Edit tour

Windows Analysis Report
JavaSDK.exe

Overview

General Information

Sample name:	JavaSDK.exe
Analysis ID:	1522551
MD5:	323d61aee8261168106aa20ee6dc3272
SHA1:	5d6f81ce2d5465bdebac95af1c27bc4b5d6e193f
SHA256:	318647f8d8fa142ee1df6c8d8aa440688ce2c82cad3cc4341a2c3869d88d9740
Tags:	exeuser-Pavel228
Infos:

Detection

ZTrat

Score:	100
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Antivirus / Scanner detection for submitted sample

Antivirus detection for dropped file

Found malware configuration

Multi AV Scanner detection for domain / URL

Multi AV Scanner detection for dropped file

Multi AV Scanner detection for submitted file

Yara detected ZTrat

.NET source code contains potential unpacker

AI detected suspicious sample

C2 URLs / IPs found in malware configuration

Machine Learning detection for dropped file

Machine Learning detection for sample

Modifies the windows firewall

Uses netsh to modify the Windows network and firewall settings

Uses schtasks.exe or at.exe to add and modify task schedules

AV process strings found (often used to terminate AV products)

Abnormal high CPU Usage

Allocates memory with a write watch (potentially for evading sandboxes)

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Contains long sleeps (>= 3 min)

Creates a process in suspended mode (likely to inject code)

Creates a start menu entry (Start Menu\Programs\Startup)

Detected TCP or UDP traffic on non-standard ports

Detected potential crypto function

Dropped file seen in connection with other malware

Drops PE files

Enables debug privileges

Found a high number of Window / User specific system calls (may be a loop to detect user behavior)

Found dropped PE file which has not been started or loaded

HTTP GET or POST without a user agent

IP address seen in connection with other malware

Internet Provider seen in connection with other malware

May check the online IP address of the machine

May sleep (evasive loops) to hinder dynamic analysis

Queries the volume information (name, serial number etc) of a device

Sample execution stops while process was sleeping (likely an evasion)

Sample file is different than original file name gathered from version info

Sigma detected: CurrentVersion Autorun Keys Modification

Sigma detected: Startup Folder File Write

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Stores files to the Windows start menu directory

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Process Tree

System is w10x64

JavaSDK.exe (PID: 4760 cmdline: "C:\Users\user\Desktop\JavaSDK.exe" MD5: 323D61AEE8261168106AA20EE6DC3272)

netsh.exe (PID: 4304 cmdline: netsh firewall add allowedprogram"C:\Users\user\Desktop\JavaSDK.exe" "JavaSDK" ENABLE MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

conhost.exe (PID: 2164 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

netsh.exe (PID: 892 cmdline: netsh firewall add allowedprogram"C:\Users\user\Desktop\JavaSDK.exe" "JavaSDK" ENABLE MD5: 4E89A1A088BE715D6C946E55AB07C7DF)

conhost.exe (PID: 7140 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

schtasks.exe (PID: 2724 cmdline: "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "JavaSDK" /tr "C:\Users\user\Desktop\JavaSDK.exe" MD5: 48C2FE20575769DE916F48EF0676A965)

conhost.exe (PID: 6572 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: 0D698AF330FD17BEE3BF90011D49251D)

JavaSDK.exe (PID: 2672 cmdline: C:\Users\user\Desktop\JavaSDK.exe MD5: 323D61AEE8261168106AA20EE6DC3272)

JavaSDK.exe (PID: 1248 cmdline: "C:\Users\user\Desktop\JavaSDK.exe" MD5: 323D61AEE8261168106AA20EE6DC3272)

JavaSDK.exe (PID: 5792 cmdline: "C:\Users\user\Desktop\JavaSDK.exe" MD5: 323D61AEE8261168106AA20EE6DC3272)

JavaSDK.exe (PID: 5640 cmdline: "C:\Users\user\Desktop\JavaSDK.exe" MD5: 323D61AEE8261168106AA20EE6DC3272)

JavaSDK.exe (PID: 5136 cmdline: "C:\Users\user\Desktop\JavaSDK.exe" MD5: 323D61AEE8261168106AA20EE6DC3272)

JavaSDK.exe (PID: 4568 cmdline: C:\Users\user\Desktop\JavaSDK.exe MD5: 323D61AEE8261168106AA20EE6DC3272)

JavaSDK.exe (PID: 2968 cmdline: C:\Users\user\Desktop\JavaSDK.exe MD5: 323D61AEE8261168106AA20EE6DC3272)

JavaSDK.exe (PID: 6104 cmdline: C:\Users\user\Desktop\JavaSDK.exe MD5: 323D61AEE8261168106AA20EE6DC3272)

JavaSDK.exe (PID: 3008 cmdline: C:\Users\user\Desktop\JavaSDK.exe MD5: 323D61AEE8261168106AA20EE6DC3272)

cleanup

Malware Configuration

Threatname: ZTrat

{"Botnet": "|<'ZT_RAT_HF9j2z24DD8P'>|", "C2 url": "7.tcp.eu.ngrok.io", "Port": 14727}

