
Analysis Report primefaces-7.0.11.jar

Overview

General Information

Joe Sandbox Version:28.0.0 Lapis Lazuli
Analysis ID:201043
Start date:15.01.2020
Start time:00:12:43
Joe Sandbox Product:CloudBasic
Overall analysis duration:0h 3m 49s
Hypervisor based Inspection enabled:false
Report type:full
Sample file name:primefaces-7.0.11.jar
Cookbook file name:defaultwindowsfilecookbook.jbs
Analysis system description:Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of new started processes analysed:5
Number of new started drivers analysed:0
Number of existing processes analysed:0
Number of existing drivers analysed:0
Number of injected processes analysed:0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • GSI enabled (Java)
  • AMSI enabled
Analysis stop reason:Timeout
Detection:CLEAN
Classification:clean3.winJAR@7/2@0/0
EGA Information:Failed
HDC Information:Failed
HCA Information:
  • Successful, ratio: 60%
  • Number of executed functions: 42
  • Number of non-executed functions: 5
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .jar
  • Stop behavior analysis, all processes terminated
Warnings:
  • Execution Graph export aborted for target java.exe, PID 1028 because it is empty
  • Report size getting too big, too many NtReadFile calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.

Detection

Strategy | Score | Range | Reporting | Whitelisted | Detection
Threshold | 3 | 0 - 100 | | false | clean

Confidence

Strategy | Score | Range | Further Analysis Required? | Confidence
Threshold | 4 | 0 - 5 | false |

Classification

Analysis Advice

Sample may offer command line options, please run it with the 'Execute binary with arguments' cookbook (it's possible that the command line switches require additional characters like: "-", "/", "--")

Mitre Att&ck Matrix

Techniques listed per tactic; the number in parentheses after a technique is the count of matching signatures shown in the matrix.

  • Initial Access: Valid Accounts; Replication Through Removable Media; External Remote Services
  • Execution: Command-Line Interface (2); Service Execution; Windows Management Instrumentation
  • Persistence: File System Permissions Weakness (1); Port Monitors; Accessibility Features
  • Privilege Escalation: File System Permissions Weakness (1); Process Injection (11); Path Interception
  • Defense Evasion: Disabling Security Tools (1); Process Injection (11); Obfuscated Files or Information (2)
  • Credential Access: Credential Dumping; Network Sniffing; Input Capture
  • Discovery: Security Software Discovery (1); System Information Discovery (1); Query Registry
  • Lateral Movement: Application Deployment Software; Remote Services; Windows Remote Management
  • Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive
  • Exfiltration: Data Encrypted (1); Exfiltration Over Other Network Medium; Automated Exfiltration
  • Command and Control: Standard Cryptographic Protocol (1); Fallback Channels; Custom Cryptographic Protocol
  • Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location
  • Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
  • Impact: Modify System Partition; Device Lockout; Delete Device Data

Signature Overview

Software Vulnerabilities:

Found inlined nop instructions (likely shell or obfuscated code)
  • Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Code function: 4x nop then cmp eax, dword ptr [ecx+04h] | 2_2_025E9CE6
  • Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Code function: 4x nop then cmp eax, dword ptr [ecx+04h] | 2_2_025E8126

Networking:

Urls found in memory or binary data
  • Source: java.exe, 00000002.00000002.1762741684.0000000009BD6000.00000004.00000001.sdmp | String found in binary or memory: http://bugreport.sun.com/bugreport/
  • Source: java.exe, 00000002.00000002.1762464820.0000000004B19000.00000004.00000001.sdmp | String found in binary or memory: http://bugreport.sun.com/bugreport/#
  • Source: java.exe, 00000002.00000002.1762788329.0000000009BF0000.00000004.00000001.sdmp, java.exe, 00000002.00000002.1762512328.0000000004B33000.00000004.00000001.sdmp | String found in binary or memory: http://java.oracle.com/
  • Source: java.exe, 00000002.00000002.1764171407.0000000014C23000.00000004.00000001.sdmp | String found in binary or memory: http://www.oracle.com/technetwork/java/javase/documentation/index.html
  • Source: java.exe, 00000002.00000002.1761736701.00000000048C4000.00000004.00000001.sdmp, java.exe, 00000002.00000002.1762338327.0000000004AD0000.00000004.00000001.sdmp, java.exe, 00000002.00000002.1759825698.0000000000D60000.00000004.00000001.sdmp | String found in binary or memory: http://www.primefaces.org

