Summary | ZeroBOX

Category	Machine	Started	Completed
FILE	s1_win7_x6402	Dec. 14, 2023, 10:13 a.m.	Dec. 14, 2023, 10:15 a.m.

Size	323.9KB
Type	Composite Document File V2 Document, Little Endian, Os: Windows, Version 6.0, MSI Installer, Code page: 1252, Title: Installation Database, Subject: Microsoft Software Update for Web Folders (English) 14, Author: Microsoft Corporation, Keywords: Installer, MSI, Database, Release, Comments: This Installer database contains the logic and data required to install Microsoft Software Update for Web Folders (English) 14., Template: Intel;1033, Revision Number: {D09D1C77-A5D3-48C0-B530-C9C18BAF2545}, Create Time/Date: Tue Mar 30 17:26:02 2010, Last Saved Time/Date: Tue Mar 30 17:26:02 2010, Number of Pages: 200, Number of Words: 2, Name of Creating Application: Windows Installer XML (3.0.5419.0), Security: 2
MD5	`c2cfe1bc4cc6ec14cd510cd4ac40d6f5`
SHA256	`a4568e582c1aefd53d5e23a8cf09d5d7ed8af4af1ffebe75dbf8f743df5ad11b`
CRC32	`124F9B7D`
ssdeep	`6144:01kCix3B0FqADA5QDjkeVJDtgslBlYOz1hPkoVsdVhacijUU:06CkA05QDIeVttgOBRzLZydV7gz`
Yara	Microsoft_Office_File_Zero - Microsoft Office File Antivirus - Contains references to security software

java.exe "C:\Program Files (x86)\Java\jre1.8.0_131\bin\java.exe" -jar C:\Users\test22\AppData\Local\Temp\ORDER-2320884.jar
3044
- java.exe "C:\Program Files (x86)\Java\jre1.8.0_131\bin\java.exe" -jar "C:\Users\test22\ORDER-2320884.jar"
  292
  - cmd.exe cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\ORDER-2320884.jar"
    1688
    - schtasks.exe schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\ORDER-2320884.jar"
      664
  - java.exe "C:\Program Files (x86)\Java\jre1.8.0_131\bin\java.exe" -jar "C:\Users\test22\AppData\Roaming\ORDER-2320884.jar"
    1628

Name	Response	Post-Analysis Lookup
objects.githubusercontent.com	A 185.199.109.133 A 185.199.111.133 A 185.199.110.133 A 185.199.108.133	185.199.108.133
repo1.maven.org	A 151.101.196.209 CNAME dualstack.sonatype.map.fastly.net	199.232.196.209
jinvestments.duckdns.org	A 103.47.144.44	103.47.144.44
github.com	A 20.200.245.247	20.200.245.247

IP Address	Status	Action
103.47.144.44	Active	Moloch
151.101.196.209	Active	Moloch
164.124.101.2	Active	Moloch
185.199.109.133	Active	Moloch
20.200.245.247	Active	Moloch

Suricata Alerts

Flow	SID	Signature	Category
UDP 192.168.56.102:53778 -> 164.124.101.2:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.102:53778 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity
UDP 192.168.56.102:51405 -> 164.124.101.2:53	2042936	ET INFO DYNAMIC_DNS Query to a *.duckdns .org Domain	Potentially Bad Traffic
UDP 192.168.56.102:51405 -> 164.124.101.2:53	2022918	ET INFO DYNAMIC_DNS Query to *.duckdns. Domain	Misc activity