Yara Signatures

Memory Dumps

Source	Rule	Description	Author
00000009.00000002.2169146998.00000000057D1000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_ZTrat	Yara detected ZTrat	Joe Security
00000008.00000002.2075992551.0000000005560000.00000004.08000000.00040000.00000000.sdmp	JoeSecurity_ZTrat	Yara detected ZTrat	Joe Security
00000008.00000002.2064469683.00000000047DD000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_ZTrat	Yara detected ZTrat	Joe Security
00000008.00000002.2064469683.0000000003E05000.00000004.00000800.00020000.00000000.sdmp	JoeSecurity_ZTrat	Yara detected ZTrat	Joe Security

Unpacked PEs

Source	Rule	Description	Author
8.2.JavaSDK.exe.3e05570.0.unpack	JoeSecurity_ZTrat	Yara detected ZTrat	Joe Security
8.2.JavaSDK.exe.5560000.2.raw.unpack	JoeSecurity_ZTrat	Yara detected ZTrat	Joe Security
8.2.JavaSDK.exe.4a9b660.1.raw.unpack	JoeSecurity_ZTrat	Yara detected ZTrat	Joe Security
8.2.JavaSDK.exe.5560000.2.unpack	JoeSecurity_ZTrat	Yara detected ZTrat	Joe Security
8.2.JavaSDK.exe.4a9b660.1.unpack	JoeSecurity_ZTrat	Yara detected ZTrat	Joe Security
8.2.JavaSDK.exe.3e05570.0.raw.unpack	JoeSecurity_ZTrat	Yara detected ZTrat	Joe Security
Click to see the 1 entries

Sigma Signatures

Sigma detected: CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Users\user\Desktop\JavaSDK.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\JavaSDK.exe, ProcessId: 4760, TargetObject: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\JavaSDK

Sigma detected: Startup Folder File Write

Source: File created

Author: Roberto Rodriguez (Cyb3rWard0g), OTR (Open Threat Research): Data: EventID: 11, Image: C:\Users\user\Desktop\JavaSDK.exe, ProcessId: 4760, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JavaSDK.lnk

Sigma detected: Wow6432Node CurrentVersion Autorun Keys Modification

Source: Registry Key set

Author: Victor Sergeev, Daniil Yugoslavskiy, Gleb Sukhodolskiy, Timur Zinniatullin, oscd.community, Tim Shelton, frack113 (split): Data: Details: "C:\Users\user\Desktop\JavaSDK.exe", EventID: 13, EventType: SetValue, Image: C:\Users\user\Desktop\JavaSDK.exe, ProcessId: 4760, TargetObject: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\JavaSDK

Suricata Signatures

⊘No Suricata rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Antivirus / Scanner detection for submitted sample

Source: JavaSDK.exe

Avira: detected

Antivirus detection for dropped file

Source: C:\Users\user\AppData\Roaming\Recovery.exe

Avira: detection malicious, Label: HEUR/AGEN.1326753

Found malware configuration

Source: 8.2.JavaSDK.exe.4a9b660.1.raw.unpack

Malware Configuration Extractor: ZTrat {"Botnet": "|<'ZT_RAT_HF9j2z24DD8P'>|", "C2 url": "7.tcp.eu.ngrok.io", "Port": 14727}

Multi AV Scanner detection for domain / URL

Source: 7.tcp.eu.ngrok.io

Virustotal: Detection: 12%

Perma Link

Multi AV Scanner detection for dropped file

Source: C:\Users\user\AppData\Roaming\Recovery.exe

ReversingLabs: Detection: 70%

Multi AV Scanner detection for submitted file

Source: JavaSDK.exe	ReversingLabs: Detection: 34%
Source: JavaSDK.exe	Virustotal: Detection: 30%			Perma Link

Yara detected ZTrat

Source: Yara match	File source: 8.2.JavaSDK.exe.3e05570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.JavaSDK.exe.5560000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.JavaSDK.exe.4a9b660.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.JavaSDK.exe.5560000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.JavaSDK.exe.4a9b660.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.JavaSDK.exe.3e05570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2169146998.00000000057D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2075992551.0000000005560000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2064469683.00000000047DD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2064469683.0000000003E05000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 99.9% probability

Machine Learning detection for dropped file

Source: C:\Users\user\AppData\Roaming\Recovery.exe

Joe Sandbox ML: detected

Machine Learning detection for sample

Source: JavaSDK.exe

Joe Sandbox ML: detected

Source: JavaSDK.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: JavaSDK.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Chat\Chat\obj\Debug\Chat.pdb source: JavaSDK.exe, 00000000.00000002.4485692871.00000000086D0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Chat\Chat\obj\Debug\Chat.pdb` source: JavaSDK.exe, 00000000.00000002.4485692871.00000000086D0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: PluginLoader.pdb source: JavaSDK.exe, 00000000.00000002.4485692871.00000000086D0000.00000004.08000000.00040000.00000000.sdmp, Recovery.exe.0.dr
Source:	Binary string: C:\StartupManager\StartupManager\obj\Debug\StartupManager.pdbP source: JavaSDK.exe, 00000000.00000002.4485692871.00000000086D0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\AudioCapture\AudioCapture\obj\Debug\AudioCapture.pdb source: JavaSDK.exe, 00000000.00000002.4485692871.00000000086D0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Microphone\Microphone\obj\Debug\Microphone.pdb source: JavaSDK.exe, 00000000.00000002.4485692871.00000000086D0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: c:\RemoteCamera\RemoteCamera\obj\Debug\RemoteCamera.pdb source: JavaSDK.exe, 00000000.00000002.4485692871.00000000086D0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\StartupManager\StartupManager\obj\Debug\StartupManager.pdb source: JavaSDK.exe, 00000000.00000002.4485692871.00000000086D0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\AudioCapture\AudioCapture\obj\Debug\AudioCapture.pdb source: JavaSDK.exe, 00000000.00000002.4485692871.00000000086D0000.00000004.08000000.00040000.00000000.sdmp

