............carLambo/y...carLambo/z........Z.......$.....carLambo/ad...java/lang/Thread......carLambo/i...."...f../.....SourceFile...carLambo/al...java/lang/Runnable..*.&..#.....Code........g...java/lang/Exception...(J)V.....+.....StackMapTable...run..,.....<init>...a..............al.java..*........c...sleep........()V...d...java/lang/Object..........0.'.............!.........X.......&...<........)..-...W..1......W................%.......%... ..........N..%.H..%....#..................*.................(
                          Process:C:\Windows\System32\7za.exe
                          File Type:compiled Java class data, version 50.0 (Java 1.6)
                          Category:dropped
                          Size (bytes):8523
                          Entropy (8bit):6.075649020234199
                          Encrypted:false
                          SSDEEP:192:d/97i3oTz6yeY+0cHkZKHLBNWDeKTJqxRqQfPTr7Z:37woTzSzrBNdKd3QfPTp
                          MD5:35BBB071DDA6DDECD7E0D51D9DD391E9
                          SHA1:394C92D174DF52240C66E626E0DB2712A1400521
                          SHA-256:4AFD7D1AB7C0B9CF8A45134C035ACB01F0A4C644BBE0BF1E25288BA67A94C099
                          SHA-512:5209F8F1E8339242E5FBF7BBEA8D3D9AFCE5CC1FBEC2C4B72439E69BFE255A553550E959E70E2BFF3D6B952C92CD908AA5B63A6E6DC1A3527F3D6E3475E3EEDF
                          Malicious:false
                          Preview:.......2..................[..........}..r...ZKM20.0.0E....:........x..>.*..$(Ljava/util/Set;Ljava/lang/String;)Z...d..7......................s..L.+..>.w...am.java..P.6..>....q.........L.b...C......T+...contains..L......n...java/lang/String....y..,...[Ljava/lang/Object;...insert...([C)V...size...([B)[B..V.....[C....b..D(Ljava/lang/CharSequence;Ljava/lang/CharSequence;)Ljava/lang/String;...next...toCharArray...Z...(Ljava/lang/Object;)Z...get...carLambo/am...()Ljava/util/Set;..O(Lcom/sun/jna/platform/win32/WinReg$HKEY;Ljava/lang/String;)Ljava/util/TreeMap;..4.......!com/sun/jna/platform/win32/WinReg....5....(.......o...a..w....N..L.d..7.....()Ljava/lang/String;...[B....a..&(ILjava/lang/String;I)Ljava/util/List;...replace...(I)C...([B)V....K..Q.......&..O.....substring...registryGetValues...getBytes...()[C........iterator...Signature...append...Code....1...java/util/ArrayList...SourceFile...q...<clinit>...java/util/Set..&(Ljava/lang/Object;)Ljava/lang/Object;............I.........C...
                          Process:C:\Windows\System32\7za.exe
                          File Type:compiled Java class data, version 50.0 (Java 1.6)
                          Category:dropped
                          Size (bytes):330
                          Entropy (8bit):4.925461832551757
                          Encrypted:false
                          SSDEEP:6:0lAYHvA+DcWAsIpGV/6+XFRq4qYlQlloWSRPPsT+OoVitqm4WiZknVl/kn:UTvhGpGN68LqaulSWSR3a+F8twZkkn
                          MD5:6FB0577964A7400923536D35045D775B
                          SHA1:F25C098E4EDD0C2D748EC040144D74122BCE1DEE
                          SHA-256:97C95059FD5C4591CCF5CA91030814F37F1843A4D97F2C6B0A77765F2D0F459F
                          SHA-512:0D50694736A62B6FA682807230E83C0C600280D89C2AA1EE71CBF437E5F10034B8DA0F0BCD61A5FC6EAFDF27184D38D4899895845FF17E6156A42BA2E8F63CFF
                          Malicious:false
                          Preview:.......2.....ZKM20.0.0E...()V........LcarLambo/H;...an.java.........run...a...b...<init>...(LcarLambo/H;)V...carLambo/an........SourceFile...java/lang/Runnable...Code...carLambo/H.............................java/lang/Object. ..........................................*+KL+Y*.................................*.....................