Suricata TLS

Flow	Issuer	Subject	Fingerprint
TLS 1.2 192.168.56.102:49163 151.101.196.209:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Atlas R3 DV TLS CA 2023 Q1	CN=repo1.maven.org	94:bc:2a:d0:1a:cf:41:94:d4:9a:de:44:ab:b4:42:39:8a:f6:bf:f3
TLS 1.2 192.168.56.102:49166 185.199.109.133:443	C=US, O=DigiCert Inc, CN=DigiCert TLS RSA SHA256 2020 CA1	C=US, ST=California, L=San Francisco, O=GitHub, Inc., CN=*.github.io	a1:46:14:c7:2a:1d:52:79:f6:aa:2b:b2:c5:0a:3b:d3:f5:02:06:75
TLS 1.2 192.168.56.102:49165 151.101.196.209:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Atlas R3 DV TLS CA 2023 Q1	CN=repo1.maven.org	94:bc:2a:d0:1a:cf:41:94:d4:9a:de:44:ab:b4:42:39:8a:f6:bf:f3
TLS 1.2 192.168.56.102:49162 20.200.245.247:443	C=US, O=DigiCert Inc, CN=DigiCert TLS Hybrid ECC SHA384 2020 CA1	C=US, ST=California, L=San Francisco, O=GitHub, Inc., CN=github.com	a3:b5:9e:5f:e8:84:ee:1f:34:d9:8e:ef:85:8e:3f:b6:62:ac:10:4a
TLS 1.2 192.168.56.102:49164 151.101.196.209:443	C=BE, O=GlobalSign nv-sa, CN=GlobalSign Atlas R3 DV TLS CA 2023 Q1	CN=repo1.maven.org	94:bc:2a:d0:1a:cf:41:94:d4:9a:de:44:ab:b4:42:39:8a:f6:bf:f3

Queries for the computername (1 event)

Time & API	Arguments	Status	Return	Repeated
GetComputerNameW Dec. 14, 2023, 10:13 a.m.	computer_name: TEST22-PC	1	1	0

Command line console output was observed (13 events)

Time & API	Arguments	Status	Return
WriteConsoleA Dec. 14, 2023, 10:13 a.m.	buffer: ################################################ # # # ## # # ## ### ### ## ### # # # # # # # # # # # # # # # # ### # # ### # # # ## # # # # # ### ### # # # ### # # ### # # # # Obfuscation by Allatori Obfuscator v8.4 DEMO # # # # http://www.allatori.com # # # ################################################ console_handle: 0x00000007	1	1
WriteConsoleA Dec. 14, 2023, 10:13 a.m.	buffer: Inside main method console_handle: 0x00000007	1	1
WriteConsoleA Dec. 14, 2023, 10:13 a.m.	buffer: Inside constructor console_handle: 0x00000007	1	1
WriteConsoleA Dec. 14, 2023, 10:13 a.m.	buffer: Executing else console_handle: 0x00000007	1	1
WriteConsoleA Dec. 14, 2023, 10:13 a.m.	buffer: Inside InitLib console_handle: 0x00000007	1	1
WriteConsoleA Dec. 14, 2023, 10:13 a.m.	buffer: Inside completeJob console_handle: 0x00000007	1	1
WriteConsoleA Dec. 14, 2023, 10:13 a.m.	buffer: returned false console_handle: 0x00000007	1	1
WriteConsoleA Dec. 14, 2023, 10:13 a.m.	buffer: C:\Users\test22\lib\jna-5.5.0.jar console_handle: 0x00000007	1	1
WriteConsoleA Dec. 14, 2023, 10:13 a.m.	buffer: Downloaded: https://github.com/kristian/system-hook/releases/download/3.5/system-hook-3.5.jar console_handle: 0x00000007	1	1
WriteConsoleA Dec. 14, 2023, 10:13 a.m.	buffer: Downloaded: https://repo1.maven.org/maven2/net/java/dev/jna/jna/5.5.0/jna-5.5.0.jar console_handle: 0x00000007	1	1
WriteConsoleA Dec. 14, 2023, 10:13 a.m.	buffer: Downloaded: https://repo1.maven.org/maven2/net/java/dev/jna/jna-platform/5.5.0/jna-platform-5.5.0.jar console_handle: 0x00000007	1	1
WriteConsoleA Dec. 14, 2023, 10:13 a.m.	buffer: Downloaded: https://repo1.maven.org/maven2/org/xerial/sqlite-jdbc/3.14.2.1/sqlite-jdbc-3.14.2.1.jar console_handle: 0x00000007	1	1
WriteConsoleA Dec. 14, 2023, 10:13 a.m.	buffer: Waiting for dependency console_handle: 0x00000007	1	1