Networking

C2 URLs / IPs found in malware configuration

Source: Malware configuration extractor

URLs: 7.tcp.eu.ngrok.io

Source: global traffic	TCP traffic: 192.168.2.5:49704 -> 3.67.15.169:14727
Source: global traffic	TCP traffic: 192.168.2.5:54877 -> 35.157.111.131:14727
Source: global traffic	TCP traffic: 192.168.2.5:54887 -> 3.68.56.232:14727

Source: global traffic	HTTP traffic detected: GET /xml/?fields=countryCode,query HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/?fields=countryCode,query HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/?fields=countryCode,query HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/?fields=countryCode,query HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/?fields=countryCode,query HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/?fields=countryCode,query HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/?fields=countryCode,query HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/?fields=countryCode,query HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/?fields=countryCode,query HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: Joe Sandbox View	IP Address: 208.95.112.1 208.95.112.1
Source: Joe Sandbox View	IP Address: 3.67.15.169 3.67.15.169

Source: Joe Sandbox View

ASN Name: AMAZON-02US AMAZON-02US

Source: unknown	DNS query: name: ip-api.com
Source: unknown	DNS query: name: ip-api.com
Source: unknown	DNS query: name: ip-api.com
Source: unknown	DNS query: name: ip-api.com

Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown	UDP traffic detected without corresponding DNS query: 1.1.1.1

Source: global traffic	HTTP traffic detected: GET /xml/?fields=countryCode,query HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/?fields=countryCode,query HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/?fields=countryCode,query HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/?fields=countryCode,query HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/?fields=countryCode,query HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/?fields=countryCode,query HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/?fields=countryCode,query HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/?fields=countryCode,query HTTP/1.1Host: ip-api.comConnection: Keep-Alive
Source: global traffic	HTTP traffic detected: GET /xml/?fields=countryCode,query HTTP/1.1Host: ip-api.comConnection: Keep-Alive

Source: global traffic	DNS traffic detected: DNS query: 7.tcp.eu.ngrok.io
Source: global traffic	DNS traffic detected: DNS query: ip-api.com

Source: JavaSDK.exe, 00000000.00000002.4476872484.0000000002F47000.00000004.00000800.00020000.00000000.sdmp, JavaSDK.exe, 00000000.00000002.4476872484.0000000002F29000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com
Source: JavaSDK.exe, 00000000.00000002.4476872484.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp, JavaSDK.exe, 00000000.00000002.4476872484.0000000002F29000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://ip-api.com/xml/?fields=countryCode
Source: JavaSDK.exe, 00000000.00000002.4476872484.0000000002EF1000.00000004.00000800.00020000.00000000.sdmp	String found in binary or memory: http://schemas.xmlsoap.org/ws/2005/05/identity/claims/name

E-Banking Fraud

Yara detected ZTrat

Source: Yara match	File source: 8.2.JavaSDK.exe.3e05570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.JavaSDK.exe.5560000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.JavaSDK.exe.4a9b660.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.JavaSDK.exe.5560000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.JavaSDK.exe.4a9b660.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.JavaSDK.exe.3e05570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2169146998.00000000057D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2075992551.0000000005560000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2064469683.00000000047DD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2064469683.0000000003E05000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\JavaSDK.exe