                          Process:C:\Windows\System32\7za.exe
                          File Type:compiled Java class data, version 50.0 (Java 1.6)
                          Category:dropped
                          Size (bytes):7610
                          Entropy (8bit):6.003039906018583
                          Encrypted:false
                          SSDEEP:96:VyB7iuTJsRluwfG6LXdwJu/cqxJlvpjiKpzutL1qUvOKI6oe/tvKSBhqVB80nahC:swcxPrEatvKsu2VUPNtBreTU
                          MD5:4CC6AB8D467B10996CA9E2BDE8BEDB91
                          SHA1:77026A186861F42ED6FE0B5DA0F18BC63C40A17D
                          SHA-256:A2903DBB78183531085FCBD26EE5B32B6BE4D05102A86AF00A1267592750B509
                          SHA-512:774E498E02924B8066DF805E639CEEB3DC72EC69D968D220E5D946B1B6A568521E205E366398E4F1F748F25BE23F501B1ED04763B654086E1D17AD01A1BBFE17
                          Malicious:false
                          Preview:.......2.a.....T........ZKM20.0.0E.....".*...[Ljava/lang/String;..F./...()Ljava/lang/String;.......F.H...[C......carLambo/E...getVirtualKeyCode........c...()C..7.....keyReleased...getKeyChar..8...toCharArray...substring...()I...java/lang/String...()[C...(C)Ljava/lang/String;..&(Ljava/lang/String;)Ljava/lang/String;..Z.M..6.-...()V...(I)C..?...<clinit>..=.....carLambo/ao...(II)Ljava/lang/String;..Z.....Code...b.._. ..6.O....&..=.^.....y2.t....Xt..........isControlPressed..0.:..6.........@..0(Llc/kra/system/keyboard/event/GlobalKeyEvent;)V..%...valueOf...carLambo/i..=.&...()Z..Z.U..Z.>...a..C....-lc/kra/system/keyboard/event/GlobalKeyAdapter...(Ljava/lang/String;)V...SourceFile..].$...intern...charAt...keyPressed..N..W.:.......Z....Z.V...length...([C)V..K....+lc/kra/system/keyboard/event/GlobalKeyEvent..)....F.G...ao.java..F.1..Z.,..y....x..........,..,T....l...Sp...x....5......B....H&...E.8...@:...Y'.Z.(1.......w...hF..._.T0.q.H&N..^..
                          Process:C:\Windows\System32\7za.exe
                          File Type:compiled Java class data, version 50.0 (Java 1.6)
                          Category:dropped
                          Size (bytes):26454
                          Entropy (8bit):6.662854220501369
                          Encrypted:false
                          SSDEEP:768:IW6OAMjTWRHyt6qC4TEVTO7X1PRe8371L:IW6OBT8SHC4TERORZPt
                          MD5:FAD91F8730E6C30159B46A9223B4ADC8
                          SHA1:2E4433566ECA9A750024C63294EAD56D552A0694
                          SHA-256:9C8695CFFDC3A9A53FB48B371A39E14ED4FCBD8FA910224F48AB5AA3B201E9E4
                          SHA-512:9C113C7131AF752375AB1E8C768270567C48409BD356666512266B055353841AE6DEDD00195ABD4DE4E061CCE062683FE22610D8F35BCC804505FB74B2EA752F
                          Malicious:false
                          Preview:.......2.4......../...........0..8..z....a..|.....*..b.....U..9........ZKM20.0.0E...getInstance...java/lang/Character...java/lang/Integer.............(I)V.......j.... .,...(Ljava/lang/Object;)Z........(Ljava/lang/String;I)V.....$java/io/UnsupportedEncodingException...d..K.S........update..Z......r...size..+.....B...substring...java/lang/Class..7.2...<init>...UTF-8...(I)C..n....%(Ljava/lang/String;)Ljava/lang/Class;........writer..w......#...forName...SHA-512.......()V...l.......\...getBytes..<..........lastIndexOf.......1(Ljava/lang/String;)Ljava/security/MessageDigest;..Q..>......X.................R.....g....-...add........c......[Ljava/lang/Class;..}..(Ljava/util/concurrent/ConcurrentHashMap;......Z...x...digest..&(Ljava/lang/Object;)Ljava/lang/Object;..c............Q(Ljava/lang/Class;Ljava/util/ArrayList;Ljava/util/concurrent/ConcurrentHashMap;)V..!..Z.L....B.........Y...[...indexOf..7(Ljava/lang/Class;Ljava/lang/String;)Ljava/lang/String;....5....(.............java/lang/Boolean...a
                          Process:C:\Windows\System32\7za.exe
                          File Type:ASCII text, with no line terminators
                          Category:dropped
                          Size (bytes):220
                          Entropy (8bit):5.79531731715205
                          Encrypted:false
                          SSDEEP:6:c9gtVTA1yFwSkEgcWDFXdP+9W916SZANWGn:cKt59FwSkHnDFo0S5
                          MD5:713F88E2F50290748ADFAA27CC386978
                          SHA1:E4516FD8B2F1BBD095D611A2EB7E3802F1CB04B9
                          SHA-256:A6D871A14253D6CD972C1125F3266B473B588BFEA48DB7C929DF5A342B5C1ECD
                          SHA-512:CDE63624065F9F075D76BE238110D2B74712E2959691087A7D2F4C927CBD3A43ECB2863FE4F12AECAF0FD76DFD0F51B3775C4A0480FE7F4D43D13D1C2293BABD
                          Malicious:false
                          Preview:AAAAENM+xOAKIZY4EDTPvqO/C+iMORWp6evDbNrLPcxHUK3iLmY045vIqub/ZwDFHULULyPb5PBE+7S3iAd41HoYQotzjsMFomsVp1SSTqFDcDtfiRJ21OWfpJ5QUOslfMX5+o/lnLCp55V3AXy0r36TCS2cX0M8KPkqwcN6+MZkbITTO9p95e1q1nWJUKGM7RNEktFgr4ZlUHIH0UUw3nHH3Hk=
                          File type:Zip archive data, at least v2.0 to extract, compression method=deflate
                          Entropy (8bit):7.967562545395499
                          TrID:
                          • Java Archive (13504/1) 62.80%
                          • ZIP compressed archive (8000/1) 37.20%
                          File name:EQUIPTMENT_ORDER.jar
