
Analysis Report FedEx 320002127812100.jar

Overview

General Information

Sample Name: FedEx 320002127812100.jar
Analysis ID: 399486
MD5: aafce6f10774bbc2344ce88ab51e1cfb
SHA1: 9224d16b2ad7d54c0b6a9a05ff24d911d118d711
SHA256: b63a342fa88add92fbe34e707de613c1494f08debb6ab0e4dad851b4039dc6e4
Tags: FedEx, jar

Detection

STRRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Found malware configuration
Sigma detected: Get antivirus details via WMIC query
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected STRRAT
Creates autostart registry keys to launch java
Exploit detected, runtime environment dropped PE file
Exploit detected, runtime environment starts unknown processes
May check the online IP address of the machine
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Uses dynamic DNS services
Uses schtasks.exe or at.exe to add and modify task schedules
Yara detected AllatoriJARObfuscator
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Creates a process in suspended mode (likely to inject code)
Creates a start menu entry (Start Menu\Programs\Startup)
Detected TCP or UDP traffic on non-standard ports
Drops PE files
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
Java Jar is obfuscated using Allatori
Launches a Java Jar file from a suspicious file location
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Stores files to the Windows start menu directory
Uses a known web browser user agent for HTTP communication
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)

Classification

Startup

  • System is w10x64
  • cmd.exe (PID: 6956 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\FedEx 320002127812100.jar'' >> C:\cmdlinestart.log 2>&1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • conhost.exe (PID: 6968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • java.exe (PID: 7012 cmdline: 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\FedEx 320002127812100.jar' MD5: 28733BA8C383E865338638DF5196E6FE)
      • icacls.exe (PID: 7080 cmdline: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M MD5: FF0D1D4317A44C951240FAE75075D501)
        • conhost.exe (PID: 7116 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • java.exe (PID: 6452 cmdline: 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -jar 'C:\Users\user\FedEx 320002127812100.jar' MD5: 28733BA8C383E865338638DF5196E6FE)
        • conhost.exe (PID: 2388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • cmd.exe (PID: 6824 cmdline: cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\user\AppData\Roaming\FedEx 320002127812100.jar' MD5: F3BDBE3BB6F734E357235F4D5898582D)
          • conhost.exe (PID: 4768 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • schtasks.exe (PID: 6616 cmdline: schtasks /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\user\AppData\Roaming\FedEx 320002127812100.jar' MD5: 15FF7D8324231381BAD48A052F85DF04)
        • java.exe (PID: 5908 cmdline: 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -jar 'C:\Users\user\AppData\Roaming\FedEx 320002127812100.jar' MD5: 28733BA8C383E865338638DF5196E6FE)
          • conhost.exe (PID: 6920 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • cmd.exe (PID: 5992 cmdline: cmd.exe /c 'wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 404 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • WMIC.exe (PID: 740 cmdline: wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)
          • cmd.exe (PID: 3480 cmdline: cmd.exe /c 'wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 2928 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • WMIC.exe (PID: 1620 cmdline: wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)
          • cmd.exe (PID: 7072 cmdline: cmd.exe /c 'wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 7112 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • WMIC.exe (PID: 6028 cmdline: wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)
          • cmd.exe (PID: 4864 cmdline: cmd.exe /c 'wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list' MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6796 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • WMIC.exe (PID: 4244 cmdline: wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)
  • javaw.exe (PID: 3980 cmdline: 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe' -jar 'C:\Users\user\AppData\Roaming\FedEx 320002127812100.jar' MD5: 4BFEB2F64685DA09DEBB95FB981D4F65)
  • javaw.exe (PID: 6344 cmdline: 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe' -jar 'C:\Users\user\AppData\Roaming\FedEx 320002127812100.jar' MD5: 4BFEB2F64685DA09DEBB95FB981D4F65)
  • javaw.exe (PID: 5956 cmdline: 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe' -jar 'C:\Users\user\AppData\Roaming\FedEx 320002127812100.jar' MD5: 4BFEB2F64685DA09DEBB95FB981D4F65)
  • cleanup

Malware Configuration

Threatname: STRRAT

{"C2 list": "severdops.ddns.net:3318", "url": "http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5", "Proxy": "severdops.ddns.net:3318", "lid": "P2AP-K06V-U430-8310-7K76"}

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\cmdlinestart.log | JoeSecurity_Allatori_JAR_Obfuscator | Yara detected Allatori_JAR_Obfuscator | Joe Security |

Memory Dumps

Source | Rule | Description | Author | Strings
00000002.00000002.689545566.000000000A480000.00000004.00000001.sdmp | JoeSecurity_STRRAT | Yara detected STRRAT | Joe Security |
00000009.00000002.702470688.0000000005246000.00000004.00000001.sdmp | JoeSecurity_STRRAT | Yara detected STRRAT | Joe Security |
0000000D.00000002.913867172.0000000009D9D000.00000004.00000001.sdmp | JoeSecurity_Allatori_JAR_Obfuscator | Yara detected Allatori_JAR_Obfuscator | Joe Security |
0000001C.00000002.913656098.0000000009BA2000.00000004.00000001.sdmp | JoeSecurity_Allatori_JAR_Obfuscator | Yara detected Allatori_JAR_Obfuscator | Joe Security |
0000001C.00000002.913511495.0000000009B68000.00000004.00000001.sdmp | JoeSecurity_Allatori_JAR_Obfuscator | Yara detected Allatori_JAR_Obfuscator | Joe Security |

Sigma Overview

System Summary:

Sigma detected: Get antivirus details via WMIC query
Source: Process started | Author: Joe Security | Data: Command: cmd.exe /c 'wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list', CommandLine: cmd.exe /c 'wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list', CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\cmd.exe, NewProcessName: C:\Windows\SysWOW64\cmd.exe, OriginalFileName: C:\Windows\SysWOW64\cmd.exe, ParentCommandLine: 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -jar 'C:\Users\user\AppData\Roaming\FedEx 320002127812100.jar', ParentImage: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe, ParentProcessId: 5908, ProcessCommandLine: cmd.exe /c 'wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list', ProcessId: 4864

Signature Overview

AV Detection:

Found malware configuration
Source: java.exe.5908.13.memstr | Malware Configuration Extractor: STRRAT {"C2 list": "severdops.ddns.net:3318", "url": "http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5", "Proxy": "severdops.ddns.net:3318", "lid": "P2AP-K06V-U430-8310-7K76"}
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: unknown | HTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.4:49740 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49739 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49741 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49742 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.111.154:443 -> 192.168.2.4:49745 version: TLS 1.2

Software Vulnerabilities:

Exploit detected, runtime environment starts unknown processes
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Process created: C:\Windows\System32\conhost.exe

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2030358 ET TROJAN STRRAT CnC Checkin 192.168.2.4:49754 -> 103.151.123.132:3318
May check the online IP address of the machine
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | DNS query: name: ip-api.com
Uses dynamic DNS services
Source: unknown | DNS query: name: severdops.ddns.net
Source: global traffic | TCP traffic: 192.168.2.4:49751 -> 103.151.123.132:3318
Source: Joe Sandbox View | IP Address: 208.95.112.1
Source: Joe Sandbox View | ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN
Source: Joe Sandbox View | JA3 fingerprint: d2935c58fe676744fecc8614ee5356c7
Source: global traffic | HTTP traffic detected:
    GET /json/ HTTP/1.1
    Host: ip-api.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
    Connection: close
Source: global traffic | HTTP traffic detected:
    GET /json/ HTTP/1.1
    Host: ip-api.com
    User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/73.0.3683.86 Safari/537.36
    Connection: close
Source: unknown | DNS traffic detected: queries for: repo1.maven.org
Source: java.exe, 00000009.00000002.701977101.0000000004E71000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.913840046.0000000009D95000.00000004.00000001.sdmp | String found in binary or memory: http://bugreport.sun.com/bugreport/
Source: java.exe, 00000002.00000002.690058654.000000000A60D000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt
Source: java.exe, 00000002.00000002.689982064.000000000A5D5000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0K
Source: java.exe, 00000002.00000002.690058654.000000000A60D000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceTLSHybridECCSHA2562020CA1.crt
Source: java.exe, 00000002.00000002.689982064.000000000A5D5000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceTLSHybridECCSHA2562020CA1.crt0
Source: java.exe, 00000002.00000002.688804292.0000000005090000.00000004.00000001.sdmp, java.exe, 00000002.00000002.688875087.00000000050EE000.00000004.00000001.sdmp, java.exe, 00000002.00000002.690636067.000000000A689000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt
Source: java.exe, 00000002.00000002.688750608.000000000504F000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt0
Source: java.exe, 00000002.00000002.688875087.00000000050EE000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt;j
Source: java.exe, 00000002.00000002.688771712.0000000005073000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crtk.
Source: java.exe, 00000002.00000002.688875087.00000000050EE000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crtkh
Source: java.exe, 00000002.00000002.690636067.000000000A689000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crty0
Source: java.exe, 00000002.00000002.690058654.000000000A60D000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt
Source: java.exe, 00000002.00000002.688836181.00000000050B0000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt0
Source: java.exe, 0000000D.00000002.914909862.0000000009F25000.00000004.00000001.sdmp | String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html
Source: java.exe, 00000002.00000002.689545566.000000000A480000.00000004.00000001.sdmp, java.exe, 00000009.00000002.702872981.000000000A524000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.914909862.0000000009F25000.00000004.00000001.sdmp | String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: java.exe, 0000000D.00000002.914909862.0000000009F25000.00000004.00000001.sdmp | String found in binary or memory: http://crl.chambersign.org/chambersroot.crl
Source: java.exe, 00000002.00000002.689545566.000000000A480000.00000004.00000001.sdmp, java.exe, 00000009.00000002.702872981.000000000A524000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.914909862.0000000009F25000.00000004.00000001.sdmp | String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: java.exe, 00000002.00000002.689545566.000000000A480000.00000004.00000001.sdmp, java.exe, 00000009.00000002.702872981.000000000A524000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.914909862.0000000009F25000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl
Source: java.exe, 00000002.00000002.689545566.000000000A480000.00000004.00000001.sdmp, java.exe, 00000009.00000002.702872981.000000000A524000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.914909862.0000000009F25000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: java.exe, 00000002.00000002.689372539.000000000A3CC000.00000004.00000001.sdmp, java.exe, 00000009.00000002.702872981.000000000A524000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.914909862.0000000009F25000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl
Source: java.exe, 00000002.00000002.689372539.000000000A3CC000.00000004.00000001.sdmp, java.exe, 00000009.00000002.702872981.000000000A524000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.914909862.0000000009F25000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: java.exe, 00000002.00000002.689545566.000000000A480000.00000004.00000001.sdmp, java.exe, 00000009.00000002.702872981.000000000A524000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.914909862.0000000009F25000.00000004.00000001.sdmp | String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: java.exe, 00000002.00000002.689545566.000000000A480000.00000004.00000001.sdmp, java.exe, 00000009.00000002.702872981.000000000A524000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.914909862.0000000009F25000.00000004.00000001.sdmp | String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: java.exe, 00000002.00000002.689545566.000000000A480000.00000004.00000001.sdmp, java.exe, 00000009.00000002.702872981.000000000A524000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.914909862.0000000009F25000.00000004.00000001.sdmp | String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: java.exe, 00000002.00000002.689545566.000000000A480000.00000004.00000001.sdmp, java.exe, 00000009.00000002.702872981.000000000A524000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.914909862.0000000009F25000.00000004.00000001.sdmp | String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: java.exe, 00000002.00000002.690058654.000000000A60D000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl
Source: java.exe, 00000002.00000002.688836181.00000000050B0000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: java.exe, 00000002.00000002.690058654.000000000A60D000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl
Source: java.exe, 00000002.00000002.689982064.000000000A5D5000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl00
Source: java.exe, 00000002.00000002.690058654.000000000A60D000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceTLSHybridECCSHA2562020CA1.crl
Source: java.exe, 00000002.00000002.689982064.000000000A5D5000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceTLSHybridECCSHA2562020CA1.crl0Q
Source: java.exe, 00000002.00000002.688875087.00000000050EE000.00000004.00000001.sdmp, java.exe, 00000002.00000002.690636067.000000000A689000.00000004.00000001.sdmp, java.exe, 00000002.00000002.688771712.0000000005073000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/sha2-ha-server-g6.crl
Source: java.exe, 00000002.00000002.688750608.000000000504F000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/sha2-ha-server-g6.crl04
Source: java.exe, 00000002.00000002.688875087.00000000050EE000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/sha2-ha-server-g6.crlC
Source: java.exe, 00000002.00000002.688875087.00000000050EE000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/sha2-ha-server-g6.crlcS
Source: java.exe, 00000002.00000002.690058654.000000000A60D000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/ssca-sha2-g6.crl
Source: java.exe, 00000002.00000002.688836181.00000000050B0000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/ssca-sha2-g6.crl0/
Source: java.exe, 00000002.00000002.690058654.000000000A60D000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl
Source: java.exe, 00000002.00000002.688836181.00000000050B0000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
Source: java.exe, 00000002.00000002.688935623.000000000511F000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl;
Source: java.exe, 00000002.00000002.688935623.000000000511F000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crlK5b
Source: java.exe, 00000002.00000002.688935623.000000000511F000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crlS
Source: java.exe, 00000002.00000002.690636067.000000000A689000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl
Source: java.exe, 00000002.00000002.688771712.0000000005073000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl#
Source: java.exe, 00000002.00000002.688750608.000000000504F000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: java.exe, 00000002.00000002.688771712.0000000005073000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crlC
Source: java.exe, 00000002.00000002.688875087.00000000050EE000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crlCR
Source: java.exe, 00000002.00000002.690058654.000000000A60D000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceTLSHybridECCSHA2562020CA1.crl
Source: java.exe, 00000002.00000002.689982064.000000000A5D5000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceTLSHybridECCSHA2562020CA1.crl0
Source: java.exe, 00000002.00000002.688804292.0000000005090000.00000004.00000001.sdmp, java.exe, 00000002.00000002.690636067.000000000A689000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crl
Source: java.exe, 00000002.00000002.688750608.000000000504F000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crl0L
Source: java.exe, 00000002.00000002.688875087.00000000050EE000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crlS
Source: java.exe, 00000002.00000002.688875087.00000000050EE000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crls0
Source: java.exe, 00000002.00000002.690058654.000000000A60D000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/ssca-sha2-g6.crl
Source: java.exe, 00000002.00000002.688836181.00000000050B0000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/ssca-sha2-g6.crl0L
Source: java.exe, 00000002.00000002.689022466.000000000A1D5000.00000004.00000001.sdmp, java.exe, 00000009.00000002.702672659.000000000A3A0000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.913882768.0000000009D9F000.00000004.00000001.sdmp | String found in binary or memory: http://java.oracle.com/
Source: java.exe, 0000000D.00000002.913275754.0000000004CCC000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.912467734.0000000004A47000.00000004.00000001.sdmp | String found in binary or memory: http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5
Source: java.exe, 00000002.00000002.689545566.000000000A480000.00000004.00000001.sdmp | String found in binary or memory: http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=510
Source: java.exe, 00000009.00000002.702154595.0000000004FE5000.00000004.00000001.sdmp | String found in binary or memory: http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5k
Source: java.exe, 00000002.00000003.675088349.0000000015380000.00000004.00000001.sdmp, java.exe, 00000002.00000003.675154069.00000000159AD000.00000004.00000001.sdmp, java.exe, 00000002.00000002.689372539.000000000A3CC000.00000004.00000001.sdmp, java.exe, 00000009.00000002.705555762.000000001549C000.00000004.00000001.sdmp, java.exe, 00000009.00000002.702762623.000000000A42C000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.914320916.0000000009E2C000.00000004.00000001.sdmp | String found in binary or memory: http://null.oracle.com/
Source: java.exe, 00000002.00000002.690058654.000000000A60D000.00000004.00000001.sdmp, java.exe, 00000002.00000002.688875087.00000000050EE000.00000004.00000001.sdmp, java.exe, 00000002.00000002.690636067.000000000A689000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com
Source: java.exe, 00000002.00000002.688875087.00000000050EE000.00000004.00000001.sdmp, java.exe, 00000002.00000002.688771712.0000000005073000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com#
Source: java.exe, 00000002.00000002.688836181.00000000050B0000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0
Source: java.exe, 00000002.00000002.688836181.00000000050B0000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0F
Source: java.exe, 00000002.00000002.689982064.000000000A5D5000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0I
Source: java.exe, 00000002.00000002.688750608.000000000504F000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0K
Source: java.exe, 00000002.00000002.688750608.000000000504F000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0M
Source: java.exe, 00000002.00000002.689982064.000000000A5D5000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com0Z
Source: java.exe, 00000002.00000002.688935623.000000000511F000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com3
Source: java.exe, 00000002.00000002.688875087.00000000050EE000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com3h
Source: java.exe, 00000002.00000002.688771712.0000000005073000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.com;
Source: java.exe, 00000002.00000002.688875087.00000000050EE000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.comCO
Source: java.exe, 00000002.00000002.688875087.00000000050EE000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.comS:
Source: java.exe, 00000002.00000002.688935623.000000000511F000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.comk
Source: java.exe, 00000002.00000002.690636067.000000000A689000.00000004.00000001.sdmp | String found in binary or memory: http://ocsp.digicert.comy0
Source: java.exe, 0000000D.00000002.914909862.0000000009F25000.00000004.00000001.sdmp | String found in binary or memory: http://policy.camerfirma.com
Source: java.exe, 00000009.00000002.702536452.00000000052CB000.00000004.00000001.sdmp | String found in binary or memory: http://policy.camerfirma.com#
Source: java.exe, 00000002.00000002.689545566.000000000A480000.00000004.00000001.sdmp, java.exe, 00000009.00000002.702872981.000000000A524000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.914909862.0000000009F25000.00000004.00000001.sdmp | String found in binary or memory: http://policy.camerfirma.com0
Source: java.exe, 0000000D.00000002.914909862.0000000009F25000.00000004.00000001.sdmp | String found in binary or memory: http://repository.swisssign.com/
Source: java.exe, 00000002.00000002.689545566.000000000A480000.00000004.00000001.sdmp, java.exe, 00000009.00000002.702872981.000000000A524000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.914909862.0000000009F25000.00000004.00000001.sdmp | String found in binary or memory: http://repository.swisssign.com/0
Source: java.exe, 0000000D.00000002.914909862.0000000009F25000.00000004.00000001.sdmp | String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl
Source: java.exe, 00000002.00000002.689545566.000000000A480000.00000004.00000001.sdmp, java.exe, 00000009.00000002.702872981.000000000A524000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.914909862.0000000009F25000.00000004.00000001.sdmp | String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0
Source: java.exe, 00000009.00000002.702536452.00000000052CB000.00000004.00000001.sdmp | String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crlS
Source: java.exe, 00000002.00000002.689012870.000000000A1C4000.00000004.00000001.sdmp, java.exe, 00000009.00000002.702629616.000000000A367000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.913867172.0000000009D9D000.00000004.00000001.sdmp | String found in binary or memory: http://www.allatori.com
Source: java.exe, 00000002.00000002.690058654.000000000A60D000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/
Source: javaw.exe | String found in binary or memory: http://www.apache.org/licenses/LICEN
Source: java.exe, 00000009.00000002.705601051.0000000015505000.00000004.00000001.sdmp, java.exe, 0000000D.00000003.878699087.0000000014EA5000.00000004.00000001.sdmp | String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.txt
Source: java.exe, 0000000D.00000002.914909862.0000000009F25000.00000004.00000001.sdmp | String found in binary or memory: http://www.certplus.com/CRL/class2.crl
Source: java.exe, 00000002.00000002.689545566.000000000A480000.00000004.00000001.sdmp, java.exe, 00000009.00000002.702872981.000000000A524000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.914909862.0000000009F25000.00000004.00000001.sdmp | String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: java.exe, 0000000D.00000002.914909862.0000000009F25000.00000004.00000001.sdmp | String found in binary or memory: http://www.certplus.com/CRL/class3P.crl
Source: java.exe, 00000002.00000002.689545566.000000000A480000.00000004.00000001.sdmp, java.exe, 00000009.00000002.702872981.000000000A524000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.914909862.0000000009F25000.00000004.00000001.sdmp | String found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
Source: java.exe, 00000002.00000002.690058654.000000000A60D000.00000004.00000001.sdmp, java.exe, 00000009.00000002.702872981.000000000A524000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.914909862.0000000009F25000.00000004.00000001.sdmp | String found in binary or memory: http://www.chambersign.org
Source: java.exe, 00000002.00000002.689545566.000000000A480000.00000004.00000001.sdmp, java.exe, 00000009.00000002.702872981.000000000A524000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.914909862.0000000009F25000.00000004.00000001.sdmp | String found in binary or memory: http://www.chambersign.org1
Source: java.exe, 00000002.00000002.690058654.000000000A60D000.00000004.00000001.sdmp | String found in binary or memory: http://www.digicert.com/CPS
Source: java.exe, 00000002.00000002.689982064.000000000A5D5000.00000004.00000001.sdmp | String found in binary or memory: http://www.digicert.com/CPS0
Source: java.exe, 00000002.00000002.689545566.000000000A480000.00000004.00000001.sdmp, java.exe, 00000009.00000002.702872981.000000000A524000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.914909862.0000000009F25000.00000004.00000001.sdmp | String found in binary or memory: http://www.quovadis.bm
Source: java.exe, 00000002.00000002.689545566.000000000A480000.00000004.00000001.sdmp, java.exe, 00000009.00000002.702872981.000000000A524000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.914909862.0000000009F25000.00000004.00000001.sdmp | String found in binary or memory: http://www.quovadis.bm0
Source: java.exe, 0000000D.00000002.914909862.0000000009F25000.00000004.00000001.sdmp | String found in binary or memory: http://www.quovadisglobal.com/cps
              Source: java.exe, 00000002.00000002.689545566.000000000A480000.00000004.00000001.sdmp, java.exe, 00000009.00000002.702872981.000000000A524000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.914909862.0000000009F25000.00000004.00000001.sdmpString found in binary or memory: http://www.quovadisglobal.com/cps0
              Source: java.exe, 00000009.00000002.702536452.00000000052CB000.00000004.00000001.sdmpString found in binary or memory: http://www.quovadisglobal.com/cps;
              Source: java.exe, 00000002.00000002.690058654.000000000A60D000.00000004.00000001.sdmp, java.exe, 00000002.00000002.690546365.000000000A678000.00000004.00000001.sdmpString found in binary or memory: https://api.github.com/_private/browser/errors
              Source: java.exe, 00000002.00000002.690058654.000000000A60D000.00000004.00000001.sdmp, java.exe, 00000002.00000002.690546365.000000000A678000.00000004.00000001.sdmpString found in binary or memory: https://github-releases.githubusercontent.com/51361554/623ef000-9da4-11e9-9ea2-d90155318994?X-Amz-Al
              Source: java.exe, 00000002.00000002.685814355.0000000004D95000.00000004.00000001.sdmp, java.exe, 00000009.00000002.702470688.0000000005246000.00000004.00000001.sdmp, java.exe, 00000009.00000002.702154595.0000000004FE5000.00000004.00000001.sdmpString found in binary or memory: https://github.com/kristian/system-hook/releases/download/3.5/system-hook-3.5.jar
              Source: java.exe, 00000002.00000002.689545566.000000000A480000.00000004.00000001.sdmpString found in binary or memory: https://github.com/kristian/system-hook/releases/download/3.5/system-hook-3.5.jar1
              Source: java.exe, 00000002.00000002.689545566.000000000A480000.00000004.00000001.sdmpString found in binary or memory: https://github.com/kristian/system-hook/releases/download/3.5/system-hook-3.5.jar1H
              Source: java.exe, 00000009.00000002.702154595.0000000004FE5000.00000004.00000001.sdmpString found in binary or memory: https://github.com/kristian/system-hook/releases/download/3.5/system-hook-3.5.jarK
              Source: java.exe, 0000000D.00000002.914909862.0000000009F25000.00000004.00000001.sdmpString found in binary or memory: https://ocsp.quovadisoffshore.com
              Source: java.exe, 00000009.00000002.702536452.00000000052CB000.00000004.00000001.sdmpString found in binary or memory: https://ocsp.quovadisoffshore.com#
              Source: java.exe, 00000002.00000002.689545566.000000000A480000.00000004.00000001.sdmp, java.exe, 00000009.00000002.702872981.000000000A524000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.914909862.0000000009F25000.00000004.00000001.sdmpString found in binary or memory: https://ocsp.quovadisoffshore.com0
              Source: java.exe, 00000002.00000002.685814355.0000000004D95000.00000004.00000001.sdmp, java.exe, 00000009.00000002.702470688.0000000005246000.00000004.00000001.sdmp, java.exe, 00000009.00000002.702154595.0000000004FE5000.00000004.00000001.sdmpString found in binary or memory: https://repo1.maven.org/maven2/net/java/dev/jna/jna-platform/5.5.0/jna-platform-5.5.0.jar
              Source: java.exe, 00000002.00000002.689545566.000000000A480000.00000004.00000001.sdmpString found in binary or memory: https://repo1.maven.org/maven2/net/java/dev/jna/jna-platform/5.5.0/jna-platform-5.5.0.jar10
              Source: java.exe, 00000002.00000002.689545566.000000000A480000.00000004.00000001.sdmpString found in binary or memory: https://repo1.maven.org/maven2/net/java/dev/jna/jna-platform/5.5.0/jna-platform-5.5.0.jar1H
              Source: java.exe, 00000002.00000002.685814355.0000000004D95000.00000004.00000001.sdmp, java.exe, 00000009.00000002.702470688.0000000005246000.00000004.00000001.sdmp, java.exe, 00000009.00000002.702154595.0000000004FE5000.00000004.00000001.sdmpString found in binary or memory: https://repo1.maven.org/maven2/net/java/dev/jna/jna/5.5.0/jna-5.5.0.jar
              Source: java.exe, 00000002.00000002.689545566.000000000A480000.00000004.00000001.sdmpString found in binary or memory: https://repo1.maven.org/maven2/net/java/dev/jna/jna/5.5.0/jna-5.5.0.jar10
              Source: java.exe, 00000002.00000002.689545566.000000000A480000.00000004.00000001.sdmpString found in binary or memory: https://repo1.maven.org/maven2/net/java/dev/jna/jna/5.5.0/jna-5.5.0.jar1H
              Source: java.exe, 00000009.00000002.702154595.0000000004FE5000.00000004.00000001.sdmpString found in binary or memory: https://repo1.maven.org/maven2/net/java/dev/jna/jna/5.5.0/jna-5.5.0.jarC=%
              Source: java.exe, 00000002.00000002.685690256.0000000004D48000.00000004.00000001.sdmp, java.exe, 00000009.00000002.702470688.0000000005246000.00000004.00000001.sdmp, java.exe, 00000009.00000002.702154595.0000000004FE5000.00000004.00000001.sdmpString found in binary or memory: https://repo1.maven.org/maven2/org/xerial/sqlite-jdbc/3.14.2.1/sqlite-jdbc-3.14.2.1.jar
              Source: java.exe, 00000002.00000002.689545566.000000000A480000.00000004.00000001.sdmpString found in binary or memory: https://repo1.maven.org/maven2/org/xerial/sqlite-jdbc/3.14.2.1/sqlite-jdbc-3.14.2.1.jar10
              Source: java.exe, 00000002.00000002.689545566.000000000A480000.00000004.00000001.sdmpString found in binary or memory: https://repo1.maven.org/maven2/org/xerial/sqlite-jdbc/3.14.2.1/sqlite-jdbc-3.14.2.1.jar1H
              Source: java.exe, 00000009.00000002.702154595.0000000004FE5000.00000004.00000001.sdmpString found in binary or memory: https://repo1.maven.org/maven2/org/xerial/sqlite-jdbc/3.14.2.1/sqlite-jdbc-3.14.2.1.jars=%
              Source: java.exe, 00000002.00000002.688875087.00000000050EE000.00000004.00000001.sdmp, java.exe, 00000002.00000002.688935623.000000000511F000.00000004.00000001.sdmp, java.exe, 00000002.00000002.690636067.000000000A689000.00000004.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPS
              Source: java.exe, 00000002.00000002.688836181.00000000050B0000.00000004.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPS0
              Source: java.exe, 00000002.00000002.688935623.000000000511F000.00000004.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPS;
              Source: java.exe, 00000002.00000002.688875087.00000000050EE000.00000004.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPS;l
              Source: java.exe, 00000002.00000002.688771712.0000000005073000.00000004.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPSC/
              Source: java.exe, 00000002.00000002.688875087.00000000050EE000.00000004.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPSCi
              Source: java.exe, 00000002.00000002.688875087.00000000050EE000.00000004.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPSKz
              Source: java.exe, 00000002.00000002.688771712.0000000005073000.00000004.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPSc
              Source: java.exe, 00000002.00000002.688875087.00000000050EE000.00000004.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPSkL
              Source: java.exe, 00000002.00000002.690636067.000000000A689000.00000004.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPSyx
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49742
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49741
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49740
              Source: unknownNetwork traffic detected: HTTP traffic on port 49741 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49740 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49742 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 49745 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49739
              Source: unknownNetwork traffic detected: HTTP traffic on port 49739 -> 443
              Source: unknownNetwork traffic detected: HTTP traffic on port 443 -> 49745
              Source: unknownHTTPS traffic detected: 140.82.121.3:443 -> 192.168.2.4:49740 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49739 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49741 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.4:49742 version: TLS 1.2
              Source: unknownHTTPS traffic detected: 185.199.111.154:443 -> 192.168.2.4:49745 version: TLS 1.2

              System Summary:

              Source: classification engine | Classification label: mal100.troj.expl.evad.winJAR@41/22@5/6
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | File created: C:\Users\user\3318lock.file
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6968:120:WilError_01
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:404:120:WilError_01
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7116:120:WilError_01
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2388:120:WilError_01
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2928:120:WilError_01
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6920:120:WilError_01
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7112:120:WilError_01
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6796:120:WilError_01
              Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4768:120:WilError_01
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | File created: C:\Users\user\AppData\Local\Temp\hsperfdata_user
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Section loaded: C:\Program Files (x86)\Java\jre1.8.0_211\bin\client\jvm.dll
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | File read: C:\Windows\System32\drivers\etc\hosts
              Source: java.exe | String found in binary or memory: sun/launcher/
              Source: java.exe | String found in binary or memory: gp1.in-addr.arpa
              Source: java.exe | String found in binary or memory: -ADDR_TYPE_NOT_SUP
              Source: javaw.exe | String found in binary or memory: .in-addr.arpa
              Source: javaw.exe | String found in binary or memory: .in-addr.arpa
              Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\FedEx 320002127812100.jar'' >> C:\cmdlinestart.log 2>&1
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\FedEx 320002127812100.jar'
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M
              Source: C:\Windows\SysWOW64\icacls.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -jar 'C:\Users\user\FedEx 320002127812100.jar'
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\user\AppData\Roaming\FedEx 320002127812100.jar'
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -jar 'C:\Users\user\AppData\Roaming\FedEx 320002127812100.jar'
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\user\AppData\Roaming\FedEx 320002127812100.jar'
              Source: unknown | Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe' -jar 'C:\Users\user\AppData\Roaming\FedEx 320002127812100.jar'
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c 'wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list'
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c 'wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list'
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: unknown | Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe' -jar 'C:\Users\user\AppData\Roaming\FedEx 320002127812100.jar'
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c 'wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list'
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c 'wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list'
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list
              Source: unknown | Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe' -jar 'C:\Users\user\AppData\Roaming\FedEx 320002127812100.jar'
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\FedEx 320002127812100.jar'
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -jar 'C:\Users\user\FedEx 320002127812100.jar'
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\user\AppData\Roaming\FedEx 320002127812100.jar'
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -jar 'C:\Users\user\AppData\Roaming\FedEx 320002127812100.jar'
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\user\AppData\Roaming\FedEx 320002127812100.jar'
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c 'wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list'
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c 'wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list'
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c 'wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list'
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c 'wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list'
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll

              Data Obfuscation:

              Yara detected AllatoriJARObfuscator
              Source: Yara match | File source: 0000000D.00000002.913867172.0000000009D9D000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 0000001C.00000002.913656098.0000000009BA2000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 0000001C.00000002.913511495.0000000009B68000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000009.00000002.702629616.000000000A367000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000024.00000002.913166083.000000000A39E000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000009.00000002.702668221.000000000A39E000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 0000000D.00000002.913715611.0000000009D66000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.689012870.000000000A1C4000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000014.00000002.913206282.0000000009B67000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000002.00000002.689004791.000000000A1B2000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000024.00000002.913043481.000000000A367000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: 00000014.00000002.913353859.0000000009BA2000.00000004.00000001.sdmp, type: MEMORY
              Source: Yara match | File source: Process Memory Space: java.exe PID: 5908, type: MEMORY
              Source: Yara match | File source: C:\cmdlinestart.log, type: DROPPED
              Source: Java tracing | Executes: java.io.Writer.write(java.lang.String) on Obfuscation by Allatori Obfuscator v7.3 DEMO ## ## http://www.allatori.com
              Source: Java tracing | Executes: java.lang.ProcessBuilder(java.lang.String[]) on "c:\program files (x86)\java\jre1.8.0_211\bin\java.exe" -jar "c:\users\user\fedex 320002127812100.jar"
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 2_3_1537CB3E pushad ; retf 2_3_1537CB55
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 2_3_1537CB1C pushad ; retf 2_3_1537CB3D
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 9_3_15B0CAB2 pushad ; retf 9_3_15B0CAB9
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 9_3_15B0CABA push eax; retf 9_3_15B0CABD
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 9_3_15B0CB16 push eax; retf 9_3_15B0CB21
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 9_3_15B0B7E2 push E015B0B8h; iretd 9_3_15B0B7F9
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 9_3_15B0C965 pushad ; retf 9_3_15B0C9CD
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 9_3_15B4D9AF push eax; retf 9_3_15B4D9B1
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 9_3_15B46330 push cs; retn 0013h 9_3_15B46354
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 9_3_15B47B14 push es; iretd 9_3_15B47B4A
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 9_3_15B4CA6E push eax; retf 9_3_15B4CA79
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 9_3_15B4CA51 pushad ; retf 9_3_15B4CA55
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 9_3_1554CF51 push dword ptr [ebx]; ret 9_3_1554CF55
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 9_3_1554B1E2 push esi; ret 9_3_1554B1E5
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 9_3_1554403C push es; retn 0024h 9_3_1554403F
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 9_3_15544A86 push 0015AEC2h; ret 9_3_15544B6D
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Code function: 20_3_14C823CB push edi; retf 20_3_14C824D6
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Code function: 20_3_14C828CB push edi; retf 20_3_14C828D6
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Code function: 20_3_14C827CF push edi; retf 20_3_14C827D2
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Code function: 20_3_14C82DCF push edi; retf 20_3_14C82DD2
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Code function: 20_3_14C8A3CF push es; retf 20_3_14C8A3DE
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Code function: 20_3_14C8C0C3 push ds; iretd 20_3_14C8C0C6
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Code function: 20_3_14C825D8 push edi; retf 20_3_14C825DE
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Code function: 20_3_14C826DB push edi; retf 20_3_14C826DE
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Code function: 20_3_14C82DDB push edi; retf 20_3_14C82ED6
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Code function: 20_3_14C825DF push edi; retf 20_3_14C825E2
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Code function: 20_3_14C826DF push edi; retf 20_3_14C826E2
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Code function: 20_3_14C8A3DF push es; retf 20_3_14C8A3E2
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Code function: 20_3_14C826D3 push edi; retf 20_3_14C826D6
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Code function: 20_3_14C827D3 push edi; retf 20_3_14C827D6
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Code function: 20_3_14C82DD3 push edi; retf 20_3_14C82DD6
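
              The Allatori banner traced above (java.io.Writer.write of "Obfuscation by Allatori Obfuscator v7.3 DEMO ... http://www.allatori.com") and the dependency download URLs recovered from memory earlier in this report (jna, jna-platform, sqlite-jdbc, system-hook) are both string constants that can be pulled out of the JAR statically, without running it. The following is an added example, not code from the report or from the sample: it builds a small constructed JAR in memory (placeholder package and class names; fake class bodies that only mimic the constant-pool layout of a CONSTANT_Utf8 entry) and scans it for those two indicator types. The rule names, the bad-magic check and the host list are this example's own assumptions.

```python
"""Static triage of a JAR for the indicators listed in this section.

Added example, not code from the Joe Sandbox report or from the sample.
It builds a constructed JAR in memory (placeholder entries, not real
bytecode) carrying two strings the report recovered from memory, the
Allatori demo banner and a hard-coded Maven download URL, then scans it.
"""
import io
import re
import zipfile

CLASS_MAGIC = b"\xca\xfe\xba\xbe"
ALLATORI_MARKERS = (b"allatori.com", b"Allatori Obfuscator")
# In a class file a CONSTANT_Utf8 string is followed by the next constant's
# tag byte (1..20, all below 0x21), so a run of printable bytes ends exactly
# at the string boundary. Strings carved from memory dumps, as in the report
# above, carry trailing junk such as "jar10" or "crl0" instead.
URL_RE = re.compile(rb"https?://[\x21-\x7e]+")
DEPENDENCY_HOSTS = ("repo1.maven.org", "github.com")  # assumption: runtime dependency sources


def build_sample_jar() -> bytes:
    """Constructed JAR: a manifest plus two fake .class entries and one non-class file."""
    banner = b"Obfuscation by Allatori Obfuscator v7.3 DEMO ## ## http://www.allatori.com"
    url = b"https://repo1.maven.org/maven2/net/java/dev/jna/jna/5.5.0/jna-5.5.0.jar"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\r\nMain-Class: pkg.Main\r\n\r\n")
        # magic + version, then tag 0x01 + 2-byte length + bytes (a CONSTANT_Utf8 entry),
        # then a 0x07 tag for the next constant, which terminates the printable run
        for name, text in (("pkg/Main.class", banner), ("pkg/Loader.class", url)):
            body = CLASS_MAGIC + b"\x00\x00\x00\x34" + b"\x01" + len(text).to_bytes(2, "big") + text + b"\x07\x00\x02"
            zf.writestr(name, body)
        zf.writestr("pkg/data.bin", b"not a class")
    return buf.getvalue()


def scan_jar(jar_bytes: bytes) -> dict:
    """Collect Main-Class, class count, Allatori-marked classes and embedded URLs."""
    result = {"main_class": None, "class_count": 0, "bad_magic": [], "allatori": [], "urls": set()}
    with zipfile.ZipFile(io.BytesIO(jar_bytes)) as zf:
        for name in zf.namelist():
            data = zf.read(name)
            if name == "META-INF/MANIFEST.MF":
                m = re.search(rb"^Main-Class:\s*(\S+)", data, re.M)
                if m:
                    result["main_class"] = m.group(1).decode("ascii", "replace")
                continue
            if not name.endswith(".class"):
                continue
            result["class_count"] += 1
            if not data.startswith(CLASS_MAGIC):
                result["bad_magic"].append(name)
            if any(marker in data for marker in ALLATORI_MARKERS):
                result["allatori"].append(name)
            for url in URL_RE.findall(data):
                result["urls"].add(url.decode("ascii", "replace"))
    return result


def triage(result: dict) -> list:
    """Turn the raw scan into the reasons a reviewer would cite (names are this example's own)."""
    reasons = []
    if result["allatori"]:
        reasons.append("allatori-obfuscated")
    if any(host in url for url in result["urls"] for host in DEPENDENCY_HOSTS):
        reasons.append("fetches-dependencies-at-runtime")
    if result["bad_magic"]:
        reasons.append("class-entries-without-classfile-magic")
    return reasons


if __name__ == "__main__":
    scan = scan_jar(build_sample_jar())
    print(scan["main_class"], scan["allatori"], sorted(scan["urls"]), triage(scan))
```

              To run it against a real sample, pass open(path, "rb").read() to scan_jar(); the extracted URLs come out clean because a constant-pool string ends at the next tag byte, which is why the memory-carved strings in this report show suffixes such as jar10 and jar1H that the JAR itself does not contain.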

              Persistence and Installation Behavior:

              Exploit detected, runtime environment dropped PE file
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | File created: jna1092355263286758382.dll.9.dr
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | File created: C:\Users\user\AppData\Local\Temp\jna-101308983\jna8778142523633113696.dll
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | File created: C:\Users\user\AppData\Local\Temp\jna-101308983\jna1092355263286758382.dll

              Boot Survival:

              Creates autostart registry keys to launch java
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Registry value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run FedEx 320002127812100 "C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\FedEx 320002127812100.jar"
              Uses schtasks.exe or at.exe to add and modify task schedules
              Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\user\AppData\Roaming\FedEx 320002127812100.jar'
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FedEx 320002127812100.jar
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\FedEx 320002127812100.jar
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\FedEx 320002127812100.jar
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run FedEx 320002127812100
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run FedEx 320002127812100
              Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M

              Malware Analysis System Evasion:

              Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
              Source: C:\Windows\SysWOW64\wbem\WMIC.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT VolumeSerialNumber FROM win32_logicaldisk
              Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
              Source: java.exe, 00000002.00000002.694518042.0000000015500000.00000002.00000001.sdmp, java.exe, 00000009.00000002.705709987.0000000015700000.00000002.00000001.sdmp, java.exe, 0000000D.00000002.918738649.00000000150A0000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
              Source: java.exe, 00000002.00000002.682138363.0000000002AE0000.00000004.00000001.sdmp, java.exe, 00000009.00000002.701641846.0000000002CD0000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.910816554.0000000002690000.00000004.00000001.sdmp Binary or memory string: ,java/lang/VirtualMachineError
              Source: java.exe, 00000002.00000002.682138363.0000000002AE0000.00000004.00000001.sdmp, java.exe, 00000009.00000002.701641846.0000000002CD0000.00000004.00000001.sdmp, java.exe, 0000000D.00000002.910816554.0000000002690000.00000004.00000001.sdmp Binary or memory string: |[Ljava/lang/VirtualMachineError;
              Source: java.exe, 00000002.00000002.694518042.0000000015500000.00000002.00000001.sdmp, java.exe, 00000009.00000002.705709987.0000000015700000.00000002.00000001.sdmp, java.exe, 0000000D.00000002.918738649.00000000150A0000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
              Source: java.exe, 00000002.00000002.694518042.0000000015500000.00000002.00000001.sdmp, java.exe, 00000009.00000002.705709987.0000000015700000.00000002.00000001.sdmp, java.exe, 0000000D.00000002.918738649.00000000150A0000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
              Source: java.exe, 00000002.00000002.694518042.0000000015500000.00000002.00000001.sdmp, java.exe, 00000009.00000002.705709987.0000000015700000.00000002.00000001.sdmp, java.exe, 0000000D.00000002.918738649.00000000150A0000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.