Process Stats: CPU usage > 49%

Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 0_2_02CECB38	0_2_02CECB38
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 0_2_02CE4FF0	0_2_02CE4FF0
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 0_2_02CE9798	0_2_02CE9798
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 0_2_02CEAB37	0_2_02CEAB37
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 0_2_02CE4FE0	0_2_02CE4FE0
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 0_2_02CE5090	0_2_02CE5090
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 0_2_02CE5175	0_2_02CE5175
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 0_2_02CE5117	0_2_02CE5117
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 0_2_02CE564D	0_2_02CE564D
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 0_2_02CE57EE	0_2_02CE57EE
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 0_2_02CE5729	0_2_02CE5729
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 0_2_02CE5987	0_2_02CE5987
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 0_2_02CE3F58	0_2_02CE3F58
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 0_2_02CE3F68	0_2_02CE3F68
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 0_2_02CE9CB0	0_2_02CE9CB0
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 0_2_098E6728	0_2_098E6728
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 0_2_098E0015	0_2_098E0015
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 0_2_098E0040	0_2_098E0040
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 0_2_098F6B38	0_2_098F6B38
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 0_2_098F0040	0_2_098F0040
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 0_2_098F7408	0_2_098F7408
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 0_2_098F0936	0_2_098F0936
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 0_2_098F0861	0_2_098F0861
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 0_2_098F0B85	0_2_098F0B85
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 0_2_098F0A0B	0_2_098F0A0B
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 0_2_098F1A1C	0_2_098F1A1C
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 0_2_098F0D21	0_2_098F0D21
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 0_2_098F7FA8	0_2_098F7FA8
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 0_2_098F7FB8	0_2_098F7FB8
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 0_2_098F1F0D	0_2_098F1F0D
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 0_2_098F0E9B	0_2_098F0E9B
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 0_2_098FE138	0_2_098FE138
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 0_2_098F2169	0_2_098F2169
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 0_2_098F0011	0_2_098F0011
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 0_2_098F1040	0_2_098F1040
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 0_2_098F23CF	0_2_098F23CF
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 0_2_098F03C9	0_2_098F03C9
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 0_2_098F228E	0_2_098F228E
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 0_2_098F129F	0_2_098F129F
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 0_2_098F0543	0_2_098F0543
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 0_2_098F14EE	0_2_098F14EE
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 0_2_098F1419	0_2_098F1419
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 0_2_098F67F0	0_2_098F67F0
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 0_2_098F2751	0_2_098F2751
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 0_2_098F06E7	0_2_098F06E7
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 0_2_098F1668	0_2_098F1668
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 8_2_01243F68	8_2_01243F68
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 8_2_01243F58	8_2_01243F58
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 9_2_00A43F68	9_2_00A43F68
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 9_2_00A43F58	9_2_00A43F58
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 11_2_02843F58	11_2_02843F58
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 11_2_02843F68	11_2_02843F68
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 12_2_03263F68	12_2_03263F68
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 12_2_03263F58	12_2_03263F58
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 13_2_01893F58	13_2_01893F58
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 13_2_01893F68	13_2_01893F68
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 15_2_032A3F68	15_2_032A3F68
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 15_2_032A3F58	15_2_032A3F58
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 16_2_02E43F68	16_2_02E43F68
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 16_2_02E43F58	16_2_02E43F58
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 17_2_00A03F68	17_2_00A03F68
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 17_2_00A03F58	17_2_00A03F58
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 18_2_00C93F58	18_2_00C93F58
Source: C:\Users\user\Desktop\JavaSDK.exe	Code function: 18_2_00C93F68	18_2_00C93F68

Source: Joe Sandbox View

Dropped File: C:\Users\user\AppData\Roaming\Recovery.exe 50BA6F23ECABABDAB3CE09CD1E93EDCE9539EB82E2D51C9A38D84CBD896EEEF2

Source: JavaSDK.exe, 00000000.00000002.4474250934.0000000000F57000.00000004.00000010.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameUNKNOWN_FILET vs JavaSDK.exe
Source: JavaSDK.exe, 0000000B.00000002.2247796327.0000000000AB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dll vs JavaSDK.exe
Source: JavaSDK.exe, 00000012.00000002.4466688086.0000000000907000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: OriginalFilenameclr.dllT vs JavaSDK.exe

Source: JavaSDK.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Recovery.exe.0.dr

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: JavaSDK.exe, Crypter.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: Recovery.exe.0.dr, NHo8Kxf1tmObMSoUDI.cs	Cryptographic APIs: 'CreateDecryptor'
Source: Recovery.exe.0.dr, MP5oX3TsUhmnjXxdWS.cs	Cryptographic APIs: 'CreateDecryptor'
Source: Recovery.exe.0.dr, MP5oX3TsUhmnjXxdWS.cs	Cryptographic APIs: 'CreateDecryptor'
Source: Recovery.exe.0.dr, MP5oX3TsUhmnjXxdWS.cs	Cryptographic APIs: 'CreateDecryptor'
Source: 0.2.JavaSDK.exe.86d03d3.4.raw.unpack, ZT_RAT_Resolver.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.JavaSDK.exe.86d03d3.4.raw.unpack, ZT_RAT_Resolver.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.JavaSDK.exe.87543dd.2.raw.unpack, ZT_RAT_Resolver.cs	Cryptographic APIs: 'TransformFinalBlock'
Source: 0.2.JavaSDK.exe.87543dd.2.raw.unpack, ZT_RAT_Resolver.cs	Cryptographic APIs: 'TransformFinalBlock'

Source: classification engine

Classification label: mal100.troj.evad.winEXE@19/5@7/4

Source: C:\Users\user\Desktop\JavaSDK.exe

File created: C:\Users\user\AppData\Roaming\Recovery.exe

Jump to behavior

Source: C:\Users\user\Desktop\JavaSDK.exe	Mutant created: NULL
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2164:120:WilError_03
Source: C:\Users\user\Desktop\JavaSDK.exe	Mutant created: \Sessions\1\BaseNamedObjects\ZT_RAT_5Ot8VKR147SnDh32JcxC68822i2qY74E25
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7140:120:WilError_03
Source: C:\Windows\System32\conhost.exe	Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6572:120:WilError_03

Source: JavaSDK.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: JavaSDK.exe

Static file information: TRID: Win32 Executable (generic) Net Framework (10011505/4) 49.80%

Source: C:\Users\user\Desktop\JavaSDK.exe

File read: C:\Users\user\Desktop\desktop.ini

Jump to behavior

Source: C:\Users\user\Desktop\JavaSDK.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: JavaSDK.exe	ReversingLabs: Detection: 34%
Source: JavaSDK.exe	Virustotal: Detection: 30%