Checks amount of memory in system, this can be used to detect virtual machines that have a low amount of memory available (1 event)

Time & API	Arguments	Status	Return	Repeated
GlobalMemoryStatusEx Dec. 14, 2023, 10:13 a.m.		1	1	0

One or more processes crashed (10 events)

Time & API	Arguments	Status
__exception__ Dec. 14, 2023, 10:13 a.m.	stacktrace: exception.instruction_r: 8b 06 8d b5 f8 00 00 00 c5 fe 7f 06 c5 fe 7f 7e exception.instruction: mov eax, dword ptr [esi] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x28a0202 registers.esp: 17364988 registers.edi: 1 registers.eax: 6 registers.ebp: 1948636352 registers.edx: 0 registers.ebx: 16910336 registers.esi: 0 registers.ecx: 3405691582	1
__exception__ Dec. 14, 2023, 10:13 a.m.	stacktrace: 0x28a44e0 0x28a4854 0x28a4854 0x28a4854 0x28a4854 0x28a4854 0x28a4854 0x28a4854 0x28a4854 0x28a4854 0x28a47b4 0x28a4854 0x28a4854 0x28a4854 0x28a47b4 0x28a47b4 0x28a4854 0x28a4854 0x28a4854 0x28a47b4 0x28a47b4 0x28a47b4 0x28a4854 0x28a4854 0x28a4854 0x28a4889 0x28a0697 JVM_GetThreadStateNames+0x4d395 _JVM_EnqueueOperation@20-0x6191b jvm+0x15af45 @ 0x7402af45 _JVM_FindSignal@4+0x6402e ??_7DCmdFactory@@6B@-0xa2d06 jvm+0x2213ae @ 0x740f13ae JVM_GetThreadStateNames+0x4d42e _JVM_EnqueueOperation@20-0x61882 jvm+0x15afde @ 0x7402afde JVM_GetThreadStateNames+0x4d5b6 _JVM_EnqueueOperation@20-0x616fa jvm+0x15b166 @ 0x7402b166 JVM_GetThreadStateNames+0x4d627 _JVM_EnqueueOperation@20-0x61689 jvm+0x15b1d7 @ 0x7402b1d7 jio_printf+0x9f _JVM_StartThread@8-0x11 jvm+0xff36f @ 0x73fcf36f JVM_GetThreadStateNames+0x70080 _JVM_EnqueueOperation@20-0x3ec30 jvm+0x17dc30 @ 0x7404dc30 JVM_GetThreadStateNames+0x708fa _JVM_EnqueueOperation@20-0x3e3b6 jvm+0x17e4aa @ 0x7404e4aa _JVM_FindSignal@4+0x5b46 ??_7DCmdFactory@@6B@-0x1011ee jvm+0x1c2ec6 @ 0x74092ec6 _endthreadex+0x3a _beginthreadex-0xab msvcr100+0x5c556 @ 0x742fc556 _endthreadex+0xe4 _beginthreadex-0x1 msvcr100+0x5c600 @ 0x742fc600 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: 89 0c 0d 00 00 3a 00 81 3d 88 82 25 74 00 00 00 exception.instruction: mov dword ptr [ecx + 0x3a0000], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x28ad418 registers.esp: 367194412 registers.edi: 352676864 registers.eax: 0 registers.ebp: 367194452 registers.edx: 2130279412 registers.ebx: 369779976 registers.esi: 369779968 registers.ecx: 3456	1
__exception__ Dec. 14, 2023, 10:13 a.m.	stacktrace: 0x29ee8e8 0x28a44e0 0x28a44e0 0x28a44e0 0x28a44e0 0x28a44e0 0x28a4854 0x28a4854 0x28a4854 0x29ed964 0x28a44e0 0x28a44e0 0x28a44e0 0x29ed904 0x28a4854 0x28a4854 0x28a4854 0x28a4889 0x28a0697 JVM_GetThreadStateNames+0x4d395 _JVM_EnqueueOperation@20-0x6191b jvm+0x15af45 @ 0x7402af45 _JVM_FindSignal@4+0x6402e ??