Windows Analysis Report
Tax_Documents_PDF.jar

Overview

General Information

Sample name: Tax_Documents_PDF.jar
Analysis ID: 1606866
MD5: 2f49427faa6c14c15ed0c6f81827acd8
SHA1: c38853655041183c2e9ef3cdb3aa47a5436cc110
SHA256: e042bfca3591d883de83fa82533a7be0995c877c276e0a3e48d43637f874bb96
Tags: jar user-malrpt

Detection

Dynamic Stealer
Score: 96
Range: 0 - 100
Confidence: 100%

Signatures

Malicious sample detected (through community Yara rule)
Sigma detected: Register Jar In Run Key
Suricata IDS alerts for network traffic
Yara detected Dynamic Stealer
Creates autostart registry keys to launch java
Exploit detected, runtime environment starts unknown processes
Java Jar creates autostart registry key (Windows persistence behavior)
Uses cmd line tools excessively to alter registry or file data
Yara detected AllatoriJARObfuscator
Yara detected Skidfuscator
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to detect virtual machines (SLDT)
Contains functionality to query CPU information (cpuid)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Found inlined nop instructions (likely shell or obfuscated code)
Internet Provider seen in connection with other malware
Java Jar is obfuscated using Allatori
Launches a Java Jar file from a suspicious file location
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion Autorun Keys Modification
Sigma detected: Direct Autorun Keys Modification
Sigma detected: Potential Persistence Attempt Via Run Keys Using Reg.EXE
Sigma detected: Shell Process Spawned by Java.EXE
Sigma detected: Use Short Name Path in Command Line
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Uses reg.exe to modify the Windows registry
Yara signature match

Classification

Software Vulnerabilities

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\cmd.exe
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 4x nop then cmp eax, dword ptr [ecx+04h] 2_2_02F82DFE

Networking

Source: Network traffic Suricata IDS: 2853044 - Severity 1 - ETPRO MALWARE Java/Adwind Variant CnC Activity : 192.168.2.7:49703 -> 45.134.225.90:8899
Source: global traffic TCP traffic: 192.168.2.7:49703 -> 45.134.225.90:8899
Source: Joe Sandbox View ASN Name: DAINTERNATIONALGROUPGB
Source: unknown TCP traffic detected without corresponding DNS query: 45.134.225.90
Source: java.exe, 00000002.00000002.2495777355.000000000A5F8000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2489064752.000000000A3ED000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000013.00000002.2488907139.000000000A1ED000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://bugreport.sun.com/bugreport/
Source: java.exe, 00000002.00000002.2495777355.000000000A650000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2489064752.000000000A509000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2489064752.000000000A4F6000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000013.00000002.2488907139.000000000A265000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
Source: java.exe, 00000002.00000002.2495777355.000000000A650000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2495777355.000000000A6CF000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2497675280.00000000159E7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2491806546.0000000015A2E000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2487573447.000000000523B000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000E.00000003.1458780566.0000000015A2E000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000E.00000003.1457672595.0000000015A2E000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2489064752.000000000A54A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2489064752.000000000A465000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2489064752.000000000A39A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000013.00000002.2488907139.000000000A265000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000013.00000002.2488907139.000000000A19A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000013.00000002.2488907139.000000000A349000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000013.00000002.2487552682.000000000504C000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000013.00000003.1541737613.00000000158D4000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000013.00000003.1541083741.00000000158D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: java.exe, 00000002.00000002.2495777355.000000000A650000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2489064752.000000000A509000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2489064752.000000000A4F6000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2489064752.000000000A54A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000013.00000002.2488907139.000000000A265000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000013.00000002.2488907139.000000000A349000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000013.00000002.2487552682.000000000504C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt
Source: java.exe, 00000002.00000002.2495777355.000000000A650000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2487573447.000000000523B000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2489064752.000000000A54A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2489064752.000000000A465000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2489064752.000000000A39A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000013.00000002.2488907139.000000000A265000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000013.00000002.2488907139.000000000A19A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000013.00000002.2488907139.000000000A349000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000013.00000002.2487552682.000000000504C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: javaw.exe, 0000000E.00000002.2487573447.000000000523B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crtS
Source: java.exe, 00000002.00000002.2495777355.000000000A650000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2489064752.000000000A509000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2489064752.000000000A4F6000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000013.00000002.2488907139.000000000A265000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
Source: java.exe, 00000002.00000002.2495777355.000000000A650000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2487573447.000000000523B000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2489064752.000000000A54A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2489064752.000000000A465000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2489064752.000000000A39A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000013.00000002.2488907139.000000000A265000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000013.00000002.2488907139.000000000A19A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000013.00000002.2488907139.000000000A349000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000013.00000002.2487552682.000000000504C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: java.exe, 00000002.00000002.2495777355.000000000A650000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2489064752.000000000A513000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2489064752.000000000A4F6000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000013.00000002.2488907139.000000000A265000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000013.00000002.2488907139.000000000A30F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
Source: java.exe, 00000002.00000002.2495777355.000000000A650000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2495777355.000000000A6CF000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2497675280.00000000159E7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2491806546.0000000015A2E000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2487573447.000000000523B000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000E.00000003.1458780566.0000000015A2E000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000E.00000003.1457672595.0000000015A2E000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2489064752.000000000A54A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2489064752.000000000A465000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2489064752.000000000A39A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000013.00000002.2488907139.000000000A265000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000013.00000002.2488907139.000000000A19A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000013.00000002.2488907139.000000000A349000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000013.00000002.2487552682.000000000504C000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000013.00000003.1541737613.00000000158D4000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000013.00000003.1541083741.00000000158D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: java.exe, 00000002.00000002.2495777355.000000000A650000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2489064752.000000000A513000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2489064752.000000000A4F6000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000013.00000002.2488907139.000000000A265000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000013.00000002.2488907139.000000000A30F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl
Source: java.exe, 00000002.00000002.2495777355.000000000A650000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2487573447.000000000523B000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2489064752.000000000A54A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2489064752.000000000A465000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2489064752.000000000A39A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000013.00000002.2488907139.000000000A265000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000013.00000002.2488907139.000000000A19A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000013.00000002.2488907139.000000000A349000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000013.00000002.2487552682.000000000504C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: java.exe, 00000002.00000002.2495777355.000000000A650000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2489064752.000000000A513000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2489064752.000000000A4F6000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000013.00000002.2488907139.000000000A265000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000013.00000002.2488907139.000000000A30F000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl
Source: java.exe, 00000002.00000002.2495777355.000000000A650000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2497675280.00000000159E7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2491806546.0000000015A2E000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2487573447.000000000523B000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000E.00000003.1458780566.0000000015A2E000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000E.00000003.1457672595.0000000015A2E000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2489064752.000000000A54A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2489064752.000000000A465000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2489064752.000000000A39A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000013.00000002.2488907139.000000000A265000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000013.00000002.2488907139.000000000A19A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000013.00000002.2488907139.000000000A349000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000013.00000002.2487552682.000000000504C000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000013.00000003.1541737613.00000000158D4000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000013.00000003.1541083741.00000000158D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: java.exe, 00000002.00000002.2495777355.000000000A610000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2489064752.000000000A3F3000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000013.00000002.2488907139.000000000A1F3000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://java.oracle.com/
Source: java.exe, 00000002.00000002.2498081738.0000000015E4D000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2497675280.00000000159E7000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000002.00000002.2495777355.000000000A7D9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2491806546.0000000015A2E000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2487573447.000000000523B000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000E.00000003.1458780566.0000000015A2E000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000E.00000003.1457672595.0000000015A2E000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2489064752.000000000A54A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000013.00000002.2488907139.000000000A349000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000013.00000002.2487552682.000000000504C000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000013.00000003.1541012322.00000000158F1000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000013.00000002.2491886047.0000000015900000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://null.oracle.com/
Source: java.exe, 00000002.00000002.2495777355.000000000A650000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2489064752.000000000A509000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com
Source: java.exe, 00000002.00000002.2495777355.000000000A650000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2487573447.000000000523B000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2489064752.000000000A4F6000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2489064752.000000000A54A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2489064752.000000000A465000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2489064752.000000000A39A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000013.00000002.2488907139.000000000A265000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000013.00000002.2488907139.000000000A19A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000013.00000002.2488907139.000000000A349000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000013.00000002.2487552682.000000000504C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: java.exe, 00000002.00000002.2495777355.000000000A650000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2495777355.000000000A6CF000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2497675280.00000000159E7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2491806546.0000000015A2E000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2487573447.000000000523B000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000E.00000003.1458780566.0000000015A2E000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000E.00000003.1457672595.0000000015A2E000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2489064752.000000000A4F6000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2489064752.000000000A54A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2489064752.000000000A465000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2489064752.000000000A39A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000013.00000002.2488907139.000000000A265000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000013.00000002.2488907139.000000000A19A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000013.00000002.2488907139.000000000A349000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000013.00000002.2487552682.000000000504C000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000013.00000003.1541737613.00000000158D4000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000013.00000003.1541083741.00000000158D3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: java.exe, 00000002.00000002.2495777355.000000000A650000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2487573447.000000000523B000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2489064752.000000000A4F6000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2489064752.000000000A54A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2489064752.000000000A465000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2489064752.000000000A39A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000013.00000002.2488907139.000000000A265000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000013.00000002.2488907139.000000000A19A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000013.00000002.2488907139.000000000A349000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000013.00000002.2487552682.000000000504C000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: java.exe, 00000002.00000002.2495777355.000000000A5F8000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000002.00000002.2495777355.000000000A5E4000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.allatori.com
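The Suricata hit above (ETPRO MALWARE Java/Adwind Variant CnC Activity) and the "TCP traffic detected without corresponding DNS query" entries describe one behaviour: the implant dials a hard-coded address, 45.134.225.90, on a non-standard port, 8899, so no DNS lookup precedes the connection. The Python below is an added example, not part of the Joe Sandbox report, showing how to reproduce that correlation from DNS and flow telemetry. Only the 45.134.225.90:8899 flows mirror what the sandbox saw; the DNS answer, the other flows, the set of "common" ports and the collapse-by-destination logic are constructed assumptions of this example.

```python
"""Correlate TCP flows with DNS answers to surface direct-to-IP C2 traffic."""
from collections import Counter
from dataclasses import dataclass
from ipaddress import ip_address

# Constructed sample telemetry (not the report's pcap). Only the
# 45.134.225.90:8899 flows mirror what the sandbox observed.
DNS_ANSWERS = [
    # (timestamp, queried name, resolved address)   -- constructed
    (10.0, "ocsp.digicert.com", "93.184.220.29"),
]
TCP_FLOWS = [
    # (timestamp, src, dst_ip, dst_port)
    (11.0, "192.168.2.7", "192.168.2.1", 445),        # constructed, local
    (12.0, "192.168.2.7", "93.184.220.29", 80),       # constructed, resolved
    (15.0, "192.168.2.7", "45.134.225.90", 8899),     # as in the report
    (16.5, "192.168.2.7", "45.134.225.90", 8899),
    (18.0, "192.168.2.7", "45.134.225.90", 8899),
]
# Assumed "ordinary" destination ports; tune to the environment.
COMMON_PORTS = {25, 53, 80, 443, 587, 993, 995, 8080}


@dataclass(frozen=True)
class Finding:
    dst_ip: str
    dst_port: int
    count: int          # how many flows collapsed into this finding
    no_dns: bool        # no DNS answer for dst_ip before the first flow
    nonstandard_port: bool


def resolved_before(dns_answers, ip, ts):
    """True if some DNS answer returned `ip` at or before time `ts`."""
    return any(a_ip == ip and a_ts <= ts for a_ts, _qname, a_ip in dns_answers)


def correlate(dns_answers, flows):
    """Return one Finding per (dst_ip, dst_port) that either had no prior DNS
    resolution or uses a non-standard port. Private destinations are skipped
    and repeated flows to the same destination are counted, not re-reported."""
    counts = Counter()
    first_seen = {}
    for ts, _src, dst_ip, dst_port in flows:
        if ip_address(dst_ip).is_private:
            continue
        key = (dst_ip, dst_port)
        counts[key] += 1
        first_seen.setdefault(key, ts)

    findings = []
    for (dst_ip, dst_port), n in counts.items():
        no_dns = not resolved_before(dns_answers, dst_ip, first_seen[(dst_ip, dst_port)])
        odd_port = dst_port not in COMMON_PORTS
        if no_dns or odd_port:
            findings.append(Finding(dst_ip, dst_port, n, no_dns, odd_port))
    return findings


if __name__ == "__main__":
    for finding in correlate(DNS_ANSWERS, TCP_FLOWS):
        print(finding)
```

Collapsing repeats by destination turns the report's long run of identical lines into a single finding with a count. In production the same tuples come from Zeek conn and dns logs or a firewall export, and the DNS side should also honour TTLs rather than treating any earlier answer as valid.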

System Summary

Source: 00000002.00000002.2495777355.000000000A5F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: 00000002.00000002.2495777355.000000000A5E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: Process Memory Space: java.exe PID: 5780, type: MEMORYSTR Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: C:\cmdlinestart.log, type: DROPPED Matched rule: Detects files packed with Allatori Java Obfuscator Author: ditekSHen
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1738705111069.tmp" /f
Source: 00000002.00000002.2495777355.000000000A5F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
Source: 00000002.00000002.2495777355.000000000A5E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
Source: Process Memory Space: java.exe PID: 5780, type: MEMORYSTR Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
Source: C:\cmdlinestart.log, type: DROPPED Matched rule: INDICATOR_JAVA_Packed_Allatori author = ditekSHen, description = Detects files packed with Allatori Java Obfuscator
Source: classification engine Classification label: mal96.troj.expl.evad.winJAR@24/8@0/1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2246122658-3693405117-2476756634-1003\83aa4cc77f591dfc2374580bbd95f6ba_9e146be9-c76a-4720-bcdb-53011b87bd06
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6672:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7972:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7672:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7204:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7372:120:WilError_03
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe File created: C:\Users\user~1\AppData\Local\Temp\hsperfdata_user
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user~1\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\Tax_Documents_PDF.jar"" >> C:\cmdlinestart.log 2>&1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user~1\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\Tax_Documents_PDF.jar"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Windows\SysWOW64\icacls.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1738705111069.tmp" /f"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1738705111069.tmp" /f
Source: unknown Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1738705111069.tmp
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1738705111069.tmp" /f"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1738705111069.tmp" /f
Source: unknown Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1738705111069.tmp
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1738705111069.tmp" /f"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1738705111069.tmp" /f
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user~1\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\Tax_Documents_PDF.jar"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1738705111069.tmp" /f"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1738705111069.tmp" /f
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1738705111069.tmp" /f"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1738705111069.tmp" /f
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1738705111069.tmp" /f"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1738705111069.tmp" /f
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: wsock32.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: winmm.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: opengl32.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: glu32.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: windowscodecs.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: dataexchange.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: d3d11.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: dcomp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: dxgi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: twinapi.appcore.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: dpapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\icacls.exe Section loaded: ntmarta.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: wsock32.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: winmm.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: wsock32.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: winmm.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4657278A-411B-11d2-839A-00C04FD918D0}\InProcServer32

Data Obfuscation

Source: Yara match File source: 00000002.00000002.2495777355.000000000A5F8000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2495777355.000000000A5E4000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: java.exe PID: 5780, type: MEMORYSTR
Source: Yara match File source: C:\cmdlinestart.log, type: DROPPED
Source: Yara match File source: 00000002.00000002.2499362699.0000000016B10000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2499362699.0000000016BAC000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2486303183.0000000001114000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2486347292.00000000013C3000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: java.exe PID: 5780, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: javaw.exe PID: 7588, type: MEMORYSTR
Source: Java tracing Executes: java.io.Writer.write(java.lang.String) on Obfuscation by Allatori Obfuscator v6.0 DEMO ## ## http://www.allatori.com
Source: Java tracing Executes: java.io.Writer.write(java.lang.String) on Obfuscation by Allatori Obfuscator v6.0 DEMO ## ## http://www.allatori.com
Source: Java tracing Executes: java.io.Writer.write(java.lang.String) on Obfuscation by Allatori Obfuscator v5.3 DEMO ## ## http://www.allatori.com
Source: Java tracing Executes: java.io.Writer.write(java.lang.String) on Obfuscation by Allatori Obfuscator v5.3 DEMO ## ## http://www.allatori.com
Source: Java tracing Executes: java.io.Writer.write(java.lang.String) on Obfuscation by Allatori Obfuscator v5.3 DEMO ## ## http://www.allatori.com
Source: Java tracing Executes: java.lang.ProcessBuilder(java.lang.String[]) on cmd.exe /c reg add hkey_current_user\software\microsoft\windows\currentversion\run /v home /d "c:\program files (x86)\java\jre-1.8\bin\javaw.exe -jar c:\users\user\appdata\roaming\microsoft\.tmp\1738705111069.tmp" /f
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 2_2_02EDD8F7 push 00000000h; mov dword ptr [esp], esp 2_2_02EDD921
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 2_2_02EDA20A push ecx; ret 2_2_02EDA21A
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 2_2_02EDA21B push ecx; ret 2_2_02EDA225
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 2_2_02EDB3B7 push 00000000h; mov dword ptr [esp], esp 2_2_02EDB3DD
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 2_2_02EDBB67 push 00000000h; mov dword ptr [esp], esp 2_2_02EDBB8D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 2_2_02EDD8E0 push 00000000h; mov dword ptr [esp], esp 2_2_02EDD921
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 2_2_02EDB947 push 00000000h; mov dword ptr [esp], esp 2_2_02EDB96D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 2_2_02EDC477 push 00000000h; mov dword ptr [esp], esp 2_2_02EDC49D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 2_2_02F7C2CD push ecx; retn 0022h 2_2_02F7C382
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 2_2_02F817AE push ds; iretd 2_2_02F817AF
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 2_2_02F7C013 push es; iretd 2_2_02F7C01A
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 14_2_02C5D8F7 push 00000000h; mov dword ptr [esp], esp 14_2_02C5D921
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 14_2_02C5A20A push ecx; ret 14_2_02C5A21A
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 14_2_02C5A21B push ecx; ret 14_2_02C5A225
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 14_2_02C5B3B7 push 00000000h; mov dword ptr [esp], esp 14_2_02C5B3DD
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 14_2_02C5BB67 push 00000000h; mov dword ptr [esp], esp 14_2_02C5BB8D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 14_2_02C5D8E0 push 00000000h; mov dword ptr [esp], esp 14_2_02C5D921
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 14_2_02C5B947 push 00000000h; mov dword ptr [esp], esp 14_2_02C5B96D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 14_2_02C5C477 push 00000000h; mov dword ptr [esp], esp 14_2_02C5C49D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 14_2_02CF9AFC push ds; retn 0000h 14_2_02CF9B66
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 14_2_02CF53CC push ebp; iretd 14_2_02CF53CE
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 14_2_02CF53C8 push ebp; iretd 14_2_02CF53CA
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 14_2_02CF53C4 push ebp; iretd 14_2_02CF53C6
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 14_2_02CF53B8 push ebp; iretd 14_2_02CF53C2
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 14_2_02CF6349 pushad ; iretd 14_2_02CF634A
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 14_2_02CF535B push esp; iretd 14_2_02CF535E
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 14_2_02CF5357 push esp; iretd 14_2_02CF535A
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 14_2_02CF5355 push esp; iretd 14_2_02CF5356
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 14_2_02CF504B push ecx; iretd 14_2_02CF504E
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 14_2_02CF5047 push ecx; iretd 14_2_02CF504A
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 14_2_02CFB811 push cs; retf 14_2_02CFB831

Persistence and Installation Behavior

Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: reg.exe

Boot Survival

Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Home C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1738705111069.tmp
Source: Java tracing Java Jar creates autostart registry key: java.lang.ProcessBuilder(java.lang.String[]) on cmd.exe /c REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1738705111069.tmp" /f
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Home
Source: C:\Windows\SysWOW64\reg.exe Registry value created or modified: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run Home
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 2_2_02F7DAE9 sldt word ptr [eax] 2_2_02F7DAE9
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: javaw.exe, 0000000E.00000002.2486347292.00000000012D8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll)Md
Source: javaw.exe, 00000013.00000003.1487758717.00000000150C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: javaw.exe, 00000013.00000003.1487758717.00000000150C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: java.exe, 00000002.00000002.2486158726.000000000148B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2486347292.00000000012D8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [Ljava/lang/VirtualMachineError;
Source: javaw.exe, 00000013.00000003.1487758717.00000000150C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: org/omg/CORBA/OMGVMCID.classPK
Source: java.exe, 00000002.00000002.2486158726.000000000148B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000E.00000002.2486347292.00000000012D8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: cjava/lang/VirtualMachineError
Source: java.exe, 00000002.00000003.1264023388.00000000154CA000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 0000000E.00000003.1404765655.0000000015265000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000013.00000003.1487758717.00000000150C8000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: java/lang/VirtualMachineError.classPK
Source: java.exe, 00000002.00000002.2486158726.000000000148B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 2_2_02F730C0 LdrInitializeThunk, 2_2_02F730C0
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Memory protected: page read and write | page guard
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user~1\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\Tax_Documents_PDF.jar"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1738705111069.tmp" /f"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1738705111069.tmp" /f
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1738705111069.tmp" /f"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1738705111069.tmp" /f
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c "REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1738705111069.tmp" /f"
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\reg.exe REG ADD HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /v Home /d "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe -jar C:\Users\user\AppData\Roaming\Microsoft\.tmp\1738705111069.tmp" /f
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 2_2_02ED03C0 cpuid 2_2_02ED03C0
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\5780 VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\rt.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jsse.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jce.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\charsets.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Users\user\AppData\Local\Temp\jartracer.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Users\user\AppData\Local\Temp\m17387051107872017907981161292762.tmp VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\7588 VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\rt.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jce.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\charsets.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jfr.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\meta-index VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\7892 VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\rt.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jsse.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jce.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\charsets.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\meta-index VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information

Source: Yara match File source: 00000013.00000003.1541607047.00000000158B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1457672595.00000000159DD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.1541316162.000000001589F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1458780566.0000000015A1F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2491806546.0000000015A14000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.1541083741.0000000015828000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2491739336.00000000158C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2488907139.000000000A265000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1458659056.0000000015A0D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2499362699.0000000016C3A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2489064752.000000000A465000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2495777355.000000000A9C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: java.exe PID: 5780, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: javaw.exe PID: 7588, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: javaw.exe PID: 7892, type: MEMORYSTR

Remote Access Functionality

Source: Yara match File source: 00000013.00000003.1541607047.00000000158B7000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1457672595.00000000159DD000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.1541316162.000000001589F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1458780566.0000000015A1F000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2491806546.0000000015A14000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000003.1541083741.0000000015828000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2491739336.00000000158C6000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000013.00000002.2488907139.000000000A265000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000003.1458659056.0000000015A0D000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2499362699.0000000016C3A000.00000004.00000020.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 0000000E.00000002.2489064752.000000000A465000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: 00000002.00000002.2495777355.000000000A9C9000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: java.exe PID: 5780, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: javaw.exe PID: 7588, type: MEMORYSTR
Source: Yara match File source: Process Memory Space: javaw.exe PID: 7892, type: MEMORYSTR