Source: unknown	Process created: C:\Users\user\Desktop\JavaSDK.exe "C:\Users\user\Desktop\JavaSDK.exe"
Source: C:\Users\user\Desktop\JavaSDK.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram"C:\Users\user\Desktop\JavaSDK.exe" "JavaSDK" ENABLE
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\JavaSDK.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram"C:\Users\user\Desktop\JavaSDK.exe" "JavaSDK" ENABLE
Source: C:\Windows\SysWOW64\netsh.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Users\user\Desktop\JavaSDK.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "JavaSDK" /tr "C:\Users\user\Desktop\JavaSDK.exe"
Source: C:\Windows\SysWOW64\schtasks.exe	Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: unknown	Process created: C:\Users\user\Desktop\JavaSDK.exe C:\Users\user\Desktop\JavaSDK.exe
Source: unknown	Process created: C:\Users\user\Desktop\JavaSDK.exe "C:\Users\user\Desktop\JavaSDK.exe"
Source: unknown	Process created: C:\Users\user\Desktop\JavaSDK.exe "C:\Users\user\Desktop\JavaSDK.exe"
Source: unknown	Process created: C:\Users\user\Desktop\JavaSDK.exe "C:\Users\user\Desktop\JavaSDK.exe"
Source: unknown	Process created: C:\Users\user\Desktop\JavaSDK.exe "C:\Users\user\Desktop\JavaSDK.exe"
Source: unknown	Process created: C:\Users\user\Desktop\JavaSDK.exe C:\Users\user\Desktop\JavaSDK.exe
Source: unknown	Process created: C:\Users\user\Desktop\JavaSDK.exe C:\Users\user\Desktop\JavaSDK.exe
Source: unknown	Process created: C:\Users\user\Desktop\JavaSDK.exe C:\Users\user\Desktop\JavaSDK.exe
Source: unknown	Process created: C:\Users\user\Desktop\JavaSDK.exe C:\Users\user\Desktop\JavaSDK.exe
Source: C:\Users\user\Desktop\JavaSDK.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram"C:\Users\user\Desktop\JavaSDK.exe" "JavaSDK" ENABLE	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram"C:\Users\user\Desktop\JavaSDK.exe" "JavaSDK" ENABLE	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "JavaSDK" /tr "C:\Users\user\Desktop\JavaSDK.exe"	Jump to behavior

Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: propsys.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: edputil.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: windows.staterepositoryps.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: wintypes.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: appresolver.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: bcp47langs.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: onecorecommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: onecoreuapcommonproxystub.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: sxs.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: scrrun.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: linkinfo.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: ntshrui.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: cscapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: rasadhlp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: rtutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: ondemandconnroutehelper.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: dhcpcsvc6.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: wbemcomn.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ifmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasmontr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasapi32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpuclnt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rasman.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mfc42u.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: authfwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwpolicyiomgr.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: firewallapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcmonitor.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3cfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dot3api.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: onex.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ncrypt.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: eappprxy.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ntasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: fwcfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: hnetmon.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netshell.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netsetupapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: netiohlp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: dhcpcsvc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winnsi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: httpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: activeds.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: polstore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winipsec.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: adsldpc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: nshwfp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cabinet.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2pnetsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: p2p.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rpcnsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: whhelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: winhttp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlancfg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wlanapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wshelper.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wevtapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: peerdistsh.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wcmapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: rmclient.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mobilenetworking.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: slc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: sppc.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: ktmw32.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: mprmsg.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: windows.storage.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: taskschd.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Windows\SysWOW64\schtasks.exe	Section loaded: xmllite.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: mscoree.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: vcruntime140_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: ucrtbase_clr0400.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: cryptsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: rsaenh.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: cryptbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: wldp.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: amsi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: profapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: msasn1.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: gpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: amsi.dll
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: uxtheme.dll
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: mscoree.dll
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: kernel.appcore.dll
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: version.dll
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: vcruntime140_clr0400.dll
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: ucrtbase_clr0400.dll
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: cryptsp.dll
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: rsaenh.dll
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: cryptbase.dll
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: wldp.dll
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: amsi.dll
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: userenv.dll
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: profapi.dll
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: msasn1.dll
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: gpapi.dll
Source: C:\Users\user\Desktop\JavaSDK.exe	Section loaded: uxtheme.dll

Source: C:\Users\user\Desktop\JavaSDK.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0EE7644B-1BAD-48B1-9889-0281C206EB85}\InprocServer32

Jump to behavior

Source: JavaSDK.lnk.0.dr

LNK file: ..\..\..\..\..\..\..\Desktop\JavaSDK.exe

Source: C:\Users\user\Desktop\JavaSDK.exe

File opened: C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorrc.dll

Jump to behavior

Source: JavaSDK.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR

Source: JavaSDK.exe

Static PE information: Virtual size of .text is bigger than: 0x100000

Source: JavaSDK.exe

Static file information: File size 2882560 > 1048576

Source: JavaSDK.exe

Static PE information: Raw size of .text is bigger than: 0x100000 < 0x2bf400

Source: JavaSDK.exe

Static PE information: HIGH_ENTROPY_VA, DYNAMIC_BASE, NX_COMPAT, NO_SEH, TERMINAL_SERVER_AWARE