_7DCmdFactory@@6B@-0xa2d06 jvm+0x2213ae @ 0x740f13ae JVM_GetThreadStateNames+0x4d42e _JVM_EnqueueOperation@20-0x61882 jvm+0x15afde @ 0x7402afde JVM_GetThreadStateNames+0x4d5b6 _JVM_EnqueueOperation@20-0x616fa jvm+0x15b166 @ 0x7402b166 JVM_GetThreadStateNames+0x4d627 _JVM_EnqueueOperation@20-0x61689 jvm+0x15b1d7 @ 0x7402b1d7 jio_printf+0x9f _JVM_StartThread@8-0x11 jvm+0xff36f @ 0x73fcf36f JVM_GetThreadStateNames+0x70080 _JVM_EnqueueOperation@20-0x3ec30 jvm+0x17dc30 @ 0x7404dc30 JVM_GetThreadStateNames+0x708fa _JVM_EnqueueOperation@20-0x3e3b6 jvm+0x17e4aa @ 0x7404e4aa _JVM_FindSignal@4+0x5b46 ??_7DCmdFactory@@6B@-0x1011ee jvm+0x1c2ec6 @ 0x74092ec6 _endthreadex+0x3a _beginthreadex-0xab msvcr100+0x5c556 @ 0x742fc556 _endthreadex+0xe4 _beginthreadex-0x1 msvcr100+0x5c600 @ 0x742fc600 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: 85 05 00 01 39 00 8b ca 89 7c 24 70 89 5c 24 74 exception.instruction: test eax, dword ptr [0x390100] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x29de80d registers.esp: 367651136 registers.edi: 1244051726 registers.eax: 7 registers.ebp: 367651548 registers.edx: 1790113702 registers.ebx: 930134755 registers.esi: 3584587008 registers.ecx: 1	1
__exception__ Dec. 14, 2023, 10:13 a.m.	stacktrace: 0x29eff78 0x28a4854 0x28a4854 0x28a4854 0x28a4889 0x28a0697 JVM_GetThreadStateNames+0x4d395 _JVM_EnqueueOperation@20-0x6191b jvm+0x15af45 @ 0x7402af45 _JVM_FindSignal@4+0x6402e ??_7DCmdFactory@@6B@-0xa2d06 jvm+0x2213ae @ 0x740f13ae JVM_GetThreadStateNames+0x4d42e _JVM_EnqueueOperation@20-0x61882 jvm+0x15afde @ 0x7402afde JVM_GetThreadStateNames+0x4d5b6 _JVM_EnqueueOperation@20-0x616fa jvm+0x15b166 @ 0x7402b166 JVM_GetThreadStateNames+0x4d627 _JVM_EnqueueOperation@20-0x61689 jvm+0x15b1d7 @ 0x7402b1d7 jio_printf+0x9f _JVM_StartThread@8-0x11 jvm+0xff36f @ 0x73fcf36f JVM_GetThreadStateNames+0x70080 _JVM_EnqueueOperation@20-0x3ec30 jvm+0x17dc30 @ 0x7404dc30 JVM_GetThreadStateNames+0x708fa _JVM_EnqueueOperation@20-0x3e3b6 jvm+0x17e4aa @ 0x7404e4aa _JVM_FindSignal@4+0x5b46 ??_7DCmdFactory@@6B@-0x1011ee jvm+0x1c2ec6 @ 0x74092ec6 _endthreadex+0x3a _beginthreadex-0xab msvcr100+0x5c556 @ 0x742fc556 _endthreadex+0xe4 _beginthreadex-0x1 msvcr100+0x5c600 @ 0x742fc600 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: 89 0c 0d 00 00 3a 00 81 3d 88 82 25 74 00 00 00 exception.instruction: mov dword ptr [ecx + 0x3a0000], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x29efd97 registers.esp: 368439592 registers.edi: 352677888 registers.eax: 