                          File size:213'981 bytes
                          MD5:b42ff7e68ccb74b444fd8d30636466cf
                          SHA1:854601f3529fed533b297b4904c67938152563b1
                          SHA256:eb8ff032ecdacae049aa7edcb3c76e2b3274e7b01dd19aacbd71cfb96f8c9529
                          SHA512:cda474d9172d10bdab1cc096284f67bb69fd78d009b05f0cff05398d161bf0790f56d9ec2dbb2a1025276c0590ef964e578bb8917b01632077c56313c4a3fafe
                          SSDEEP:3072:ErTEPKiBNElVUyG+sJOAqVy3qz88pPCGxfSs0jBHeVJCkuWEzPeiipBfN5X:E/MB0muAqChips7+VJCTWicBl9
                          TLSH:5624F1BE3D9AC0FAD00BC6765204C63F691D4383C198E11B2AFC255A1D38D669E16EDF
                          File Content Preview:PK...........X................META-INF/MANIFEST.MF..AK.0......9.ab.Z\{[...+".7.4Y..&5I..{.^tED.....cfZrf.c.g.....R..m.7e3Q.k.Z6..%gM......3.....*Q.k8.........J.p...b..J}.......G....sQ...A..a...H.,...#V......I..%..)/.J...e................S.-...3..X.R.)....
                          Icon Hash:d08c8e8ea2868a54
                          No network behavior found


                          Target ID:0
                          Start time:06:51:52
                          Start date:24/04/2024
                          Path:C:\Windows\System32\7za.exe
                          Wow64 process (32bit):true
                          Commandline:7za.exe x -y -oC:\jar "C:\Users\user\Desktop\EQUIPTMENT_ORDER.jar"
                          Imagebase:0x70000
                          File size:289'792 bytes
                          MD5 hash:77E556CDFDC5C592F5C46DB4127C6F4C
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:1
                          Start time:06:51:52
                          Start date:24/04/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:false
                          Has administrator privileges:false
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:3
                          Start time:06:51:53
                          Start date:24/04/2024
                          Path:C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_749031\java.exe
                          Wow64 process (32bit):true
                          Commandline:java.exe -jar "C:\Users\user\Desktop\EQUIPTMENT_ORDER.jar" carLambo.FirstRun
                          Imagebase:0x780000
                          File size:257'664 bytes
                          MD5 hash:9DAA53BAB2ECB33DC0D9CA51552701FA
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Yara matches:
                          • Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 00000003.00000002.3259064720.0000000009F92000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: INDICATOR_JAVA_Packed_Allatori, Description: Detects files packed with Allatori Java Obfuscator, Source: 00000003.00000002.3259064720.0000000009F92000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                          • Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 00000003.00000002.3259064720.0000000009F61000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: INDICATOR_JAVA_Packed_Allatori, Description: Detects files packed with Allatori Java Obfuscator, Source: 00000003.00000002.3259064720.0000000009F61000.00000004.00000800.00020000.00000000.sdmp, Author: ditekSHen
                          • Rule: JoeSecurity_STRRAT, Description: Yara detected STRRAT, Source: 00000003.00000002.3259064720.0000000009F67000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          • Rule: JoeSecurity_STRRAT, Description: Yara detected STRRAT, Source: 00000003.00000002.3258479899.0000000004DCB000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                          Reputation:moderate
                          Has exited:false

                          Target ID:4
                          Start time:06:51:53
                          Start date:24/04/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:false

                          Target ID:5
                          Start time:06:51:54
                          Start date:24/04/2024
                          Path:C:\Windows\SysWOW64\icacls.exe
                          Wow64 process (32bit):true
                          Commandline:C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
                          Imagebase:0x3d0000
                          File size:29'696 bytes
                          MD5 hash:2E49585E4E08565F52090B144062F97E
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true

                          Target ID:6
                          Start time:06:51:54
                          Start date:24/04/2024
                          Path:C:\Windows\System32\conhost.exe
                          Wow64 process (32bit):false
                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                          Imagebase:0x7ff6d64d0000
                          File size:862'208 bytes
                          MD5 hash:0D698AF330FD17BEE3BF90011D49251D
                          Has elevated privileges:true
                          Has administrator privileges:true
                          Programmed in:C, C++ or other language
                          Reputation:high
                          Has exited:true
