
Windows Analysis Report
CMTNGTFESJRKMAMSPWITGCAGOVGAFQODETEHLFVAACNQUJQP.jar

Overview

General Information

Sample Name: CMTNGTFESJRKMAMSPWITGCAGOVGAFQODETEHLFVAACNQUJQP.jar
Analysis ID: 679298
MD5: 8535942f58ba61ce5ce0755d7570f22f
SHA1: fb6c95fa16c2e91f22ac4e8d73233962e645c6bd
SHA256: 308dcf6540932d062dd10a24fefd25d6660afe60dea76c9fa5612ae0f4cb4cda
Tags: jar

Detection

Score: 48
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Multi AV Scanner detection for submitted file
Sample execution stops while process was sleeping (likely an evasion)
Uses cacls to modify the permissions of files
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Uses code obfuscation techniques (call, push, ret)
Creates a process in suspended mode (likely to inject code)
Contains functionality to access loader functionality (e.g. LdrGetProcedureAddress)
Contains functionality to detect virtual machines (SLDT)
Contains functionality to query CPU information (cpuid)

Classification

  • System is w10x64
  • cmd.exe (PID: 6096 cmdline: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\CMTNGTFESJRKMAMSPWITGCAGOVGAFQODETEHLFVAACNQUJQP.jar"" >> C:\cmdlinestart.log 2>&1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • conhost.exe (PID: 3896 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • java.exe (PID: 5600 cmdline: "C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\CMTNGTFESJRKMAMSPWITGCAGOVGAFQODETEHLFVAACNQUJQP.jar" MD5: 28733BA8C383E865338638DF5196E6FE)
      • icacls.exe (PID: 1504 cmdline: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M MD5: FF0D1D4317A44C951240FAE75075D501)
        • conhost.exe (PID: 3292 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
No configs have been found
No yara matches
No Sigma rule has matched
No Snort rule has matched


AV Detection

Source: CMTNGTFESJRKMAMSPWITGCAGOVGAFQODETEHLFVAACNQUJQP.jar | Virustotal: Detection: 11%
Source: CMTNGTFESJRKMAMSPWITGCAGOVGAFQODETEHLFVAACNQUJQP.jar | ReversingLabs: Detection: 12%
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: java.exe, 00000002.00000002.256561427.0000000009DC5000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://bugreport.sun.com/bugreport/
Source: java.exe, 00000002.00000002.256626377.0000000009DD6000.00000004.00000800.00020000.00000000.sdmp | String found in binary or memory: http://java.oracle.com/
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | File created: C:\Users\user\AppData\Local\Temp\hsperfdata_user
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Section loaded: C:\Program Files (x86)\Java\jre1.8.0_211\bin\client\jvm.dll
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: classification engine | Classification label: mal48.winJAR@7/2@0/0
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\CMTNGTFESJRKMAMSPWITGCAGOVGAFQODETEHLFVAACNQUJQP.jar"" >> C:\cmdlinestart.log 2>&1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe "C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\CMTNGTFESJRKMAMSPWITGCAGOVGAFQODETEHLFVAACNQUJQP.jar"
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Windows\SysWOW64\icacls.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3292:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3896:120:WilError_01
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 2_2_026CB377 push 00000000h; mov dword ptr [esp], esp
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 2_2_026CA1CA push ecx; ret
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 2_2_026CA1DB push ecx; ret
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 2_2_026CC437 push 00000000h; mov dword ptr [esp], esp
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 2_2_026CBB27 push 00000000h; mov dword ptr [esp], esp
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 2_2_026CB907 push 00000000h; mov dword ptr [esp], esp
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 2_2_026D2D44 push eax; retf
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 2_2_02770F0D push ecx; retn 0022h
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 2_2_02769391 push cs; retf
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 2_2_02770C53 push es; iretd
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 2_2_027710A0 sldt word ptr [eax]
Source: java.exe, 00000002.00000003.243834912.0000000014CC1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: java.exe, 00000002.00000003.243834912.0000000014CC1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: &com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: java.exe, 00000002.00000002.253764910.00000000025C0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: ,java/lang/VirtualMachineError
Source: java.exe, 00000002.00000002.253764910.00000000025C0000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: |[Ljava/lang/VirtualMachineError;
Source: java.exe, 00000002.00000003.243834912.0000000014CC1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: org/omg/CORBA/OMGVMCID.classPK
Source: java.exe, 00000002.00000003.243834912.0000000014CC1000.00000004.00000800.00020000.00000000.sdmp | Binary or memory string: java/lang/VirtualMachineError.classPK
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 2_2_026C4864 LdrInitializeThunk,
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Memory protected: page read and write | page guard
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 2_2_026C0380 cpuid
MITRE ATT&CK Matrix (count of matched signatures in parentheses)

Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts
Execution: Command and Scripting Interpreter (1); Scheduled Task/Job; At (Linux); At (Windows); Cron
Persistence: Services File Permissions Weakness (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script
Privilege Escalation: Services File Permissions Weakness (1); Process Injection (11); Logon Script (Windows); Logon Script (Mac); Network Logon Script
Defense Evasion: Services File Permissions Weakness (1); Virtualization/Sandbox Evasion (1); Disable or Modify Tools (1); Process Injection (11); Obfuscated Files or Information (1)
Credential Access: OS Credential Dumping; LSASS Memory; Security Account Manager; NTDS; LSA Secrets
Discovery: Security Software Discovery (1); Virtualization/Sandbox Evasion (1); System Information Discovery (11); System Network Configuration Discovery; Remote System Discovery
Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH
Collection: Data from Local System; Data from Removable Media; Data from Network Shared Drive; Input Capture; Keylogging
Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits
Command and Control: Data Obfuscation; Junk Data; Steganography; Protocol Impersonation; Fallback Channels
Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication
Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings
Behavior Graph ID: 679298; Sample: CMTNGTFESJRKMAMSPWITGCAGOVG...; Start date: 05/08/2022; Architecture: WINDOWS; Score: 48. Signature attached to the sample: Multi AV Scanner detection for submitted file. Process chain: cmd.exe started java.exe and conhost.exe; java.exe started icacls.exe; icacls.exe started conhost.exe.

Source: CMTNGTFESJRKMAMSPWITGCAGOVGAFQODETEHLFVAACNQUJQP.jar, Detection: 11%, Scanner: Virustotal
Source: CMTNGTFESJRKMAMSPWITGCAGOVGAFQODETEHLFVAACNQUJQP.jar, Detection: 12%, Scanner: ReversingLabs, Label: ByteCode-JAVA.Downloader.BanLoad
No Antivirus matches
Source: http://bugreport.sun.com/bugreport/, Detection: 0%, Scanner: URL Reputation, Label: safe
No contacted domains info
Name: http://java.oracle.com/, Source: java.exe, 00000002.00000002.256626377.0000000009DD6000.00000004.00000800.00020000.00000000.sdmp, Malicious: false, Reputation: high
Name: http://bugreport.sun.com/bugreport/, Source: java.exe, 00000002.00000002.256561427.0000000009DC5000.00000004.00000800.00020000.00000000.sdmp, Malicious: false, Antivirus Detection: URL Reputation: safe, Reputation: unknown
No contacted IP infos
Joe Sandbox Version: 35.0.0 Citrine
Analysis ID: 679298
Start date and time: 2022-08-05 14:58:09 +02:00
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 5m 57s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: CMTNGTFESJRKMAMSPWITGCAGOVGAFQODETEHLFVAACNQUJQP.jar
Cookbook file name: defaultwindowsfilecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of analysed new started processes: 30
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • GSI enabled (Java)
  • AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal48.winJAR@7/2@0/0
EGA Information: Failed
HDC Information: Failed
HCA Information: Failed
Cookbook Comments:
  • Found application associated with file extension: .jar
  • Adjust boot time
  • Enable AMSI
  • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe, wuapihost.exe
  • Excluded IPs from analysis (whitelisted): 23.211.6.115
  • Excluded domains from analysis (whitelisted): www.bing.com, ris.api.iris.microsoft.com, e12564.dspb.akamaiedge.net, fs.microsoft.com, login.live.com, store-images.s-microsoft.com, sls.update.microsoft.com, ctldl.windowsupdate.com, store-images.s-microsoft.com-c.edgekey.net, displaycatalog.mp.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com
  • Execution Graph export aborted for target java.exe, PID 5600 because it is empty
  • Not all processes were analyzed; the report is missing behavior information
  • Report size getting too big, too many NtSetInformationFile calls found
No simulations
No context
Process: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 57
Entropy (8bit): 4.959654268360928
Encrypted: false
SSDEEP: 3:oFj4I5vpN6yUcLGy:oJ5X6y3Gy
MD5: 50FFACE018E954E57A3064FA5AC815F0
SHA1: BCB770C81414E9167EC1A5996AB3E5242C243625
SHA-256: 761F173922CEBB30E27C0DDE3653E47FBD51D88E64BB7380A0CB42E79719E097
SHA-512: ACA8BCA1BA7E31A6117DC2E302EFD4365151DF46976C76327C98A10083B423C4571568C5A8536EA782E90D2EDD68ED55ACEDC842FEFD3395A23B7A191F48AB89
Malicious: false
Reputation: low
Preview: C:\Program Files (x86)\Java\jre1.8.0_211..1659736753234..