368431328 registers.ebp: 368439608 registers.edx: 2130267124 registers.ebx: 0 registers.esi: 0 registers.ecx: 3584	1
__exception__ Dec. 14, 2023, 10:13 a.m.	stacktrace: 0x29ee8e8 0x28a44e0 0x28a44e0 0x28a44e0 0x28a44e0 0x28a44e0 0x28a4854 0x28a4854 0x28a4854 0x29ed964 0x28a44e0 0x28a44e0 0x28a44e0 0x29ed904 0x28a4854 0x28a4854 0x28a4854 0x28a4889 0x28a0697 JVM_GetThreadStateNames+0x4d395 _JVM_EnqueueOperation@20-0x6191b jvm+0x15af45 @ 0x7402af45 _JVM_FindSignal@4+0x6402e ??_7DCmdFactory@@6B@-0xa2d06 jvm+0x2213ae @ 0x740f13ae JVM_GetThreadStateNames+0x4d42e _JVM_EnqueueOperation@20-0x61882 jvm+0x15afde @ 0x7402afde JVM_GetThreadStateNames+0x4d5b6 _JVM_EnqueueOperation@20-0x616fa jvm+0x15b166 @ 0x7402b166 JVM_GetThreadStateNames+0x4d627 _JVM_EnqueueOperation@20-0x61689 jvm+0x15b1d7 @ 0x7402b1d7 jio_printf+0x9f _JVM_StartThread@8-0x11 jvm+0xff36f @ 0x73fcf36f JVM_GetThreadStateNames+0x70080 _JVM_EnqueueOperation@20-0x3ec30 jvm+0x17dc30 @ 0x7404dc30 JVM_GetThreadStateNames+0x708fa _JVM_EnqueueOperation@20-0x3e3b6 jvm+0x17e4aa @ 0x7404e4aa _JVM_FindSignal@4+0x5b46 ??_7DCmdFactory@@6B@-0x1011ee jvm+0x1c2ec6 @ 0x74092ec6 _endthreadex+0x3a _beginthreadex-0xab msvcr100+0x5c556 @ 0x742fc556 _endthreadex+0xe4 _beginthreadex-0x1 msvcr100+0x5c600 @ 0x742fc600 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: 85 05 00 01 39 00 8b ca 89 7c 24 70 89 5c 24 74 exception.instruction: test eax, dword ptr [0x390100] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x29de80d registers.esp: 368437648 registers.edi: 577532074 registers.eax: 6 registers.ebp: 368438060 registers.edx: 3941979934 registers.ebx: 1356222934 registers.esi: 3892288320 registers.ecx: 1	1
__exception__ Dec. 14, 2023, 10:13 a.m.	stacktrace: exception.instruction_r: 8b 06 8d b5 f8 00 00 00 c5 fe 7f 06 c5 fe 7f 7e exception.instruction: mov eax, dword ptr [esi] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x28a0202 registers.esp: 16710068 registers.edi: 1 registers.eax: 6 registers.ebp: 1947718848 registers.edx: 0 registers.ebx: 16910336 registers.esi: 0 registers.ecx: 3405691582	1
__exception__ Dec. 14, 2023, 10:13 a.m.	stacktrace: _JVM_SetVmMemoryPressure@4-0x128cd jvm+0x7273 @ 0x73df7273 _JVM_SetVmMemoryPressure@4-0x127dc jvm+0x7364 @ 0x73df7364 _JVM_GetManagementExt@4+0x932f AsyncGetCallTrace-0xb1131 jvm+0x2482f @ 0x73e1482f _JVM_FindSignal@4+0xf6c00 ??_7DCmdFactory@@6B@-0x10134 jvm+0x2b3f80 @ 0x740a3f80 _JVM_FindSignal@4+0xd16b1 ??_7DCmdFactory@@6B@-0x35683 jvm+0x28ea31 @ 0x7407ea31 _JVM_FindSignal@4+0xef44a ??_7DCmdFactory@@6B@-0x178ea jvm+0x2ac7ca @ 0x7409c7ca _JVM_FindSignal@4+0xdd796 ??