Source:	Binary string: C:\Chat\Chat\obj\Debug\Chat.pdb source: JavaSDK.exe, 00000000.00000002.4485692871.00000000086D0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Chat\Chat\obj\Debug\Chat.pdb` source: JavaSDK.exe, 00000000.00000002.4485692871.00000000086D0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: PluginLoader.pdb source: JavaSDK.exe, 00000000.00000002.4485692871.00000000086D0000.00000004.08000000.00040000.00000000.sdmp, Recovery.exe.0.dr
Source:	Binary string: C:\StartupManager\StartupManager\obj\Debug\StartupManager.pdbP source: JavaSDK.exe, 00000000.00000002.4485692871.00000000086D0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\AudioCapture\AudioCapture\obj\Debug\AudioCapture.pdb source: JavaSDK.exe, 00000000.00000002.4485692871.00000000086D0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\Microphone\Microphone\obj\Debug\Microphone.pdb source: JavaSDK.exe, 00000000.00000002.4485692871.00000000086D0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: c:\RemoteCamera\RemoteCamera\obj\Debug\RemoteCamera.pdb source: JavaSDK.exe, 00000000.00000002.4485692871.00000000086D0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\StartupManager\StartupManager\obj\Debug\StartupManager.pdb source: JavaSDK.exe, 00000000.00000002.4485692871.00000000086D0000.00000004.08000000.00040000.00000000.sdmp
Source:	Binary string: C:\AudioCapture\AudioCapture\obj\Debug\AudioCapture.pdb source: JavaSDK.exe, 00000000.00000002.4485692871.00000000086D0000.00000004.08000000.00040000.00000000.sdmp

Data Obfuscation

.NET source code contains potential unpacker

Source: JavaSDK.exe, Program.cs	.Net Code: Main
Source: Recovery.exe.0.dr, NHo8Kxf1tmObMSoUDI.cs	.Net Code: NWcBDLfA2xZ1tRDixM System.Reflection.Assembly.Load(byte[])

Source: C:\Users\user\Desktop\JavaSDK.exe

Code function: 0_2_098E0E80 pushfd ; retf

0_2_098E0ED1

Source: Recovery.exe.0.dr

Static PE information: section name: .text entropy: 7.971057347412118

Source: Recovery.exe.0.dr, NHo8Kxf1tmObMSoUDI.cs	High entropy of concatenated method names: 'Y7u4B2dCuk', 'Da54reTuLO', 'uYj4gKIhw5', 'njP4PBod3Y', 'HdT4QBGQ0b', 'Qyq4AxML9R', 'fhc49cm4i2', 'aOx4MWC618', 'U554ObJImv', 'HPJ40rcGf5'
Source: Recovery.exe.0.dr, MP5oX3TsUhmnjXxdWS.cs	High entropy of concatenated method names: 'ce4DmfsmSrOT856tDgfrkMb', 'kYd4vQX9Yy', 'tLYhl8JOA1PxR', 'AHW2wpGmj', 'mIwlVflxN', 'O8KfDo4M0', 'XIXqirSmE', 'mmVBvHpT6', 'K39rOyNI0', 'MLogIiUCe'

Source: C:\Users\user\Desktop\JavaSDK.exe

File created: C:\Users\user\AppData\Roaming\Recovery.exe

Jump to dropped file

Boot Survival

Uses schtasks.exe or at.exe to add and modify task schedules

Source: C:\Users\user\Desktop\JavaSDK.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "JavaSDK" /tr "C:\Users\user\Desktop\JavaSDK.exe"

Source: C:\Users\user\Desktop\JavaSDK.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JavaSDK.lnk

Jump to behavior

Source: C:\Users\user\Desktop\JavaSDK.exe

File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JavaSDK.lnk

Jump to behavior

Source: C:\Users\user\Desktop\JavaSDK.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run JavaSDK	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run JavaSDK	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run JavaSDK	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run JavaSDK	Jump to behavior

Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX
Source: C:\Users\user\Desktop\JavaSDK.exe	Process information set: NOOPENFILEERRORBOX

Source: C:\Users\user\Desktop\JavaSDK.exe	Memory allocated: 2CE0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Memory allocated: 2EF0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Memory allocated: 2E10000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Memory allocated: 6010000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Memory allocated: 55F0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Memory allocated: 7480000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Memory allocated: 8480000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Memory allocated: 1240000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Memory allocated: 2E00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Memory allocated: 2B30000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Memory allocated: A40000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Memory allocated: 2890000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Memory allocated: C50000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Memory allocated: 57D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Memory allocated: 4D70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Memory allocated: 2760000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Memory allocated: 29B0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Memory allocated: 2760000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Memory allocated: 5A90000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Memory allocated: 5070000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Memory allocated: 3260000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Memory allocated: 3420000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Memory allocated: 5420000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Memory allocated: 1850000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Memory allocated: 32C0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Memory allocated: 31D0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Memory allocated: 63A0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Memory allocated: 5940000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Memory allocated: 1910000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Memory allocated: 3500000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Memory allocated: 3200000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Memory allocated: 6440000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Memory allocated: 59E0000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Memory allocated: 2E00000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Memory allocated: 2E70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Memory allocated: 4E70000 memory reserve \| memory write watch	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Memory allocated: A00000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\JavaSDK.exe	Memory allocated: 2690000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\JavaSDK.exe	Memory allocated: 24C0000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\JavaSDK.exe	Memory allocated: C90000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\JavaSDK.exe	Memory allocated: 2620000 memory reserve \| memory write watch
Source: C:\Users\user\Desktop\JavaSDK.exe	Memory allocated: 4620000 memory reserve \| memory write watch