System Summary:

Detected potential crypto function
  • Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Code function: 2_2_025F6220 | 2_2_025F6220
  • Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Code function: 2_2_025EEF2F | 2_2_025EEF2F
  • Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Code function: 2_2_02686C30 | 2_2_02686C30
Classification label
  • Source: classification engine | Classification label: clean3.winJAR@7/2@0/0
Creates mutexes
  • Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1132:120:WilError_01
  • Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3300:120:WilError_01
Creates temporary files
  • Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | File created: C:\Users\user\AppData\Local\Temp\hsperfdata_user
Executable is probably coded in java
  • Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Section loaded: C:\Program Files (x86)\Java\jre1.8.0_171\bin\client\jvm.dll
Reads software policies
  • Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Sample might require command line arguments
  • Source: java.exe | String found in binary or memory: sun/launcher/
Spawns processes
  • Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\primefaces-7.0.11.jar'' >> C:\cmdlinestart.log 2>&1
  • Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
  • Source: unknown | Process created: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\primefaces-7.0.11.jar'
  • Source: unknown | Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M
  • Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
  • Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\primefaces-7.0.11.jar'
  • Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M
Submission file is bigger than most known malware samples
  • Source: primefaces-7.0.11.jar | Static file information: File size 4845282 > 1048576
Uses new MSVCR Dlls
  • Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dll

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
  • Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Code function: 2_2_0254B377 push 00000000h; mov dword ptr [esp], esp | 2_2_0254B39D
  • Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Code function: 2_2_0254BB27 push 00000000h; mov dword ptr [esp], esp | 2_2_0254BB4D
  • Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Code function: 2_2_0254B907 push 00000000h; mov dword ptr [esp], esp | 2_2_0254B92D
  • Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Code function: 2_2_0254A1DB push ecx; ret | 2_2_0254A1E5
  • Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Code function: 2_2_0254A1CA push ecx; ret | 2_2_0254A1DA
  • Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Code function: 2_2_0254C437 push 00000000h; mov dword ptr [esp], esp | 2_2_0254C45D
  • Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Code function: 2_2_025E0767 push edx; ret | 2_2_025E076B
  • Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Code function: 2_2_025E9A91 push cs; retf | 2_2_025E9AB1
  • Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Code function: 2_2_025EA710 push es; retf 0014h | 2_2_025EA732
  • Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Code function: 2_2_025EF72E push esp; ret | 2_2_025EF72F
  • Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Code function: 2_2_025EF7CB push edx; ret | 2_2_025EF7CD
  • Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Code function: 2_2_025EF8C9 push esp; ret | 2_2_025EF8CA
  • Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Code function: 2_2_025EF96B push edx; ret | 2_2_025EF96D
  • Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Code function: 2_2_025EF5C8 push esp; ret | 2_2_025EF5C9

Hooking and other Techniques for Hiding and Protection:

Uses cacls to modify the permissions of files
  • Source: unknown | Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M

Malware Analysis System Evasion:

Sample execution stops while process was sleeping (likely an evasion)
  • Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
  • Source: java.exe, 00000002.00000003.1744351123.0000000014B50000.00000004.00000001.sdmp | Binary or memory string: com/sun/corba/se/impl/util/SUNVMCID.classPK
  • Source: java.exe, 00000002.00000002.1764628245.0000000014E80000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
  • Source: java.exe, 00000002.00000003.1744351123.0000000014B50000.00000004.00000001.sdmp | Binary or memory string: &com/sun/corba/se/impl/util/SUNVMCID.classPK
  • Source: java.exe, 00000002.00000002.1759953532.0000000000FC0000.00000004.00000001.sdmp | Binary or memory string: ,java/lang/VirtualMachineError
  • Source: java.exe, 00000002.00000003.1744351123.0000000014B50000.00000004.00000001.sdmp | Binary or memory string: org/omg/CORBA/OMGVMCID.classPK
  • Source: java.exe, 00000002.00000002.1759953532.0000000000FC0000.00000004.00000001.sdmp | Binary or memory string: O[Ljava/lang/VirtualMachineError;
  • Source: java.exe, 00000002.00000003.1744351123.0000000014B50000.00000004.00000001.sdmp | Binary or memory string: java/lang/VirtualMachineError.classPK
  • Source: java.exe, 00000002.00000002.1764628245.0000000014E80000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
  • Source: java.exe, 00000002.00000002.1764628245.0000000014E80000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
  • Source: java.exe, 00000002.00000002.1764628245.0000000014E80000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Anti Debugging:

Creates guard pages, often used to prevent reverse engineering and debugging
  • Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Memory protected: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
  • Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\primefaces-7.0.11.jar'
  • Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M

Malware Configuration

No configs have been found

Behavior Graph


Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
Behavior Graph ID:201043
Sample:primefaces-7.0.11.jar
Start date:15/01/2020
Architecture:WINDOWS
Score:3
Process relationships shown in the graph:
  • cmd.exe started java.exe and conhost.exe
  • java.exe started icacls.exe
  • icacls.exe started conhost.exe

Simulations

Behavior and APIs

No simulations

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Source | Detection | Scanner | Label | Link
primefaces-7.0.11.jar | 0% | Virustotal | | Browse

Dropped Files

No Antivirus matches

Unpacked PE Files

No Antivirus matches

Domains

No Antivirus matches

URLs

Source | Detection | Scanner | Label | Link
http://bugreport.sun.com/bugreport/# | 0% | Virustotal | | Browse
http://bugreport.sun.com/bugreport/# | 0% | Avira URL Cloud | safe |
http://bugreport.sun.com/bugreport/ | 0% | Virustotal | | Browse
http://bugreport.sun.com/bugreport/ | 0% | Avira URL Cloud | safe |

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Sigma Overview

No Sigma rule has matched

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

JA3 Fingerprints

No context

Dropped Files

No context

Startup

  • System is w10x64
  • cmd.exe (PID: 2080 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\primefaces-7.0.11.jar'' >> C:\cmdlinestart.log 2>&1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • conhost.exe (PID: 3300 cmdline: C:\Windows\system32\conhost.exe 0x4 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • java.exe (PID: 1028 cmdline: 'C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\primefaces-7.0.11.jar' MD5: 6871F6B74CA631B95B6CE1DEEFB487E7)
      • icacls.exe (PID: 224 cmdline: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M MD5: FF0D1D4317A44C951240FAE75075D501)
        • conhost.exe (PID: 1132 cmdline: C:\Windows\system32\conhost.exe 0x4 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup

Created / dropped Files

C:\ProgramData\Oracle\Java\.oracle_jre_usage\cce3fe3b0d8d80db.timestamp
Process:C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe
File Type:ASCII text, with CRLF line terminators
Size (bytes):57
Entropy (8bit):4.883083602104782
Encrypted:false
MD5:AF1B00573A73A72DBC430A5ED8F93B49
SHA1:9606B18C823E5668CBC7570BC806C5D5B0198CF1
SHA-256:5A80024E2B12BD7B555BC1EA7BB336E1E3C228D2ECF8FCF68745CD723984379F
SHA-512:CACBE86974019471D87A387452CF110CAC3DB037561663661A240A931EB3ECF43A70FEFAB7DE70D9E095577BAF96038C9670D75C9CC23F399D8D4E4C14B26586
Malicious:false
Reputation:low
Preview: C:\Program Files (x86)\Java\jre1.8.0_171..1579076032122..
C:\cmdlinestart.log
Process:C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe
File Type:ASCII text, with CRLF line terminators
Size (bytes):136
Entropy (8bit):4.880405017017448
Encrypted:false
MD5:C070A69365AD23130DE9DCBF8E5C3337
SHA1:5E8CC147880BB721646E529E19A8753AF227602E
SHA-256:5BD215C480472C7C153F701DECDE9CDC11C4D5405E1C5E29F53A0D49D71F5968
SHA-512:7947491A38CA584A1FCE61C072A3C06762516FB01FFE06931349E75D60DCAF0E7CA04084182ED3E9144E768EA82D02C00DBFC3CA0A824BBD3B0DF82C6A1C19FF
Malicious:false
Reputation:low
Preview: no main manifest attribute, in C:\Users\user\Desktop\primefaces-7.0.11.jartid:1 m:java.io.Writer.write(java.lang.String) a0:DQo= r:....