_7DCmdFactory@@6B@-0x2959e jvm+0x29ab16 @ 0x7408ab16 _JVM_FindSignal@4+0xcd04f ??_7DCmdFactory@@6B@-0x39ce5 jvm+0x28a3cf @ 0x7407a3cf _JVM_FindSignal@4+0xcd3e9 ??_7DCmdFactory@@6B@-0x3994b jvm+0x28a769 @ 0x7407a769 _JVM_FindSignal@4+0xcd4ba ??_7DCmdFactory@@6B@-0x3987a jvm+0x28a83a @ 0x7407a83a _JVM_FindSignal@4+0xcd628 ??_7DCmdFactory@@6B@-0x3970c jvm+0x28a9a8 @ 0x7407a9a8 _JVM_FindSignal@4+0xcd8a2 ??_7DCmdFactory@@6B@-0x39492 jvm+0x28ac22 @ 0x7407ac22 _JVM_GetManagementExt@4+0x5519a AsyncGetCallTrace-0x652c6 jvm+0x7069a @ 0x73e6069a _JVM_GetManagementExt@4+0x5594f AsyncGetCallTrace-0x64b11 jvm+0x70e4f @ 0x73e60e4f JVM_GetThreadStateNames+0x70080 _JVM_EnqueueOperation@20-0x3ec30 jvm+0x17dc30 @ 0x73f6dc30 JVM_GetThreadStateNames+0x708fa _JVM_EnqueueOperation@20-0x3e3b6 jvm+0x17e4aa @ 0x73f6e4aa _JVM_FindSignal@4+0x5b46 ??_7DCmdFactory@@6B@-0x1011ee jvm+0x1c2ec6 @ 0x73fb2ec6 _endthreadex+0x3a _beginthreadex-0xab msvcr100+0x5c556 @ 0x746ac556 _endthreadex+0xe4 _beginthreadex-0x1 msvcr100+0x5c600 @ 0x746ac600 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: c7 04 08 01 00 00 00 5d c3 cc cc 83 3d 68 80 17 exception.instruction: mov dword ptr [eax + ecx], 1 exception.exception_code: 0xc0000005 exception.symbol: _JVM_SetVmMemoryPressure@4-0x1293b jvm+0x7205 exception.address: 0x73df7205 registers.esp: 357887540 registers.edi: 350913536 registers.eax: 128 registers.ebp: 357887540 registers.edx: 524288 registers.ebx: 351621696 registers.esi: 350913536 registers.ecx: 8650752	1
__exception__ Dec. 14, 2023, 10:13 a.m.	stacktrace: 0x29ab9b8 0x28a4854 0x28a4854 0x28a4854 0x28a4854 0x28a0697 JVM_GetThreadStateNames+0x4d395 _JVM_EnqueueOperation@20-0x6191b jvm+0x15af45 @ 0x73f4af45 _JVM_FindSignal@4+0x6402e ??_7DCmdFactory@@6B@-0xa2d06 jvm+0x2213ae @ 0x740113ae JVM_GetThreadStateNames+0x4d42e _JVM_EnqueueOperation@20-0x61882 jvm+0x15afde @ 0x73f4afde JNI_GetCreatedJavaVMs+0x6f27 JNI_CreateJavaVM-0xa4f9 jvm+0xdcb97 @ 0x73eccb97 JNI_GetCreatedJavaVMs+0xf4bf JNI_CreateJavaVM-0x1f61 jvm+0xe512f @ 0x73ed512f java+0x229e @ 0x119229e java+0xae9f @ 0x119ae9f java+0xaf29 @ 0x119af29 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: 89 0c 0d 00 00 84 00 81 3d 88 82 17 74 00 00 00 exception.instruction: mov dword ptr [ecx + 0x840000], ecx exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x29ab7d7 registers.esp: 16710216 registers.edi: 14924800 registers.eax: 16701952 registers.ebp: 16710232 registers.edx: 2130553844 registers.ebx: 0 registers.esi: 0 registers.ecx: 1920	1
__exception__ Dec. 14, 2023, 10:13 a.m.	stacktrace: exception.instruction_r: 8b 06 8d b5 f8 00 