Source: C:\Users\user\Desktop\JavaSDK.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\JavaSDK.exe	Thread delayed: delay time: 922337203685477

Source: C:\Users\user\Desktop\JavaSDK.exe	Window / User API: threadDelayed 2253	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Window / User API: threadDelayed 3778	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Window / User API: threadDelayed 3608	Jump to behavior

Source: C:\Users\user\Desktop\JavaSDK.exe

Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Recovery.exe

Jump to dropped file

Source: C:\Users\user\Desktop\JavaSDK.exe TID: 3060	Thread sleep count: 194 > 30	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe TID: 7088	Thread sleep count: 2253 > 30	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe TID: 7088	Thread sleep time: -9012000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe TID: 6392	Thread sleep count: 3778 > 30	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe TID: 6392	Thread sleep time: -37780s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe TID: 7088	Thread sleep count: 3608 > 30	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe TID: 7088	Thread sleep time: -14432000s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe TID: 4288	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe TID: 7064	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe TID: 4708	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe TID: 3116	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe TID: 7064	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe TID: 5836	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe TID: 7080	Thread sleep time: -922337203685477s >= -30000s	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe TID: 5016	Thread sleep time: -922337203685477s >= -30000s
Source: C:\Users\user\Desktop\JavaSDK.exe TID: 5752	Thread sleep time: -922337203685477s >= -30000s

Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed
Source: C:\Windows\System32\conhost.exe	Last function: Thread delayed

Source: C:\Users\user\Desktop\JavaSDK.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Thread delayed: delay time: 922337203685477	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Thread delayed: delay time: 922337203685477
Source: C:\Users\user\Desktop\JavaSDK.exe	Thread delayed: delay time: 922337203685477

Source: JavaSDK.exe, 0000000B.00000002.2247796327.0000000000AB8000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: vMCi(
Source: JavaSDK.exe, 00000000.00000002.4489049571.0000000008DC0000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000002.00000003.2033387188.00000000034E1000.00000004.00000020.00020000.00000000.sdmp, netsh.exe, 00000004.00000003.2035530004.0000000000981000.00000004.00000020.00020000.00000000.sdmp	Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll

Source: C:\Users\user\Desktop\JavaSDK.exe

Process token adjusted: Debug

Jump to behavior

Source: C:\Users\user\Desktop\JavaSDK.exe

Memory allocated: page read and write | page guard

Jump to behavior

Source: C:\Users\user\Desktop\JavaSDK.exe

Process created: C:\Windows\SysWOW64\schtasks.exe "C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "JavaSDK" /tr "C:\Users\user\Desktop\JavaSDK.exe"

Jump to behavior

Source: C:\Users\user\Desktop\JavaSDK.exe	Queries volume information: C:\Users\user\Desktop\JavaSDK.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Drawing\v4.0_4.0.0.0__b03f5f7f11d50a3a\System.Drawing.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Accessibility\v4.0_4.0.0.0__b03f5f7f11d50a3a\Accessibility.dll VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Windows\SysWOW64\netsh.exe	Queries volume information: C:\ VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Queries volume information: C:\Users\user\Desktop\JavaSDK.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Queries volume information: C:\Users\user\Desktop\JavaSDK.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Queries volume information: C:\Users\user\Desktop\JavaSDK.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Queries volume information: C:\Users\user\Desktop\JavaSDK.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Queries volume information: C:\Users\user\Desktop\JavaSDK.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Queries volume information: C:\Users\user\Desktop\JavaSDK.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Queries volume information: C:\Users\user\Desktop\JavaSDK.exe VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation	Jump to behavior
Source: C:\Users\user\Desktop\JavaSDK.exe	Queries volume information: C:\Users\user\Desktop\JavaSDK.exe VolumeInformation
Source: C:\Users\user\Desktop\JavaSDK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\JavaSDK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation
Source: C:\Users\user\Desktop\JavaSDK.exe	Queries volume information: C:\Users\user\Desktop\JavaSDK.exe VolumeInformation
Source: C:\Users\user\Desktop\JavaSDK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\Microsoft.VisualBasic\v4.0_10.0.0.0__b03f5f7f11d50a3a\Microsoft.VisualBasic.dll VolumeInformation
Source: C:\Users\user\Desktop\JavaSDK.exe	Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Windows.Forms\v4.0_4.0.0.0__b77a5c561934e089\System.Windows.Forms.dll VolumeInformation

Source: C:\Users\user\Desktop\JavaSDK.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings

Modifies the windows firewall

Source: C:\Users\user\Desktop\JavaSDK.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram"C:\Users\user\Desktop\JavaSDK.exe" "JavaSDK" ENABLE

Uses netsh to modify the Windows network and firewall settings

Source: C:\Users\user\Desktop\JavaSDK.exe

Process created: C:\Windows\SysWOW64\netsh.exe netsh firewall add allowedprogram"C:\Users\user\Desktop\JavaSDK.exe" "JavaSDK" ENABLE