Domains and IPs

Contacted Domains

No contacted domains info

URLs from Memory and Binaries

Name:http://bugreport.sun.com/bugreport/#
Source:java.exe, 00000002.00000002.1762464820.0000000004B19000.00000004.00000001.sdmp
Malicious:false
Antivirus Detection:
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
Reputation:low

Name:http://java.oracle.com/
Source:java.exe, 00000002.00000002.1762788329.0000000009BF0000.00000004.00000001.sdmp, java.exe, 00000002.00000002.1762512328.0000000004B33000.00000004.00000001.sdmp
Malicious:false
Antivirus Detection:
Reputation:high

Name:http://www.primefaces.org
Source:java.exe, 00000002.00000002.1761736701.00000000048C4000.00000004.00000001.sdmp, java.exe, 00000002.00000002.1762338327.0000000004AD0000.00000004.00000001.sdmp, java.exe, 00000002.00000002.1759825698.0000000000D60000.00000004.00000001.sdmp
Malicious:false
Antivirus Detection:
Reputation:high

Name:http://www.oracle.com/technetwork/java/javase/documentation/index.html
Source:java.exe, 00000002.00000002.1764171407.0000000014C23000.00000004.00000001.sdmp
Malicious:false
Antivirus Detection:
Reputation:high

Name:http://bugreport.sun.com/bugreport/
Source:java.exe, 00000002.00000002.1762741684.0000000009BD6000.00000004.00000001.sdmp
Malicious:false
Antivirus Detection:
  • 0%, Virustotal, Browse
  • Avira URL Cloud: safe
Reputation:low

Contacted IPs

No contacted IP info

Static File Info

General

File type:Java archive data (JAR)
Entropy (8bit):7.958871266331203
TrID:
  • Java Archive (13504/1) 62.80%
  • ZIP compressed archive (8000/1) 37.20%
File name:primefaces-7.0.11.jar
File size:4845282
MD5:2089d23605a1e5e82d8f4521d92f876a
SHA1:b70d7e8c9be5580c4bf7c058218b5270c7876c88
SHA256:ea05ca179d577266672dd30ecc209f8a1d1f9489c6347cbcb05aa5a07d70653c
SHA512:f4ffd9a96b9bacec5fd174a1e14f64434a560b399875b3c4ad0e91a9d13529694ca163439492f2b8c221c01f281fa7328bcca8f43b03663cca641e87ea403e2a
SSDEEP:98304:eY2VuEmsD4wdoCvndJSsSxyTE1Oba0BJ2lERmTs/SzgJGOWmi/PZEX4jm70B:eGsDLSQnOLyTF32imo7vW740B
File Content Preview:PK...........O................META-INF/......PK..............PK...........O................META-INF/MANIFEST.MF.=..............ne.....~Xg...80.$/..`....VI.....><...x;......=%..<.._....-.......M}.{[.!.~<..;.z......|............?.o..o....uY...f.... !.......

File Icon

Icon Hash:d28c8e8ea2868ad6

Network Behavior

No network behavior found

Code Manipulations

Statistics

Per-process charts: CPU Usage, Memory Usage, High Level Behavior Distribution, Behavior

System Behavior

General

Start time:00:13:48
Start date:15/01/2020
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\cmd.exe /c ''C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\primefaces-7.0.11.jar'' >> C:\cmdlinestart.log 2>&1
Imagebase:0xb20000
File size:232960 bytes
MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:00:13:48
Start date:15/01/2020
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0x4
Imagebase:0x7ff642e80000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high

General

Start time:00:13:48
Start date:15/01/2020
Path:C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe
Wow64 process (32bit):true
Commandline:'C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\primefaces-7.0.11.jar'
Imagebase:0x10f0000
File size:191944 bytes
MD5 hash:6871F6B74CA631B95B6CE1DEEFB487E7
Has administrator privileges:true
Programmed in:Java
Reputation:high

General

Start time:00:13:52
Start date:15/01/2020
Path:C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit):true
Commandline:C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M
Imagebase:0xfa0000
File size:29696 bytes
MD5 hash:FF0D1D4317A44C951240FAE75075D501
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:moderate

General

Start time:00:13:52
Start date:15/01/2020
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0x4
Imagebase:0x7ff642e80000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has administrator privileges:true
Programmed in:C, C++ or other language
Reputation:high