00 00 c5 fe 7f 06 c5 fe 7f 7e exception.instruction: mov eax, dword ptr [esi] exception.exception_code: 0xc0000005 exception.symbol: exception.address: 0x28a0202 registers.esp: 16513136 registers.edi: 1 registers.eax: 6 registers.ebp: 1947718848 registers.edx: 0 registers.ebx: 133120 registers.esi: 0 registers.ecx: 3405691582	1
__exception__ Dec. 14, 2023, 10:13 a.m.	stacktrace: _JVM_SetVmMemoryPressure@4-0x128cd jvm+0x7273 @ 0x73df7273 _JVM_SetVmMemoryPressure@4-0x127dc jvm+0x7364 @ 0x73df7364 _JVM_GetManagementExt@4+0x932f AsyncGetCallTrace-0xb1131 jvm+0x2482f @ 0x73e1482f _JVM_FindSignal@4+0xf6c00 ??_7DCmdFactory@@6B@-0x10134 jvm+0x2b3f80 @ 0x740a3f80 _JVM_FindSignal@4+0xd16b1 ??_7DCmdFactory@@6B@-0x35683 jvm+0x28ea31 @ 0x7407ea31 _JVM_FindSignal@4+0xef44a ??_7DCmdFactory@@6B@-0x178ea jvm+0x2ac7ca @ 0x7409c7ca _JVM_FindSignal@4+0xdd796 ??_7DCmdFactory@@6B@-0x2959e jvm+0x29ab16 @ 0x7408ab16 _JVM_FindSignal@4+0xcd04f ??_7DCmdFactory@@6B@-0x39ce5 jvm+0x28a3cf @ 0x7407a3cf _JVM_FindSignal@4+0xcd3e9 ??_7DCmdFactory@@6B@-0x3994b jvm+0x28a769 @ 0x7407a769 _JVM_FindSignal@4+0xcd4ba ??_7DCmdFactory@@6B@-0x3987a jvm+0x28a83a @ 0x7407a83a _JVM_FindSignal@4+0xcd628 ??_7DCmdFactory@@6B@-0x3970c jvm+0x28a9a8 @ 0x7407a9a8 _JVM_FindSignal@4+0xcd8a2 ??_7DCmdFactory@@6B@-0x39492 jvm+0x28ac22 @ 0x7407ac22 _JVM_GetManagementExt@4+0x5519a AsyncGetCallTrace-0x652c6 jvm+0x7069a @ 0x73e6069a _JVM_GetManagementExt@4+0x5594f AsyncGetCallTrace-0x64b11 jvm+0x70e4f @ 0x73e60e4f JVM_GetThreadStateNames+0x70080 _JVM_EnqueueOperation@20-0x3ec30 jvm+0x17dc30 @ 0x73f6dc30 JVM_GetThreadStateNames+0x708fa _JVM_EnqueueOperation@20-0x3e3b6 jvm+0x17e4aa @ 0x73f6e4aa _JVM_FindSignal@4+0x5b46 ??_7DCmdFactory@@6B@-0x1011ee jvm+0x1c2ec6 @ 0x73fb2ec6 _endthreadex+0x3a _beginthreadex-0xab msvcr100+0x5c556 @ 0x743fc556 _endthreadex+0xe4 _beginthreadex-0x1 msvcr100+0x5c600 @ 0x743fc600 BaseThreadInitThunk+0x12 VerifyConsoleIoHandle-0xb3 kernel32+0x133ca @ 0x74e833ca RtlInitializeExceptionChain+0x63 RtlAllocateActivationContextStack-0xa1 ntdll+0x39ed2 @ 0x774a9ed2 RtlInitializeExceptionChain+0x36 RtlAllocateActivationContextStack-0xce ntdll+0x39ea5 @ 0x774a9ea5 exception.instruction_r: c7 04 08 01 00 00 00 5d c3 cc cc 83 3d 68 80 17 exception.instruction: mov dword ptr [eax + ecx], 1 exception.exception_code: 0xc0000005 exception.symbol: _JVM_SetVmMemoryPressure@4-0x1293b jvm+0x7205 exception.address: 0x73df7205 registers.esp: 358674484 registers.edi: 350916608 registers.eax: 512 registers.ebp: 358674484 registers.edx: 524288 registers.ebx: 351503128 registers.esi: 350916608 registers.ecx: 4259840	1

