

Windows Analysis Report https://siasky.net/7ABRkLTFgZ48zpBZeW_J887EdSgtCgPQ0fhHk7W5YNlKaQ

Overview

General Information

Sample URL: https://siasky.net/7ABRkLTFgZ48zpBZeW_J887EdSgtCgPQ0fhHk7W5YNlKaQ
Analysis ID: 472610

Detection

STRRAT
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Yara detected STRRAT
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
System process connects to network (likely due to code injection or exploit)
Multi AV Scanner detection for domain / URL
Sigma detected: Drops script at startup location
Creates multiple autostart registry keys
Sigma detected: Suspicious Script Execution From Temp Folder
Connects to many ports of the same IP (likely port scanning)
Exploit detected, runtime environment starts unknown processes
Exploit detected, runtime environment dropped PE file
Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Yara detected AllatoriJARObfuscator
Drops script or batch files to the startup folder
Sigma detected: WScript or CScript Dropper
Uses schtasks.exe or at.exe to add and modify task schedules
Uses dynamic DNS services
Queries the volume information (name, serial number etc) of a device
Yara signature match
May sleep (evasive loops) to hinder dynamic analysis
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Uses code obfuscation techniques (call, push, ret)
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution
Detected potential crypto function
Stores files to the Windows start menu directory
Contains long sleeps (>= 3 min)
Creates a DirectInput object (often for capturing keystrokes)
AV process strings found (often used to terminate AV products)
Found inlined nop instructions (likely shell or obfuscated code)
Drops PE files
Uses cacls to modify the permissions of files
Creates a start menu entry (Start Menu\Programs\Startup)
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Creates a process in suspended mode (likely to inject code)
Found WSH timer for Javascript or VBS script (likely evasive script)

Classification

Process Tree

  • System is w10x64
  • chrome.exe (PID: 6012 cmdline: 'C:\Program Files\Google\Chrome\Application\chrome.exe' --start-maximized --enable-automation 'https://siasky.net/7ABRkLTFgZ48zpBZeW_J887EdSgtCgPQ0fhHk7W5YNlKaQ' MD5: C139654B5C1438A95B321BB01AD63EF6)
    • chrome.exe (PID: 5576 cmdline: 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1548,9197552229311162938,1930134803161598115,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1728 /prefetch:8 MD5: C139654B5C1438A95B321BB01AD63EF6)
    • chrome.exe (PID: 6528 cmdline: 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1548,9197552229311162938,1930134803161598115,131072 --lang=en-US --service-sandbox-type=none --enable-audio-service-sandbox --mojo-platform-channel-handle=5108 /prefetch:8 MD5: C139654B5C1438A95B321BB01AD63EF6)
    • unarchiver.exe (PID: 6760 cmdline: 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\Downloads\Wupos_receipts_jpg.rar' MD5: DB55139D9DD29F24AE8EA8F0E5606901)
      • 7za.exe (PID: 6984 cmdline: 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\qxxbrrak.4u0' 'C:\Users\user\Downloads\Wupos_receipts_jpg.rar' MD5: 77E556CDFDC5C592F5C46DB4127C6F4C)
        • conhost.exe (PID: 7096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 6452 cmdline: 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\qxxbrrak.4u0\Wupos_receipts_jpg.js' MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6472 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • wscript.exe (PID: 6588 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\qxxbrrak.4u0\Wupos_receipts_jpg.js' MD5: 7075DD7B9BE8807FCA93ACD86F724884)
          • wscript.exe (PID: 6592 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\StbzgazmPv.js' MD5: 7075DD7B9BE8807FCA93ACD86F724884)
          • javaw.exe (PID: 6664 cmdline: 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe' -jar 'C:\Users\user\AppData\Roaming\kneblehwpu.txt' MD5: 4BFEB2F64685DA09DEBB95FB981D4F65)
            • icacls.exe (PID: 6892 cmdline: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M MD5: FF0D1D4317A44C951240FAE75075D501)
              • conhost.exe (PID: 4456 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • java.exe (PID: 6992 cmdline: 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -jar 'C:\Users\user\kneblehwpu.txt' MD5: 28733BA8C383E865338638DF5196E6FE)
              • conhost.exe (PID: 6308 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
              • cmd.exe (PID: 6452 cmdline: cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\user\AppData\Roaming\kneblehwpu.txt' MD5: F3BDBE3BB6F734E357235F4D5898582D)
              • java.exe (PID: 3580 cmdline: 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -jar 'C:\Users\user\AppData\Roaming\kneblehwpu.txt' MD5: 28733BA8C383E865338638DF5196E6FE)
                • conhost.exe (PID: 6428 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
                • cmd.exe (PID: 1760 cmdline: cmd.exe /c 'wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list' MD5: F3BDBE3BB6F734E357235F4D5898582D)
                  • conhost.exe (PID: 7096 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
                  • WMIC.exe (PID: 6136 cmdline: wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)
                • cmd.exe (PID: 3216 cmdline: cmd.exe /c 'wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list' MD5: F3BDBE3BB6F734E357235F4D5898582D)
                  • conhost.exe (PID: 6596 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
                  • WMIC.exe (PID: 3776 cmdline: wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)
                • cmd.exe (PID: 6016 cmdline: cmd.exe /c 'wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list' MD5: F3BDBE3BB6F734E357235F4D5898582D)
                  • conhost.exe (PID: 7076 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
                  • WMIC.exe (PID: 6660 cmdline: wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)
                • cmd.exe (PID: 4824 cmdline: cmd.exe /c 'wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list' MD5: F3BDBE3BB6F734E357235F4D5898582D)
                  • conhost.exe (PID: 4908 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • conhost.exe (PID: 6800 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
        • schtasks.exe (PID: 7136 cmdline: schtasks /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\user\AppData\Roaming\kneblehwpu.txt' MD5: 15FF7D8324231381BAD48A052F85DF04)
  • wscript.exe (PID: 6924 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\StbzgazmPv.js' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • wscript.exe (PID: 4920 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\StbzgazmPv.js' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • notepad.exe (PID: 3376 cmdline: C:\Windows\system32\NOTEPAD.EXE C:\Users\user\AppData\Roaming\kneblehwpu.txt MD5: BB9A06B8F2DD9D24C77F389D7B2B58D2)
  • wscript.exe (PID: 6276 cmdline: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StbzgazmPv.js' MD5: 9A68ADD12EB50DDE7586782C3EB9FF9C)
  • notepad.exe (PID: 3436 cmdline: 'C:\Windows\system32\NOTEPAD.EXE' C:\Users\user\AppData\Roaming\kneblehwpu.txt MD5: BB9A06B8F2DD9D24C77F389D7B2B58D2)
  • notepad.exe (PID: 412 cmdline: 'C:\Windows\system32\NOTEPAD.EXE' C:\Users\user\AppData\Roaming\kneblehwpu.txt MD5: BB9A06B8F2DD9D24C77F389D7B2B58D2)
  • notepad.exe (PID: 4720 cmdline: 'C:\Windows\system32\NOTEPAD.EXE' C:\Users\user\AppData\Roaming\kneblehwpu.txt MD5: BB9A06B8F2DD9D24C77F389D7B2B58D2)
  • cleanup

Malware Configuration

No configs have been found

Yara Overview

Memory Dumps

Source: 0000000C.00000002.264462300.0000000009DA0000.00000004.00000001.sdmp
Rule: JoeSecurity_Allatori_JAR_Obfuscator
Description: Yara detected Allatori_JAR_Obfuscator
Author: Joe Security

Source: 00000015.00000002.599611163.00000254C4C99000.00000004.00000020.sdmp
Rule: webshell_asp_generic
Description: Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file
Author: Arnim Rupp
Strings:
  • 0x5206:$tagasp_classid1: 72C24DD5-D70A-438B-8A42-98424B88AFB8
  • 0x5396:$tagasp_classid1: 72C24DD5-D70A-438B-8A42-98424B88AFB8
  • 0x3096:$tagasp_classid5: 0D43FE01-F093-11CF-8940-00A0C9054228
  • 0x3226:$tagasp_classid5: 0D43FE01-F093-11CF-8940-00A0C9054228
  • 0x35ce:$asp_xml_http: Microsoft.XMLHTTP
  • 0x4544:$asp_xml_method2: POST
  • 0x3cfa:$asp_payload2: eval(
  • 0x4278:$asp_payload2: eval(
  • 0x354c:$asp_payload11: WScript.Shell
  • 0x3cae:$asp_multi_payload_one3: .run
  • 0x3ec6:$asp_multi_payload_one3: .run
  • 0x40a6:$asp_multi_payload_one3: .run
  • 0x43bc:$asp_multi_payload_one3: .run
  • 0x1f5c:$asp_always_write1: .Write
  • 0x3c72:$asp_always_write1: .Write
  • 0x3e8e:$asp_always_write1: .Write
  • 0x406c:$asp_always_write1: .Write
  • 0x4380:$asp_always_write1: .Write
  • 0x3c3a:$asp_write_way_one3: CreateTextFile
  • 0x3fd4:$asp_write_way_one3: CreateTextFile
  • 0x4348:$asp_write_way_one3: CreateTextFile

Source: 00000012.00000002.285708044.000000000A3A6000.00000004.00000001.sdmp
Rule: JoeSecurity_Allatori_JAR_Obfuscator
Description: Yara detected Allatori_JAR_Obfuscator
Author: Joe Security

Source: 0000000C.00000002.264431350.0000000009D68000.00000004.00000001.sdmp
Rule: JoeSecurity_Allatori_JAR_Obfuscator
Description: Yara detected Allatori_JAR_Obfuscator
Author: Joe Security

Source: 00000012.00000002.285434877.000000000523A000.00000004.00000001.sdmp
Rule: JoeSecurity_STRRAT
Description: Yara detected STRRAT
Author: Joe Security

Sigma Overview

System Summary:

Sigma detected: Suspicious Script Execution From Temp Folder
Source: Process started | Author: Florian Roth, Max Altgelt | Data: Command: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\qxxbrrak.4u0\Wupos_receipts_jpg.js' , CommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\qxxbrrak.4u0\Wupos_receipts_jpg.js' , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\qxxbrrak.4u0\Wupos_receipts_jpg.js', ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6452, ProcessCommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\qxxbrrak.4u0\Wupos_receipts_jpg.js' , ProcessId: 6588
Sigma detected: WScript or CScript Dropper
Source: Process started | Author: Margaritis Dimitrios (idea), Florian Roth (rule), oscd.community | Data: Command: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\qxxbrrak.4u0\Wupos_receipts_jpg.js' , CommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\qxxbrrak.4u0\Wupos_receipts_jpg.js' , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\qxxbrrak.4u0\Wupos_receipts_jpg.js', ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6452, ProcessCommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\qxxbrrak.4u0\Wupos_receipts_jpg.js' , ProcessId: 6588
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution
Source: Process started | Author: Michael Haag | Data: Command: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\qxxbrrak.4u0\Wupos_receipts_jpg.js' , CommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\qxxbrrak.4u0\Wupos_receipts_jpg.js' , CommandLine|base64offset|contains: , Image: C:\Windows\SysWOW64\wscript.exe, NewProcessName: C:\Windows\SysWOW64\wscript.exe, OriginalFileName: C:\Windows\SysWOW64\wscript.exe, ParentCommandLine: 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\qxxbrrak.4u0\Wupos_receipts_jpg.js', ParentImage: C:\Windows\SysWOW64\cmd.exe, ParentProcessId: 6452, ProcessCommandLine: 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\qxxbrrak.4u0\Wupos_receipts_jpg.js' , ProcessId: 6588

Data Obfuscation:

Sigma detected: Drops script at startup location
Source: File created | Author: Joe Security | Data: EventID: 11, Image: C:\Windows\SysWOW64\wscript.exe, ProcessId: 6592, TargetFilename: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StbzgazmPv.js

Jbx Signature Overview

AV Detection:

Multi AV Scanner detection for domain / URL
Source: javaslinns.duia.ro | Virustotal: Detection: 5%
Source: C:\Windows\SysWOW64\unarchiver.exe | File opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dll
Source: unknown | HTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.3:49739 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.3:49737 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.3:49738 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.3:49736 version: TLS 1.2
Source: unknown | HTTPS traffic detected: 185.199.110.154:443 -> 192.168.2.3:49740 version: TLS 1.2
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries
Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Directory created: C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdic
Source: C:\Windows\SysWOW64\wscript.exe | File opened: C:\Users\user
Source: C:\Windows\SysWOW64\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\SysWOW64\wscript.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\SysWOW64\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\SysWOW64\wscript.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\SysWOW64\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows

Software Vulnerabilities:

Exploit detected, runtime environment starts unknown processes
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Process created: C:\Windows\System32\conhost.exe
Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 4x nop then jmp 04E1099Bh | 4_2_04E102A8
Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 4x nop then jmp 04E1099Ah | 4_2_04E102A8

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2030358 ET TROJAN STRRAT CnC Checkin 192.168.2.3:49751 -> 144.168.231.6:7777
Connects to many ports of the same IP (likely port scanning)
Source: global traffic | TCP traffic: 79.134.225.10 ports 62104,0,1,2,4,6
Uses dynamic DNS services
Source: unknown | DNS query: name: divineconnect.ddns.net
Source: unknown | Network traffic detected: HTTP traffic on port 49708 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49706 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49705 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49740
Source: unknown | Network traffic detected: HTTP traffic on port 49704 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49740 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49708
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49706
Source: unknown | Network traffic detected: HTTP traffic on port 49716 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49739
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49705
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49716
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49738
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49704
Source: unknown | Network traffic detected: HTTP traffic on port 49736 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49737
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49736
Source: unknown | Network traffic detected: HTTP traffic on port 49737 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49738 -> 443
Source: unknown | Network traffic detected: HTTP traffic on port 49739 -> 443
Source: javaw.exe, 0000000C.00000002.264456629.0000000009D98000.00000004.00000001.sdmp, java.exe, 00000012.00000002.285701763.000000000A39F000.00000004.00000001.sdmp, java.exe, 00000012.00000002.284991807.0000000004E65000.00000004.00000001.sdmp | String found in binary or memory: http://bugreport.sun.com/bugreport/
Source: javaw.exe, 0000000C.00000002.266734963.000000000A12F000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt
Source: javaw.exe, 0000000C.00000002.264273106.0000000004C7E000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crt0K
Source: javaw.exe, 0000000C.00000002.264273106.0000000004C7E000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceEVRootCA.crtKy
Source: javaw.exe, 0000000C.00000002.266734963.000000000A12F000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceTLSHybridECCSHA2562020CA1.crt
Source: javaw.exe, 0000000C.00000002.264273106.0000000004C7E000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertHighAssuranceTLSHybridECCSHA2562020CA1.crt0
Source: javaw.exe, 0000000C.00000002.264355013.0000000004CE1000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt
Source: javaw.exe, 0000000C.00000002.264331883.0000000004CBB000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crt0
Source: javaw.exe, 0000000C.00000002.264260799.0000000004C69000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crtA0
Source: javaw.exe, 0000000C.00000002.264260799.0000000004C69000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crtE
Source: javaw.exe, 0000000C.00000002.264355013.0000000004CE1000.00000004.00000001.sdmp, javaw.exe, 0000000C.00000002.264260799.0000000004C69000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2HighAssuranceServerCA.crtS
Source: javaw.exe, 0000000C.00000002.266734963.000000000A12F000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt
Source: javaw.exe, 0000000C.00000002.265997954.000000000A074000.00000004.00000001.sdmp | String found in binary or memory: http://cacerts.digicert.com/DigiCertSHA2SecureServerCA.crt0
Source: javaw.exe, 0000000C.00000002.264662056.0000000009F24000.00000004.00000001.sdmp, java.exe, 00000012.00000002.285574634.00000000052CF000.00000004.00000001.sdmp, java.exe, 00000012.00000002.285970062.000000000A523000.00000004.00000001.sdmp | String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html
Source: javaw.exe, 0000000C.00000002.264662056.0000000009F24000.00000004.00000001.sdmp, java.exe, 00000012.00000002.285574634.00000000052CF000.00000004.00000001.sdmp | String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: javaw.exe, 0000000C.00000002.264662056.0000000009F24000.00000004.00000001.sdmp, java.exe, 00000012.00000002.285574634.00000000052CF000.00000004.00000001.sdmp, java.exe, 00000012.00000002.285970062.000000000A523000.00000004.00000001.sdmp | String found in binary or memory: http://crl.chambersign.org/chambersroot.crl
Source: javaw.exe, 0000000C.00000002.264662056.0000000009F24000.00000004.00000001.sdmp, java.exe, 00000012.00000002.285574634.00000000052CF000.00000004.00000001.sdmp | String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: javaw.exe, 0000000C.00000002.264662056.0000000009F24000.00000004.00000001.sdmp, java.exe, 00000012.00000002.285970062.000000000A523000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl
Source: javaw.exe, 0000000C.00000002.264662056.0000000009F24000.00000004.00000001.sdmp, java.exe, 00000012.00000002.285574634.00000000052CF000.00000004.00000001.sdmp | String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: javaw.exe, 0000000C.00000002.264662056.0000000009F24000.00000004.00000001.sdmp, java.exe, 00000012.00000002.285970062.000000000A523000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl
Source: javaw.exe, 0000000C.00000002.264662056.0000000009F24000.00000004.00000001.sdmp, java.exe, 00000012.00000002.285574634.00000000052CF000.00000004.00000001.sdmp | String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: javaw.exe, 0000000C.00000002.264662056.0000000009F24000.00000004.00000001.sdmp, java.exe, 00000012.00000002.285970062.000000000A523000.00000004.00000001.sdmp | String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: javaw.exe, 0000000C.00000002.264662056.0000000009F24000.00000004.00000001.sdmp, java.exe, 00000012.00000002.285574634.00000000052CF000.00000004.00000001.sdmp | String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: javaw.exe, 0000000C.00000002.264662056.0000000009F24000.00000004.00000001.sdmp, java.exe, 00000012.00000002.285970062.000000000A523000.00000004.00000001.sdmp | String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: javaw.exe, 0000000C.00000002.264662056.0000000009F24000.00000004.00000001.sdmp, java.exe, 00000012.00000002.285574634.00000000052CF000.00000004.00000001.sdmp | String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: javaw.exe, 0000000C.00000002.264273106.0000000004C7E000.00000004.00000001.sdmp, javaw.exe, 0000000C.00000002.266734963.000000000A12F000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl
Source: javaw.exe, 0000000C.00000002.265319796.000000000A024000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertGlobalRootCA.crl07
Source: javaw.exe, 0000000C.00000003.257284716.00000000154F8000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertHiM06
Source: javaw.exe, 0000000C.00000002.264273106.0000000004C7E000.00000004.00000001.sdmp, javaw.exe, 0000000C.00000002.266734963.000000000A12F000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl
Source: javaw.exe, 0000000C.00000002.264273106.0000000004C7E000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceEVRootCA.crl00
Source: javaw.exe, 0000000C.00000002.264331883.0000000004CBB000.00000004.00000001.sdmp, javaw.exe, 0000000C.00000002.266734963.000000000A12F000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceTLSHybridECCSHA2562020CA1.crl
Source: javaw.exe, 0000000C.00000002.264331883.0000000004CBB000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/DigiCertHighAssuranceTLSHybridECCSHA2562020CA1.crl0Q
Source: javaw.exe, 0000000C.00000002.264355013.0000000004CE1000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/sha2-ha-server-g6.crl
Source: javaw.exe, 0000000C.00000002.264331883.0000000004CBB000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/sha2-ha-server-g6.crl04
Source: javaw.exe, 0000000C.00000002.264355013.0000000004CE1000.00000004.00000001.sdmp, javaw.exe, 0000000C.00000002.264260799.0000000004C69000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/sha2-ha-server-g6.crl3
Source: javaw.exe, 0000000C.00000002.264260799.0000000004C69000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/sha2-ha-server-g6.crlA0
Source: javaw.exe, 0000000C.00000002.266734963.000000000A12F000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/ssca-sha2-g6.crl
Source: javaw.exe, 0000000C.00000002.265997954.000000000A074000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/ssca-sha2-g6.crl0/
Source: javaw.exe, 0000000C.00000002.264331883.0000000004CBB000.00000004.00000001.sdmp | String found in binary or memory: http://crl3.digicert.com/ssca-sha2-g6.crlk
Source: javaw.exe, 0000000C.00000002.266734963.000000000A12F000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl
Source: javaw.exe, 0000000C.00000002.265319796.000000000A024000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crl0=
Source: javaw.exe, 0000000C.00000002.264273106.0000000004C7E000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertGlobalRootCA.crlK
Source: javaw.exe, 0000000C.00000002.264355013.0000000004CE1000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl
Source: javaw.exe, 0000000C.00000002.264355013.0000000004CE1000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl%
Source: javaw.exe, 0000000C.00000002.264331883.0000000004CBB000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crl0=
Source: javaw.exe, 0000000C.00000002.264260799.0000000004C69000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crlE
Source: javaw.exe, 0000000C.00000002.264355013.0000000004CE1000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceEVRootCA.crlKu
Source: javaw.exe, 0000000C.00000002.264331883.0000000004CBB000.00000004.00000001.sdmp, javaw.exe, 0000000C.00000002.266734963.000000000A12F000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceTLSHybridECCSHA2562020CA1.crl
Source: javaw.exe, 0000000C.00000002.264273106.0000000004C7E000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/DigiCertHighAssuranceTLSHybridECCSHA2562020CA1.crl0
Source: javaw.exe, 0000000C.00000002.264355013.0000000004CE1000.00000004.00000001.sdmp, javaw.exe, 0000000C.00000002.264260799.0000000004C69000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crl
Source: javaw.exe, 0000000C.00000002.264331883.0000000004CBB000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crl0L
Source: javaw.exe, 0000000C.00000002.264355013.0000000004CE1000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crlC
Source: javaw.exe, 0000000C.00000002.264260799.0000000004C69000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crlE
Source: javaw.exe, 0000000C.00000002.264355013.0000000004CE1000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crlK
Source: javaw.exe, 0000000C.00000002.264331883.0000000004CBB000.00000004.00000001.sdmp, javaw.exe, 0000000C.00000002.266734963.000000000A12F000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/ssca-sha2-g6.crl
Source: javaw.exe, 0000000C.00000002.265997954.000000000A074000.00000004.00000001.sdmp | String found in binary or memory: http://crl4.digicert.com/ssca-sha2-g6.crl0L
Source: javaw.exe, 0000000C.00000002.264466132.0000000009DA2000.00000004.00000001.sdmp, java.exe, 00000012.00000002.285714823.000000000A3A8000.00000004.00000001.sdmp | String found in binary or memory: http://java.oracle.com/
Source: wscript.exe, 00000010.00000002.638607862.000001623A70B000.00000004.00000020.sdmp | String found in binary or memory: http://javaslinns.duia.ro/
Source: wscript.exe, 0000000B.00000002.613713768.0000000003133000.00000004.00000001.sdmp, wscript.exe, 00000010.00000002.561889732.0000005C126F1000.00000004.00000001.sdmp, wscript.exe, 00000015.00000002.599611163.00000254C4C99000.00000004.00000020.sdmp, wscript.exe, 00000015.00000002.600155035.00000254C69E6000.00000004.00000001.sdmp, wscript.exe, 00000015.00000002.600199610.00000254C6A00000.00000004.00000001.sdmp, wscript.exe, 00000023.00000002.645294735.000001C5E7590000.00000004.00000020.sdmp | String found in binary or memory: http://javaslinns.duia.ro:62104/
Source: wscript.exe, 00000015.00000002.600199610.00000254C6A00000.00000004.00000001.sdmp, wscript.exe, 00000015.00000002.599771263.00000254C4EA5000.00000004.00000040.sdmp, wscript.exe, 00000023.00000002.645294735.000001C5E7590000.00000004.00000020.sdmp, wscript.exe, 00000023.00000002.561886837.00000043EEEF1000.00000004.00000001.sdmp, wscript.exe, 00000023.00000002.661480568.000001C5E7705000.00000004.00000040.sdmp | String found in binary or memory: http://javaslinns.duia.ro:62104/Vre
Source: wscript.exe, 00000015.00000002.600236703.00000254C6AB0000.00000004.00000040.sdmp | String found in binary or memory: http://javaslinns.duia.ro:62104/Vre%
Source: wscript.exe, 00000015.00000002.600392673.00000254C7180000.00000004.00000001.sdmp | String found in binary or memory: http://javaslinns.duia.ro:62104/VreD
Source: wscript.exe, 00000023.00000002.645294735.000001C5E7590000.00000004.00000020.sdmp | String found in binary or memory: http://javaslinns.duia.ro:62104/VreJI
Source: wscript.exe, 00000015.00000002.600737229.00000254C71F8000.00000004.00000001.sdmp | String found in binary or memory: http://javaslinns.duia.ro:62104/VreM
Source: wscript.exe, 00000023.00000002.645294735.000001C5E7590000.00000004.00000020.sdmp | String found in binary or memory: http://javaslinns.duia.ro:62104/VreRI
Source: wscript.exe, 00000015.00000002.600236703.00000254C6AB0000.00000004.00000040.sdmp | String found in binary or memory: http://javaslinns.duia.ro:62104/Vreator(s);
Source: wscript.exe, 00000015.00000002.599521200.00000254C4C53000.00000004.00000020.sdmp | String found in binary or memory: http://javaslinns.duia.ro:62104/Vreoftows
Source: wscript.exe, 00000010.00000002.643507536.000001623A751000.00000004.00000020.sdmp | String found in binary or memory: http://javaslinns.duia.ro:62104/Vreoftows43EC24n
Source: wscript.exe, 00000023.00000002.645294735.000001C5E7590000.00000004.00000020.sdmp | String found in binary or memory: http://javaslinns.duia.ro:62104/Vreoftowsini
          Source: wscript.exe, 00000015.00000002.600392673.00000254C7180000.00000004.00000001.sdmpString found in binary or memory: http://javaslinns.duia.ro:62104/Vret
          Source: wscript.exe, 00000015.00000002.600392673.00000254C7180000.00000004.00000001.sdmpString found in binary or memory: http://javaslinns.duia.ro:62104/Vrey
          Source: java.exe, 00000012.00000002.285180549.0000000004FE2000.00000004.00000001.sdmpString found in binary or memory: http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5
          Source: java.exeString found in binary or memory: http://null.oracle.com/
          Source: javaw.exe, 0000000C.00000002.266734963.000000000A12F000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com
          Source: javaw.exe, 0000000C.00000002.264355013.0000000004CE1000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com#
          Source: javaw.exe, 0000000C.00000002.265319796.000000000A024000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0
          Source: javaw.exe, 0000000C.00000002.265997954.000000000A074000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0F
          Source: javaw.exe, 0000000C.00000002.264273106.0000000004C7E000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0I
          Source: javaw.exe, 0000000C.00000002.264331883.0000000004CBB000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0K
          Source: javaw.exe, 0000000C.00000002.264331883.0000000004CBB000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0M
          Source: javaw.exe, 0000000C.00000002.264331883.0000000004CBB000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0Z
          Source: javaw.exe, 0000000C.00000002.264273106.0000000004C7E000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com;
          Source: javaw.exe, 0000000C.00000002.264260799.0000000004C69000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.comA0
          Source: javaw.exe, 0000000C.00000002.264260799.0000000004C69000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.comE
          Source: javaw.exe, 0000000C.00000002.264273106.0000000004C7E000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.comks
          Source: javaw.exe, 0000000C.00000002.264662056.0000000009F24000.00000004.00000001.sdmp, java.exe, 00000012.00000002.285574634.00000000052CF000.00000004.00000001.sdmp, java.exe, 00000012.00000002.285970062.000000000A523000.00000004.00000001.sdmpString found in binary or memory: http://policy.camerfirma.com
          Source: javaw.exe, 0000000C.00000002.264662056.0000000009F24000.00000004.00000001.sdmp, java.exe, 00000012.00000002.285574634.00000000052CF000.00000004.00000001.sdmpString found in binary or memory: http://policy.camerfirma.com0
          Source: javaw.exe, 0000000C.00000002.264662056.0000000009F24000.00000004.00000001.sdmp, java.exe, 00000012.00000002.285574634.00000000052CF000.00000004.00000001.sdmp, java.exe, 00000012.00000002.285970062.000000000A523000.00000004.00000001.sdmpString found in binary or memory: http://repository.swisssign.com/
          Source: javaw.exe, 0000000C.00000002.264662056.0000000009F24000.00000004.00000001.sdmp, java.exe, 00000012.00000002.285574634.00000000052CF000.00000004.00000001.sdmpString found in binary or memory: http://repository.swisssign.com/0
          Source: java.exe, 00000012.00000002.285574634.00000000052CF000.00000004.00000001.sdmpString found in binary or memory: http://repository.swisssign.com/;Z
          Source: javaw.exe, 0000000C.00000002.264662056.0000000009F24000.00000004.00000001.sdmp, java.exe, 00000012.00000002.285574634.00000000052CF000.00000004.00000001.sdmp, java.exe, 00000012.00000002.285970062.000000000A523000.00000004.00000001.sdmpString found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl
          Source: javaw.exe, 0000000C.00000002.264662056.0000000009F24000.00000004.00000001.sdmp, java.exe, 00000012.00000002.285574634.00000000052CF000.00000004.00000001.sdmpString found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0
          Source: wscript.exe, 0000000A.00000003.238440069.0000000006A73000.00000004.00000001.sdmpString found in binary or memory: http://wshsoft.company/jre7.zip
          Source: javaw.exe, 0000000C.00000002.264462300.0000000009DA0000.00000004.00000001.sdmp, java.exe, 00000012.00000002.285708044.000000000A3A6000.00000004.00000001.sdmpString found in binary or memory: http://www.allatori.com
          Source: javaw.exe, 0000000C.00000002.266340460.000000000A0CC000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/
          Source: java.exeString found in binary or memory: http://www.apache.org/licenses/LICEN
          Source: java.exe, 00000012.00000002.288246843.00000000154A5000.00000004.00000001.sdmp, java.exe, 00000018.00000003.344475821.0000000014B84000.00000004.00000001.sdmpString found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.txt
          Source: javaw.exe, 0000000C.00000002.264662056.0000000009F24000.00000004.00000001.sdmp, java.exe, 00000012.00000002.285574634.00000000052CF000.00000004.00000001.sdmp, java.exe, 00000012.00000002.285970062.000000000A523000.00000004.00000001.sdmpString found in binary or memory: http://www.certplus.com/CRL/class2.crl
          Source: javaw.exe, 0000000C.00000002.264662056.0000000009F24000.00000004.00000001.sdmp, java.exe, 00000012.00000002.285574634.00000000052CF000.00000004.00000001.sdmpString found in binary or memory: http://www.certplus.com/CRL/class2.crl0
          Source: javaw.exe, 0000000C.00000002.264662056.0000000009F24000.00000004.00000001.sdmp, java.exe, 00000012.00000002.285574634.00000000052CF000.00000004.00000001.sdmp, java.exe, 00000012.00000002.285970062.000000000A523000.00000004.00000001.sdmpString found in binary or memory: http://www.certplus.com/CRL/class3P.crl
          Source: javaw.exe, 0000000C.00000002.264662056.0000000009F24000.00000004.00000001.sdmp, java.exe, 00000012.00000002.285574634.00000000052CF000.00000004.00000001.sdmpString found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
          Source: java.exe, 00000012.00000002.285574634.00000000052CF000.00000004.00000001.sdmpString found in binary or memory: http://www.certplus.com/CRL/class3P.crl;
          Source: javaw.exe, 0000000C.00000002.266340460.000000000A0CC000.00000004.00000001.sdmp, java.exe, 00000012.00000002.285970062.000000000A523000.00000004.00000001.sdmpString found in binary or memory: http://www.chambersign.org
          Source: javaw.exe, 0000000C.00000002.264662056.0000000009F24000.00000004.00000001.sdmp, java.exe, 00000012.00000002.285574634.00000000052CF000.00000004.00000001.sdmpString found in binary or memory: http://www.chambersign.org1
          Source: javaw.exe, 0000000C.00000002.266734963.000000000A12F000.00000004.00000001.sdmpString found in binary or memory: http://www.digicert.com/CPS
          Source: javaw.exe, 0000000C.00000002.264273106.0000000004C7E000.00000004.00000001.sdmpString found in binary or memory: http://www.digicert.com/CPS0
          Source: javaw.exe, 0000000C.00000002.264331883.0000000004CBB000.00000004.00000001.sdmpString found in binary or memory: http://www.digicert.com/CPSK
          Source: javaw.exe, 0000000C.00000002.264662056.0000000009F24000.00000004.00000001.sdmp, java.exe, 00000012.00000002.285970062.000000000A523000.00000004.00000001.sdmpString found in binary or memory: http://www.quovadis.bm
          Source: javaw.exe, 0000000C.00000002.264662056.0000000009F24000.00000004.00000001.sdmp, java.exe, 00000012.00000002.285574634.00000000052CF000.00000004.00000001.sdmpString found in binary or memory: http://www.quovadis.bm0
          Source: javaw.exe, 0000000C.00000002.264662056.0000000009F24000.00000004.00000001.sdmp, java.exe, 00000012.00000002.285574634.00000000052CF000.00000004.00000001.sdmp, java.exe, 00000012.00000002.285970062.000000000A523000.00000004.00000001.sdmpString found in binary or memory: http://www.quovadisglobal.com/cps
          Source: javaw.exe, 0000000C.00000002.264662056.0000000009F24000.00000004.00000001.sdmp, java.exe, 00000012.00000002.285574634.00000000052CF000.00000004.00000001.sdmpString found in binary or memory: http://www.quovadisglobal.com/cps0
          Source: javaw.exe, 0000000C.00000002.266547372.000000000A107000.00000004.00000001.sdmpString found in binary or memory: https://api.github.com/_private/browser/errors
          Source: javaw.exe, 0000000C.00000002.266547372.000000000A107000.00000004.00000001.sdmp, javaw.exe, 0000000C.00000002.265997954.000000000A074000.00000004.00000001.sdmp, javaw.exe, 0000000C.00000002.264311764.0000000004CAC000.00000004.00000001.sdmpString found in binary or memory: https://github-releases.githubusercontent.com/51361554/623ef000-9da4-11e9-9ea2-d90155318994?X-Amz-Al
          Source: javaw.exe, 0000000C.00000002.264420850.0000000009D50000.00000004.00000001.sdmp, javaw.exe, 0000000C.00000002.264431350.0000000009D68000.00000004.00000001.sdmp, java.exe, 00000012.00000002.285640037.000000000A350000.00000004.00000001.sdmpString found in binary or memory: https://github.com/kristian/system-hook/releases/download/3.5/system-hook-3.5.jar
          Source: wscript.exe, 00000015.00000002.600737229.00000254C71F8000.00000004.00000001.sdmpString found in binary or memory: https://login.live.comBB
          Source: javaw.exe, 0000000C.00000002.264662056.0000000009F24000.00000004.00000001.sdmp, java.exe, 00000012.00000002.285574634.00000000052CF000.00000004.00000001.sdmp, java.exe, 00000012.00000002.285970062.000000000A523000.00000004.00000001.sdmpString found in binary or memory: https://ocsp.quovadisoffshore.com
          Source: javaw.exe, 0000000C.00000002.264662056.0000000009F24000.00000004.00000001.sdmp, java.exe, 00000012.00000002.285574634.00000000052CF000.00000004.00000001.sdmpString found in binary or memory: https://ocsp.quovadisoffshore.com0
          Source: java.exe, 00000012.00000002.285574634.00000000052CF000.00000004.00000001.sdmpString found in binary or memory: https://ocsp.quovadisoffshore.comS
          Source: javaw.exe, 0000000C.00000002.264420850.0000000009D50000.00000004.00000001.sdmp, java.exe, 00000012.00000002.285640037.000000000A350000.00000004.00000001.sdmpString found in binary or memory: https://repo1.maven.org/maven2/net/java/dev/jna/jna-platform/5.5.0/jna-platform-5.5.0.jar
          Source: javaw.exe, 0000000C.00000002.264420850.0000000009D50000.00000004.00000001.sdmp, java.exe, 00000012.00000002.285640037.000000000A350000.00000004.00000001.sdmpString found in binary or memory: https://repo1.maven.org/maven2/net/java/dev/jna/jna/5.5.0/jna-5.5.0.jar
          Source: javaw.exe, 0000000C.00000002.263682741.0000000004810000.00000004.00000001.sdmp, javaw.exe, 0000000C.00000002.264420850.0000000009D50000.00000004.00000001.sdmp, java.exe, 00000012.00000002.285640037.000000000A350000.00000004.00000001.sdmpString found in binary or memory: https://repo1.maven.org/maven2/org/xerial/sqlite-jdbc/3.14.2.1/sqlite-jdbc-3.14.2.1.jar
          Source: messages.json83.1.drString found in binary or memory: https://support.google.com/chromecast/answer/2998456
          Source: messages.json83.1.drString found in binary or memory: https://support.google.com/chromecast/troubleshooter/2995236
          Source: javaw.exe, 0000000C.00000002.266734963.000000000A12F000.00000004.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPS
          Source: javaw.exe, 0000000C.00000002.264331883.0000000004CBB000.00000004.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPS#
          Source: javaw.exe, 0000000C.00000002.265997954.000000000A074000.00000004.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPS0
          Source: javaw.exe, 0000000C.00000002.264355013.0000000004CE1000.00000004.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPS;
          Source: javaw.exe, 0000000C.00000002.264260799.0000000004C69000.00000004.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPSA0
          Source: javaw.exe, 0000000C.00000002.264260799.0000000004C69000.00000004.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPSE
          Source: javaw.exe, 0000000C.00000002.264260799.0000000004C69000.00000004.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPSk
          Source: javaw.exe, 0000000C.00000002.264355013.0000000004CE1000.00000004.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPSka
          Source: javaw.exe, 0000000C.00000002.264273106.0000000004C7E000.00000004.00000001.sdmpString found in binary or memory: https://www.digicert.com/CPSs
          Source: unknownDNS traffic detected: queries for: accounts.google.com
          Source: unknownHTTPS traffic detected: 140.82.121.4:443 -> 192.168.2.3:49739 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.3:49737 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.3:49738 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 199.232.192.209:443 -> 192.168.2.3:49736 version: TLS 1.2
          Source: unknownHTTPS traffic detected: 185.199.110.154:443 -> 192.168.2.3:49740 version: TLS 1.2
          Source: unarchiver.exe, 00000004.00000002.250103469.0000000000CBB000.00000004.00000020.sdmpBinary or memory string: <HOOK MODULE="DDRAW.DLL" FUNCTION="DirectDrawCreateEx"/>
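The memory-string hits above are dominated by certificate-store URLs that any JRE process carries (DigiCert CRL/OCSP/CPS, QuoVadis, Camerfirma, SwissSign, Certplus) and by the library downloads the dropper performs at runtime (JNA, sqlite-jdbc, system-hook). What actually matters for blocking and hunting is a handful of lines: the dynamic-DNS name on port 62104, the check-in URL on jbfrost.live that carries a host id, and the jre7.zip download. The following Python is an added example, not part of the Joe Sandbox report: it parses lines in the layout above, normalises host and port (including the stray bytes a string scan glues onto a host, such as "ocsp.digicert.com0"), separates the JRE noise from the rest and flags what stands out. The sample lines are copied from the report; the CA, vendor and dynamic-DNS suffix lists are illustrative assumptions to replace with your own allowlists and intel.

```python
"""Triage of URL strings recovered from process memory in a sandbox report.

Added example, not part of the Joe Sandbox output above. It parses lines of
the form "Source: <process>, <dump id> ... String found in binary or memory:
<url>", pulls out host and port, and separates the noise every JRE process
carries (certificate-store CRL/OCSP/CPS strings, the library downloads the
dropper performs) from the hosts that merit blocking and hunting.
"""
import re
from urllib.parse import urlsplit

# Constructed sample: lines copied from the report above in the raw export's
# layout (the cell boundary before "String found" is fused). LINE_RE also
# accepts a "Source: ... | String found ..." layout.
SAMPLE_LINES = [
    "Source: javaw.exe, 0000000C.00000002.264331883.0000000004CBB000.00000004.00000001.sdmpString found in binary or memory: http://crl4.digicert.com/sha2-ha-server-g6.crl0L",
    "Source: javaw.exe, 0000000C.00000002.265319796.000000000A024000.00000004.00000001.sdmpString found in binary or memory: http://ocsp.digicert.com0",
    "Source: wscript.exe, 00000010.00000002.638607862.000001623A70B000.00000004.00000020.sdmpString found in binary or memory: http://javaslinns.duia.ro/",
    "Source: wscript.exe, 00000015.00000002.600199610.00000254C6A00000.00000004.00000001.sdmpString found in binary or memory: http://javaslinns.duia.ro:62104/Vre",
    "Source: java.exe, 00000012.00000002.285180549.0000000004FE2000.00000004.00000001.sdmpString found in binary or memory: http://jbfrost.live/strigoi/server/?hwid=1&lid=m&ht=5",
    "Source: java.exeString found in binary or memory: http://null.oracle.com/",
    "Source: wscript.exe, 0000000A.00000003.238440069.0000000006A73000.00000004.00000001.sdmpString found in binary or memory: http://wshsoft.company/jre7.zip",
    "Source: javaw.exe, 0000000C.00000002.264420850.0000000009D50000.00000004.00000001.sdmpString found in binary or memory: https://repo1.maven.org/maven2/net/java/dev/jna/jna/5.5.0/jna-5.5.0.jar",
    "Source: javaw.exe, 0000000C.00000002.264662056.0000000009F24000.00000004.00000001.sdmp, java.exe, 00000012.00000002.285574634.00000000052CF000.00000004.00000001.sdmpString found in binary or memory: http://www.quovadis.bm0",
    "Source: unknownDNS traffic detected: queries for: accounts.google.com",
]

# "proc" is the first process (or dropped file) listed as holding the string.
LINE_RE = re.compile(
    r"^Source:\s*(?P<proc>.+?)(?=,|\s*\||String found)"
    r".*?String found in binary or memory:\s*(?P<url>https?://\S+)"
)

# Assumed allowlists, all taken from hosts seen in this report. Certificate
# authorities the JRE trust store references, and the vendor/library hosts the
# dropper fetches dependencies from; maintain your own lists in practice.
CA_SUFFIXES = ("digicert.com", "camerfirma.com", "swisssign.com", "certificat2.com",
               "certplus.com", "chambersign.org", "quovadis.bm", "quovadisglobal.com",
               "quovadisoffshore.com")
VENDOR_SUFFIXES = ("repo1.maven.org", "github.com", "githubusercontent.com",
                   "apache.org", "oracle.com", "allatori.com")
# Illustrative dynamic-DNS parent domains (assumption); extend from your own intel.
DYNDNS_SUFFIXES = ("duia.ro", "duckdns.org", "no-ip.org", "ddns.net")


def clean_host(raw):
    """Strip the trailing bytes a memory string scan often glues onto a host.

    A public TLD is alphabetic, so trailing digits or punctuation on the last
    label ("ocsp.digicert.com0", "www.quovadis.bm0") are residue and are cut.
    Alphabetic residue ("login.live.comBB") cannot be told apart from a real
    TLD without a suffix list, so it is left for the analyst to dedupe by eye.
    """
    host = raw.lower()
    labels = host.split(".")
    m = re.match(r"[a-z]+", labels[-1])
    labels[-1] = m.group(0) if m else labels[-1]
    return ".".join(labels)


def host_port(url):
    """(host, port) for a URL, defaulting the port from the scheme."""
    parts = urlsplit(url)
    try:
        port = parts.port
    except ValueError:  # garbage where a port should be
        port = None
    if port is None:
        port = 443 if parts.scheme == "https" else 80
    return clean_host(parts.hostname or ""), port


def matches(host, suffixes):
    return any(host == s or host.endswith("." + s) for s in suffixes)


def triage(lines):
    """Return (ca_hosts, vendor_hosts, candidates).

    candidates maps (host, port) to the processes whose memory held the string
    and the flags that make the entry stand out for a human reviewer.
    """
    ca_hosts, vendor_hosts, candidates = set(), set(), {}
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # DNS/HTTPS rows and anything else without a URL
        url = m.group("url")
        host, port = host_port(url)
        if not host:
            continue
        if matches(host, CA_SUFFIXES):
            ca_hosts.add(host)
        elif matches(host, VENDOR_SUFFIXES):
            vendor_hosts.add(host)
        else:
            entry = candidates.setdefault((host, port), {"processes": set(), "flags": set()})
            entry["processes"].add(m.group("proc"))
            if port not in (80, 443):
                entry["flags"].add("non-standard port")
            if matches(host, DYNDNS_SUFFIXES):
                entry["flags"].add("dynamic DNS")
            if "hwid=" in url:
                entry["flags"].add("host id in query string")
            if urlsplit(url).path.lower().endswith((".zip", ".jar")):
                entry["flags"].add("archive download")
    return ca_hosts, vendor_hosts, candidates


if __name__ == "__main__":
    ca, vendor, cands = triage(SAMPLE_LINES)
    print("CA noise:", sorted(ca))
    print("vendor/library:", sorted(vendor))
    for (host, port), info in sorted(cands.items()):
        print(f"{host}:{port}  held by {sorted(info['processes'])}  flags {sorted(info['flags'])}")
```

Run over the sample, the three DigiCert/QuoVadis hosts and the two Oracle/Maven hosts fall out as noise and four entries remain: javaslinns.duia.ro on 80 and on 62104 (dynamic DNS, non-standard port, held by wscript.exe), jbfrost.live (host id in the query string, held by java.exe) and wshsoft.company (archive download). Those four are the network indicators to block; the CA and library hosts are not, and blocking repo1.maven.org would only tell you that the JAR failed to fetch JNA.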

          System Summary:

          Source: 00000015.00000002.599611163.00000254C4C99000.00000004.00000020.sdmp, type: MEMORY | Matched rule: webshell_asp_generic date = 2021/03/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75
          Source: Process Memory Space: wscript.exe PID: 6924, type: MEMORYSTR | Matched rule: webshell_asp_generic date = 2021/03/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75
          Source: Process Memory Space: wscript.exe PID: 6276, type: MEMORYSTR | Matched rule: webshell_asp_generic date = 2021/03/07, author = Arnim Rupp, description = Generic ASP webshell which uses any eval/exec function indirectly on user input or writes a file, license = Detection Rule License 1.1 https://github.com/Neo23x0/signature-base/blob/master/LICENSE, score = a8c63c418609c1c291b3e731ca85ded4b3e0fba83f3489c21a3199173b176a75
          Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 4_2_04E102A8
          Source: C:\Windows\SysWOW64\unarchiver.exe | Code function: 4_2_04E10299
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 18_3_15543157
          Source: C:\Windows\SysWOW64\unarchiver.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
          Source: unknown | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --start-maximized --enable-automation 'https://siasky.net/7ABRkLTFgZ48zpBZeW_J887EdSgtCgPQ0fhHk7W5YNlKaQ'
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1548,9197552229311162938,1930134803161598115,131072 --lang=en-US --service-sandbox-type=network --enable-audio-service-sandbox --mojo-platform-channel-handle=1728 /prefetch:8
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Program Files\Google\Chrome\Application\chrome.exe 'C:\Program Files\Google\Chrome\Application\chrome.exe' --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1548,9197552229311162938,1930134803161598115,131072 --lang=en-US --service-sandbox-type=none --enable-audio-service-sandbox --mojo-platform-channel-handle=5108 /prefetch:8
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Windows\SysWOW64\unarchiver.exe 'C:\Windows\SysWOW64\unarchiver.exe' 'C:\Users\user\Downloads\Wupos_receipts_jpg.rar'
          Source: C:\Windows\SysWOW64\unarchiver.exe | Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\qxxbrrak.4u0' 'C:\Users\user\Downloads\Wupos_receipts_jpg.rar'
          Source: C:\Windows\SysWOW64\7za.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\unarchiver.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\qxxbrrak.4u0\Wupos_receipts_jpg.js'
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\qxxbrrak.4u0\Wupos_receipts_jpg.js'
          Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\StbzgazmPv.js'
          Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe' -jar 'C:\Users\user\AppData\Roaming\kneblehwpu.txt'
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M
          Source: C:\Windows\SysWOW64\icacls.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\StbzgazmPv.js'
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -jar 'C:\Users\user\kneblehwpu.txt'
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\StbzgazmPv.js'
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -jar 'C:\Users\user\AppData\Roaming\kneblehwpu.txt'
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\user\AppData\Roaming\kneblehwpu.txt'
          Source: unknown | Process created: C:\Windows\System32\notepad.exe C:\Windows\system32\NOTEPAD.EXE C:\Users\user\AppData\Roaming\kneblehwpu.txt
          Source: unknown | Process created: C:\Windows\System32\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StbzgazmPv.js'
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c 'wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list'
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
          Source: unknown | Process created: C:\Windows\System32\notepad.exe 'C:\Windows\system32\NOTEPAD.EXE' C:\Users\user\AppData\Roaming\kneblehwpu.txt
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c 'wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list'
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c 'wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list'
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c 'wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list'
          Source: unknown | Process created: C:\Windows\System32\notepad.exe 'C:\Windows\system32\NOTEPAD.EXE' C:\Users\user\AppData\Roaming\kneblehwpu.txt
          Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: unknown | Process created: C:\Windows\System32\notepad.exe 'C:\Windows\system32\NOTEPAD.EXE' C:\Users\user\AppData\Roaming\kneblehwpu.txt
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: unknown unknown
          Source: C:\Program Files\Google\Chrome\Application\chrome.exe | Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\qxxbrrak.4u0' 'C:\Users\user\Downloads\Wupos_receipts_jpg.rar'
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\user\AppData\Roaming\kneblehwpu.txt'
          Source: C:\Windows\SysWOW64\wscript.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32Jump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Local\Google\Chrome\User Data\BrowserMetrics\BrowserMetrics-6128F4C7-177C.pmaJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Users\user\AppData\Local\Temp\4a11edb7-eeed-47c0-a888-dddfe863bb09.tmpJump to behavior
          Source: classification engineClassification label: mal100.troj.expl.evad.win@85/243@14/13
          Source: C:\Windows\SysWOW64\cmd.exeFile read: C:\Users\user\Desktop\desktop.iniJump to behavior
          Source: C:\Windows\SysWOW64\unarchiver.exeSection loaded: C:\Windows\assembly\NativeImages_v2.0.50727_32\mscorlib\9603718106bd57ecfbb18fefd769cab4\mscorlib.ni.dllJump to behavior
          Source: C:\Windows\SysWOW64\unarchiver.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sorttbls.nlpJump to behavior
          Source: C:\Windows\SysWOW64\unarchiver.exeSection loaded: C:\Windows\assembly\GAC_32\mscorlib\2.0.0.0__b77a5c561934e089\sortkey.nlpJump to behavior
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6596:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7096:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7076:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6472:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6308:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6800:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4456:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6428:120:WilError_01
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeFile created: C:\Program Files\Google\Chrome\Application\DictionariesJump to behavior
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeSection loaded: C:\Program Files (x86)\Java\jre1.8.0_211\bin\client\jvm.dllJump to behavior
          Source: javaw.exeString found in binary or memory: 9 Lsun/misc/Launcher$BootClassPathHolder$1
          Source: java.exeString found in binary or memory: K/addSuccessor
          Source: java.exeString found in binary or memory: ~.in-addr.arpa
          Source: java.exeString found in binary or memory: X/addPropertyChangeListener
          Source: java.exeString found in binary or memory: L.in-addr.arpa
          Source: C:\Windows\SysWOW64\wscript.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\SysWOW64\wscript.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeFile read: C:\Windows\System32\drivers\etc\hostsJump to behavior
          Source: C:\Windows\System32\wscript.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\System32\wscript.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\System32\wscript.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\System32\wscript.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\System32\wscript.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Windows\System32\wscript.exeFile read: C:\Windows\System32\drivers\etc\hosts
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeFile opened: C:\Program Files (x86)\Java\jre1.8.0_211\lib\i386\jvm.cfgJump to behavior
          Source: C:\Windows\SysWOW64\unarchiver.exeFile opened: C:\Windows\WinSxS\x86_microsoft.vc80.crt_1fc8b3b9a1e18e3b_8.0.50727.9445_none_d08c58b4442ba54f\MSVCR80.dllJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeDirectory created: C:\Program Files\Google\Chrome\Application\DictionariesJump to behavior
          Source: C:\Program Files\Google\Chrome\Application\chrome.exeDirectory created: C:\Program Files\Google\Chrome\Application\Dictionaries\en-US-9-0.bdicJump to behavior

          Data Obfuscation:

          barindex
          Yara detected AllatoriJARObfuscatorShow sources
          Source: Yara matchFile source: 0000000C.00000002.264462300.0000000009DA0000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000012.00000002.285708044.000000000A3A6000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000C.00000002.264431350.0000000009D68000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: 00000012.00000002.285662578.000000000A368000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: javaw.exe PID: 6664, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: java.exe PID: 6992, type: MEMORYSTR
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeCode function: 12_3_14CFE8D3 pushfd ; iretd 12_3_14CFE8DE
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeCode function: 12_3_14D0304F push esi; iretd 12_3_14D03062
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeCode function: 12_3_14CFC1FC push 3014CFC2h; ret 12_3_14CFC201
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeCode function: 12_3_14CFFD85 push edi; iretd 12_3_14CFFD86
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeCode function: 12_3_14D031B1 push ebp; iretd 12_3_14D031BA
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeCode function: 12_3_14D031BB push ebp; iretd 12_3_14D031C2
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeCode function: 12_3_14D03147 push ebp; iretd 12_3_14D0318A
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeCode function: 12_3_14CFFD53 push ebp; iretd 12_3_14CFFD56
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeCode function: 12_3_14CFFD63 push ebp; iretd 12_3_14CFFD66
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeCode function: 12_3_14D03520 push edx; iretd 12_3_14D0352A
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeCode function: 12_3_14CFF6DF push edx; iretd 12_3_14CFF6EA
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeCode function: 12_3_14CFF6D3 push edx; iretd 12_3_14CFF6D6
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeCode function: 12_3_14CFDE8B push 691814CFh; iretd 12_3_14CFDEFA
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeCode function: 12_3_14D02E21 push edi; iretd 12_3_14D02E22
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeCode function: 12_3_14D033E7 push ebx; iretd 12_3_14D033EA
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeCode function: 12_3_14D033EB push ebx; iretd 12_3_14D033F2
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeCode function: 12_3_14D0378F push eax; iretd 12_3_14D0379A
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeCode function: 12_3_14D02F44 push esi; iretd 12_3_14D0302A
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeCode function: 12_3_14D0331C push ebx; iretd 12_3_14D033BA
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeCode function: 12_3_14D00B08 push 3014CFC2h; ret 12_3_14D00B0D
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeCode function: 12_3_14D0372D push eax; iretd 12_3_14D0376A
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exeCode function: 18_3_154AB82D push ds; retf 18_3_154AB82E
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exeCode function: 24_3_14BBCB28 push eax; retf 24_3_14BBCB2D

Persistence and Installation Behavior:

Exploit detected, runtime environment dropped PE file
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | File created: jna451039507687099056.dll.18.dr
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | File created: C:\Users\user\AppData\Local\Temp\jna-99048687\jna451039507687099056.dll
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | File created: C:\Users\user\AppData\Local\Temp\jna-99048687\jna5379228857879502981.dll

Boot Survival:

Creates multiple autostart registry keys
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run kneblehwpu
Source: C:\Windows\System32\wscript.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run SEJOKAOI5S
Drops script or batch files to the startup folder
Source: C:\Windows\SysWOW64\wscript.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StbzgazmPv.js
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StbzgazmPv.js
Source: C:\Windows\System32\wscript.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StbzgazmPv.js
Uses schtasks.exe or at.exe to add and modify task schedules
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\user\AppData\Roaming\kneblehwpu.txt'
Source: C:\Windows\SysWOW64\wscript.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StbzgazmPv.js
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\kneblehwpu.txt
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | File created: C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\kneblehwpu.txt
Source: C:\Windows\SysWOW64\wscript.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\StbzgazmPv.js
Source: C:\Windows\SysWOW64\wscript.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run SEJOKAOI5S
Source: C:\Windows\SysWOW64\wscript.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run SEJOKAOI5S
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run kneblehwpu
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run kneblehwpu
Source: C:\Windows\System32\wscript.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run SEJOKAOI5S
Source: C:\Windows\System32\wscript.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run SEJOKAOI5S
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M
Source: C:\Windows\SysWOW64\cmd.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Source: C:\Windows\SysWOW64\unarchiver.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\unarchiver.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\System32\wscript.exe | Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
Source: C:\Windows\SysWOW64\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : win32_logicaldisk
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : win32_logicaldisk
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : win32_logicaldisk
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\cimv2 : win32_logicaldisk
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT VolumeSerialNumber FROM win32_logicaldisk
Source: C:\Windows\SysWOW64\unarchiver.exe TID: 6968 | Thread sleep time: -922337203685477s >= -30000s
Source: C:\Windows\SysWOW64\unarchiver.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\System32\wscript.exe | Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\unarchiver.exe | Thread delayed: delay time: 922337203685477
Source: C:\Windows\SysWOW64\wscript.exe | File opened: C:\Users\user
Source: C:\Windows\SysWOW64\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft
Source: C:\Windows\SysWOW64\wscript.exe | File opened: C:\Users\user\AppData
Source: C:\Windows\SysWOW64\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\desktop.ini
Source: C:\Windows\SysWOW64\wscript.exe | File opened: C:\Users\user\AppData\Roaming
Source: C:\Windows\SysWOW64\wscript.exe | File opened: C:\Users\user\AppData\Roaming\Microsoft\Windows
Source: wscript.exe, 00000015.00000002.600392673.00000254C7180000.00000004.00000001.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\=
Source: java.exe, 00000018.00000003.286438063.0000000014A60000.00000004.00000001.sdmp | Binary or memory string: com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: java.exe, 00000018.00000003.286438063.0000000014A60000.00000004.00000001.sdmp | Binary or memory string: &com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: javaw.exe, 0000000C.00000002.263391390.00000000024F0000.00000004.00000001.sdmp, java.exe, 00000012.00000002.284641443.0000000002C60000.00000004.00000001.sdmp, java.exe, 00000018.00000002.645712357.0000000000DD0000.00000004.00000001.sdmp | Binary or memory string: ,java/lang/VirtualMachineError
Source: javaw.exe, 0000000C.00000002.263391390.00000000024F0000.00000004.00000001.sdmp, java.exe, 00000012.00000002.284641443.0000000002C60000.00000004.00000001.sdmp, java.exe, 00000018.00000002.645712357.0000000000DD0000.00000004.00000001.sdmp | Binary or memory string: |[Ljava/lang/VirtualMachineError;
Source: java.exe, 00000018.00000003.286438063.0000000014A60000.00000004.00000001.sdmp | Binary or memory string: org/omg/CORBA/OMGVMCID.classPK
Source: wscript.exe, 00000015.00000002.600844648.00000254C7223000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW
Source: java.exe, 00000018.00000003.286438063.0000000014A60000.00000004.00000001.sdmp | Binary or memory string: java/lang/VirtualMachineError.classPK
Source: java.exe, 00000012.00000002.284564500.000000000137B000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll{{6O
Source: wscript.exe, 00000015.00000002.600392673.00000254C7180000.00000004.00000001.sdmp | Binary or memory string: Hyper-V RAW@
Source: javaw.exe, 0000000C.00000002.263283212.0000000000AF8000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll!
Source: wscript.exe, 00000015.00000002.600392673.00000254C7180000.00000004.00000001.sdmp | Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: java.exe, 00000018.00000002.622813344.00000000006CB000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllww
Source: C:\Windows\SysWOW64\unarchiver.exe | Memory allocated: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

System process connects to network (likely due to code injection or exploit)
Source: C:\Windows\System32\wscript.exe | Domain query: javaslinns.duia.ro
Source: C:\Windows\System32\wscript.exe | Network Connect: 79.134.225.10 152
Source: C:\Windows\SysWOW64\unarchiver.exe | Process created: C:\Windows\SysWOW64\7za.exe 'C:\Windows\System32\7za.exe' x -pinfected -y -o'C:\Users\user\AppData\Local\Temp\qxxbrrak.4u0' 'C:\Users\user\Downloads\Wupos_receipts_jpg.rar'
Source: C:\Windows\SysWOW64\unarchiver.exe | Process created: C:\Windows\SysWOW64\cmd.exe 'cmd.exe' /C 'C:\Users\user\AppData\Local\Temp\qxxbrrak.4u0\Wupos_receipts_jpg.js'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Local\Temp\qxxbrrak.4u0\Wupos_receipts_jpg.js'
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\wscript.exe 'C:\Windows\System32\WScript.exe' 'C:\Users\user\AppData\Roaming\StbzgazmPv.js'
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe' -jar 'C:\Users\user\AppData\Roaming\kneblehwpu.txt'
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -jar 'C:\Users\user\kneblehwpu.txt'
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\user\AppData\Roaming\kneblehwpu.txt'
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -jar 'C:\Users\user\AppData\Roaming\kneblehwpu.txt'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\schtasks.exe schtasks /create /sc minute /mo 30 /tn Skype /tr 'C:\Users\user\AppData\Roaming\kneblehwpu.txt'
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c 'wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list'
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c 'wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list'
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c 'wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list'
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c 'wmic /node:localhost /namespace:'\\root\securitycenter2' path antivirusproduct get displayname /format:list'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /node:. /namespace:'\\root\cimv2' path win32_logicaldisk get volumeserialnumber /format:list
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get caption,OSArchitecture /format:list
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic /node:. /namespace:'\\root\cimv2' path win32_operatingsystem get version /format:list
Source: C:\Windows\SysWOW64\cmd.exe | Queries volume information: C:\ VolumeInformation
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Queries volume information: C:\Users\user\7777lock.file VolumeInformation
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Queries volume information: C:\Users\user\7777lock.file VolumeInformation
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Queries volume information: C:\Users\user\7777lock.file VolumeInformation
Source: C:\Windows\System32\notepad.exe | Queries volume information: C:\Users\user\AppData\Roaming\kneblehwpu.txt VolumeInformation
Source: C:\Windows\System32\notepad.exe | Queries volume information: C:\Users\user\AppData\Roaming\kneblehwpu.txt VolumeInformation
Source: C:\Windows\SysWOW64\unarchiver.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: C:\Windows\SysWOW64\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\SysWOW64\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\SysWOW64\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\SysWOW64\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\SysWOW64\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\SysWOW64\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\SysWOW64\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\SysWOW64\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\SysWOW64\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\SysWOW64\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\SysWOW64\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\SysWOW64\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\SysWOW64\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter : AntiVirusProduct
Source: C:\Windows\System32\wscript.exe | WMI Queries: IWbemServices::CreateInstanceEnum - root\securitycenter2 : AntiVirusProduct
Source: wscript.exe, 00000015.00000002.600392673.00000254C7180000.00000004.00000001.sdmp | Binary or memory string: r\MsMpeng.exe
Source: wscript.exe, 00000010.00000002.625214256.000001623A6B8000.00000004.00000020.sdmp, wscript.exe, 00000015.00000002.600844648.00000254C7223000.00000004.00000001.sdmp | Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe

          Stealing of Sensitive Information:

          Yara detected STRRAT
          Source: Yara match, File source: 00000012.00000002.285434877.000000000523A000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000012.00000002.285180549.0000000004FE2000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: Process Memory Space: java.exe PID: 6992, type: MEMORYSTR

          Remote Access Functionality:

          Yara detected STRRAT
          Source: Yara match, File source: 00000012.00000002.285434877.000000000523A000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: 00000012.00000002.285180549.0000000004FE2000.00000004.00000001.sdmp, type: MEMORY
          Source: Yara match, File source: Process Memory Space: java.exe PID: 6992, type: MEMORYSTR

          Mitre Att&ck Matrix

          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | Windows Management Instrumentation 11 | Startup Items 1 | Startup Items 1 | Masquerading 3 | Input Capture 1 | Query Registry 1 | Remote Services | Input Capture 1 | Exfiltration Over Other Network Medium | Encrypted Channel 12 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | Command and Scripting Interpreter 2 | Scheduled Task/Job 1 | Process Injection 111 | Disable or Modify Tools 1 | LSASS Memory | Security Software Discovery 121 | Remote Desktop Protocol | Archive Collected Data 1 | Exfiltration Over Bluetooth | Non-Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | Scheduled Task/Job 1 | Registry Run Keys / Startup Folder 121 | Scheduled Task/Job 1 | Virtualization/Sandbox Evasion 21 | Security Account Manager | Virtualization/Sandbox Evasion 21 | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Application Layer Protocol 12 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | Scripting 11 | Services File Permissions Weakness 1 | Registry Run Keys / Startup Folder 121 | Process Injection 111 | NTDS | Remote System Discovery 1 | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap | Carrier Billing Fraud |
          Cloud Accounts | Exploitation for Client Execution 2 | Network Logon Script | Services File Permissions Weakness 1 | Scripting 11 | LSA Secrets | File and Directory Discovery 2 | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication | Manipulate App Store Rankings or Ratings |
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | Obfuscated Files or Information 2 | Cached Domain Credentials | System Information Discovery 12 | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service | Abuse Accessibility Features |
          External Remote Services | Scheduled Task | Startup Items | Startup Items | Services File Permissions Weakness 1 | DCSync | Network Sniffing | Windows Remote Management | Web Portal Capture | Exfiltration Over Alternative Protocol | Commonly Used Port | Rogue Wi-Fi Access Points | Data Encrypted for Impact |

          Behavior Graph

          Behavior Graph ID: 472610
          URL: https://siasky.net/7ABRkLTF...
          Startdate: 27/08/2021
          Architecture: WINDOWS
          Score: 100
          Signatures (whole analysis): Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Multi AV Scanner detection for domain / URL; Yara detected STRRAT; 8 other signatures
          DNS/IP (whole analysis): ip-api.com

          Process tree (numbers after a process name are carried over from the graph as shown):

          chrome.exe 17 411
              DNS/IP: 192.168.2.1 unknown unknown; 192.168.2.23 unknown unknown; 239.255.255.250 unknown Reserved
              unarchiver.exe 5
                  cmd.exe 2 2
                      Signature: Uses schtasks.exe or at.exe to add and modify task schedules
                      wscript.exe 3
                          Signatures: Drops script or batch files to the startup folder; Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
                          javaw.exe 28
                              DNS/IP: github.com 140.82.121.4, 443, 49739 GITHUBUS United States; github-releases.githubusercontent.com 185.199.110.154, 443, 49740 FASTLYUS Netherlands; 2 other IPs or domains
                              java.exe
                                  Dropped: C:\Users\user\AppData\...\kneblehwpu.txt, Zip; C:\Users\user\...\jna451039507687099056.dll, PE32
                                  Signature: Creates multiple autostart registry keys
                                  java.exe
                                      DNS/IP: divineconnect.ddns.net 144.168.231.6, 49751, 7777 SERVER-MANIACA Canada; str-master.pw
                                      Dropped: C:\Users\user\...\jna5379228857879502981.dll, PE32
                                      cmd.exe
                                          WMIC.exe
                                              Signature: Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
                                          conhost.exe
                                      cmd.exe
                                          conhost.exe
                                          WMIC.exe
                                      cmd.exe
                                          conhost.exe
                                          WMIC.exe
                                      2 other processes
                                          conhost.exe
                                  conhost.exe
                                  cmd.exe
                              icacls.exe
                                  conhost.exe
                          wscript.exe 2 13
                              DNS/IP: javaslinns.duia.ro 79.134.225.10, 49731, 49743, 49745 FINK-TELECOM-SERVICESCH Switzerland
                      conhost.exe
                      conhost.exe
                      schtasks.exe
                  7za.exe 2
                      Dropped: C:\Users\user\...\Wupos_receipts_jpg.js, ASCII
                      conhost.exe
              chrome.exe 18
                  DNS/IP: siasky.net 95.214.54.64, 443, 49706, 49708 PL-SKYTECH-ASPL Poland; accounts.google.com 142.250.181.237, 443, 49704 GOOGLEUS United States; 5 other IPs or domains
              chrome.exe 2 1
          wscript.exe
              DNS/IP: javaslinns.duia.ro
              Signatures: System process connects to network (likely due to code injection or exploit); Drops script or batch files to the startup folder; Queries sensitive service information (via WMI, Win32_LogicalDisk, often done to detect sandboxes)
          wscript.exe
              DNS/IP: javaslinns.duia.ro
              Signature: Creates multiple autostart registry keys
          5 other processes
              DNS/IP: javaslinns.duia.ro
              Dropped: C:\Users\user\AppData\...\StbzgazmPv.js, ASCII

          Screenshots