Process: C:\Windows\SysWOW64\cmd.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 571
Entropy (8bit): 5.384684975508595
Encrypted: false
SSDEEP: 12:FqCsixTF+jtQi9rOR+KZuT/Ji8aZaZEUXqZy:FnfkSiqZgCCEUXqZy
MD5: D1A720409E5451F184E38240DFA59AFA
SHA1: 73E1D324B9C28F94BB2E8923EE62F744A7B3B34F
SHA-256: 087D7A6DED2BD3CF265A308AB442F44547B16B2B5D6CF6C51050FDD41E0BFD95
SHA-512: 336290A2577ACA129F69B1855B775EBA159850B01C240462877E031C757EEFAD1D761C795D77395C3A3B34CF211188035A7258F04E6B2D34998155E30E632BF5
Malicious: false
Reputation: low
Preview: gdcqsztapnkzjdjszyfedn..ndqhrhihkyda..ggtaqtvnojcl..Exception in thread "main" java.io.FileNotFoundException: C:\Users\user\Desktop\CMTNGTFESJRKMAMSPWITGCAGOVGAFQODETEHLFVAACNQUJQP.jar;C:\Users\user\AppData\Local\Temp\jartracer.jar (The filename, directory name, or volume label syntax is incorrect)...at java.io.FileInputStream.open0(Native Method)...at java.io.FileInputStream.open(Unknown Source)...at java.io.FileInputStream.<init>(Unknown Source)...at java.io.FileInputStream.<init>(Unknown Source)...at h.O14KCE1B0Hl1(Unknown Source)...at i.main(Unknown Source)..
File type: Zip archive data, at least v2.0 to extract
Entropy (8bit): 7.998158113500637
TrID:
  • Java Archive (13504/1) 62.80%
  • ZIP compressed archive (8000/1) 37.20%
File name: CMTNGTFESJRKMAMSPWITGCAGOVGAFQODETEHLFVAACNQUJQP.jar
File size: 189561
MD5: 8535942f58ba61ce5ce0755d7570f22f
SHA1: fb6c95fa16c2e91f22ac4e8d73233962e645c6bd
SHA256: 308dcf6540932d062dd10a24fefd25d6660afe60dea76c9fa5612ae0f4cb4cda
SHA512: 9ac96be4ae70460ee80918598584d88e765173b5f143eb094c0f66c5d4a942370c45ff60599aedcee38fbf15901a0e198f11057821bf2b8907c4a9a9387e10c9
SSDEEP: 3072:CFysmYDJzvFDX7kwZcOPgDffPJpVww1CtoVZQzDeQ15vChXbn24RmTzIBTjIg:lsdJzdksPgDf3jVpCtoj6DeQ112XjEoD
TLSH: 7004133C51562C0AC0FA51F69924CAFBEFEE083BE45758B12FF715CEA4416839F6124A
File Content Preview: PK........pO.UJ..1s...........META-INF/MANIFEST.MF.M..LK-...K-*....R0.3..r.C.q,HL.HU...%...,x..s...u..K2..........].J.v.=.x#.C.$.K.......T..........y..\...y.`#..2y..PK.........N.U..L.....Iw......h.class..gtk.u&..xU~...$..$..yd.9Xj..s...s..n/1. .... .&....
Icon Hash: d28c8e8ea2868ad6
No network behavior found

Target ID: 0
Start time: 14:59:09
Start date: 05/08/2022
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\CMTNGTFESJRKMAMSPWITGCAGOVGAFQODETEHLFVAACNQUJQP.jar"" >> C:\cmdlinestart.log 2>&1
Imagebase: 0xc20000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 1
Start time: 14:59:09
Start date: 05/08/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7c9170000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 2
Start time: 14:59:10
Start date: 05/08/2022
Path: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
Wow64 process (32bit): true
Commandline: "C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\CMTNGTFESJRKMAMSPWITGCAGOVGAFQODETEHLFVAACNQUJQP.jar"
Imagebase: 0x320000
File size: 192376 bytes
MD5 hash: 28733BA8C383E865338638DF5196E6FE
Has elevated privileges: true
Has administrator privileges: true
Programmed in: Java
Reputation: high

Target ID: 3
Start time: 14:59:13
Start date: 05/08/2022
Path: C:\Windows\SysWOW64\icacls.exe
Wow64 process (32bit): true
Commandline: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Imagebase: 0x280000
File size: 29696 bytes
MD5 hash: FF0D1D4317A44C951240FAE75075D501
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

Target ID: 4
Start time: 14:59:14
Start date: 05/08/2022
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff7c9170000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language
Reputation: high

No disassembly