Source: JavaSDK.exe, 00000000.00000002.4489049571.0000000008DC0000.00000004.00000020.00020000.00000000.sdmp, JavaSDK.exe, 00000000.00000002.4489662548.0000000008E93000.00000004.00000020.00020000.00000000.sdmp, JavaSDK.exe, 00000000.00000002.4474494860.0000000001142000.00000004.00000020.00020000.00000000.sdmp, JavaSDK.exe, 00000000.00000002.4474494860.0000000001174000.00000004.00000020.00020000.00000000.sdmp, JavaSDK.exe, 00000000.00000002.4489662548.0000000008E65000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

Source: C:\Users\user\Desktop\JavaSDK.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\JavaSDK.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\JavaSDK.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\JavaSDK.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\JavaSDK.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\JavaSDK.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\JavaSDK.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\JavaSDK.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct
Source: C:\Users\user\Desktop\JavaSDK.exe	WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntivirusProduct

Stealing of Sensitive Information

Yara detected ZTrat

Source: Yara match	File source: 8.2.JavaSDK.exe.3e05570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.JavaSDK.exe.5560000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.JavaSDK.exe.4a9b660.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.JavaSDK.exe.5560000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.JavaSDK.exe.4a9b660.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.JavaSDK.exe.3e05570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2169146998.00000000057D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2075992551.0000000005560000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2064469683.00000000047DD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2064469683.0000000003E05000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Remote Access Functionality

Yara detected ZTrat

Source: Yara match	File source: 8.2.JavaSDK.exe.3e05570.0.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.JavaSDK.exe.5560000.2.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.JavaSDK.exe.4a9b660.1.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.JavaSDK.exe.5560000.2.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.JavaSDK.exe.4a9b660.1.unpack, type: UNPACKEDPE
Source: Yara match	File source: 8.2.JavaSDK.exe.3e05570.0.raw.unpack, type: UNPACKEDPE
Source: Yara match	File source: 00000009.00000002.2169146998.00000000057D1000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2075992551.0000000005560000.00000004.08000000.00040000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2064469683.00000000047DD000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match	File source: 00000008.00000002.2064469683.0000000003E05000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	1 Windows Management Instrumentation	1 Scheduled Task/Job	11 Process Injection	1 Masquerading	OS Credential Dumping	121 Security Software Discovery	Remote Services	11 Archive Collected Data	1 Encrypted Channel	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	1 Scheduled Task/Job	21 Registry Run Keys / Startup Folder	1 Scheduled Task/Job	21 Disable or Modify Tools	LSASS Memory	31 Virtualization/Sandbox Evasion	Remote Desktop Protocol	Data from Removable Media	1 Non-Standard Port	Exfiltration Over Bluetooth	Network Denial of Service
Email Addresses	DNS Server	Domain Accounts	At	1 DLL Side-Loading	21 Registry Run Keys / Startup Folder	31 Virtualization/Sandbox Evasion	Security Account Manager	1 Application Window Discovery	SMB/Windows Admin Shares	Data from Network Shared Drive	1 Ingress Tool Transfer	Automated Exfiltration	Data Encrypted for Impact
Employee Names	Virtual Private Server	Local Accounts	Cron	Login Hook	1 DLL Side-Loading	11 Process Injection	NTDS	1 System Network Configuration Discovery	Distributed Component Object Model	Input Capture	2 Non-Application Layer Protocol	Traffic Duplication	Data Destruction
Gather Victim Network Information	Server	Cloud Accounts	Launchd	Network Logon Script	Network Logon Script	1 Deobfuscate/Decode Files or Information	LSA Secrets	1 File and Directory Discovery	SSH	Keylogging	12 Application Layer Protocol	Scheduled Transfer	Data Encrypted for Impact
Domain Properties	Botnet	Replication Through Removable Media	Scheduled Task	RC Scripts	RC Scripts	2 Obfuscated Files or Information	Cached Domain Credentials	12 System Information Discovery	VNC	GUI Input Capture	Multiband Communication	Data Transfer Size Limits	Service Stop
DNS	Web Services	External Remote Services	Systemd Timers	Startup Items	Startup Items	12 Software Packing	DCSync	Remote System Discovery	Windows Remote Management	Web Portal Capture	Commonly Used Port	Exfiltration Over C2 Channel	Inhibit System Recovery
Network Trust Dependencies	Serverless	Drive-by Compromise	Container Orchestration Job	Scheduled Task/Job	Scheduled Task/Job	1 DLL Side-Loading	Proc Filesystem	System Owner/User Discovery	Cloud Services	Credential API Hooking	Application Layer Protocol	Exfiltration Over Alternative Protocol	Defacement

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Screenshots

Thumbnails

This section contains all screenshots as thumbnails, including those not shown in the slideshow.

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report JavaSDK.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Threatname: ZTrat

Yara Signatures

Memory Dumps

Unpacked PEs

Sigma Signatures

System Summary

Suricata Signatures

Joe Sandbox Signatures

AV Detection

Compliance

Networking

E-Banking Fraud

System Summary

Data Obfuscation

Persistence and Installation Behavior

Boot Survival

Hooking and other Techniques for Hiding and Protection

Malware Analysis System Evasion

Anti Debugging

HIPS / PFW / Operating System Protection Evasion

Language, Device and Operating System Detection

Lowering of HIPS / PFW / Operating System Security Settings

Stealing of Sensitive Information

Remote Access Functionality

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Windows Analysis Report
JavaSDK.exe