One or more potentially interesting buffers were extracted, these generally contain injected code, configuration data, etc.

Connects to a Dynamic DNS Domain (1 event)

domain

jinvestments.duckdns.org

Allocates read-write-execute memory (usually to unpack itself) (50 out of 100 events)

Time & API	Arguments	Status
NtProtectVirtualMemory Dec. 14, 2023, 10:13 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 163840 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 10:13 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028c8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 10:13 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 10:13 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028d8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 10:13 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028e0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 10:13 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028e8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 10:13 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028f0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 10:13 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028f8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 10:13 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02900000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 10:13 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02908000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 10:13 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02910000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 10:13 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02918000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 10:13 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02920000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 10:13 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02928000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 10:13 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02930000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 10:13 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02938000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 10:13 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02940000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 10:13 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02948000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 10:13 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02950000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 10:13 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02958000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 10:13 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02960000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 10:13 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02968000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 10:13 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02970000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 10:13 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02978000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 10:13 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02980000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 10:13 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02988000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 10:13 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02990000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 10:13 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02998000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 10:13 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 10:13 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029a8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 10:13 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029b0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 10:13 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029b8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 10:13 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029c0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 10:13 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029c8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 10:13 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 10:13 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029d8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 10:13 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029e0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 10:13 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029e8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 10:13 a.m.	process_identifier: 3044 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x029f0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 10:13 a.m.	process_identifier: 292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 163840 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028a0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 10:13 a.m.	process_identifier: 292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028c8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 10:13 a.m.	process_identifier: 292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028d0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 10:13 a.m.	process_identifier: 292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028d8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 10:13 a.m.	process_identifier: 292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028e0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 10:13 a.m.	process_identifier: 292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028e8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 10:13 a.m.	process_identifier: 292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028f0000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 10:13 a.m.	process_identifier: 292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x028f8000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 10:13 a.m.	process_identifier: 292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02900000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 10:13 a.m.	process_identifier: 292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02908000 process_handle: 0xffffffff	1
NtProtectVirtualMemory Dec. 14, 2023, 10:13 a.m.	process_identifier: 292 stack_dep_bypass: 0 stack_pivoted: 0 heap_dep_bypass: 1 length: 32768 protection: 64 (PAGE_EXECUTE_READWRITE) base_address: 0x02910000 process_handle: 0xffffffff	1

Creates executable files on the filesystem (1 event)

file	C:\Users\test22\AppData\Local\Temp\jna--877171118\jna744424494011297200.dll

Creates a suspicious process (2 events)

cmdline	schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\ORDER-2320884.jar"
cmdline	cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\ORDER-2320884.jar"

Drops an executable to the user AppData folder (2 events)

file	C:\Users\test22\AppData\Local\Temp\jna--877171118\jna744424494011297200.dll
file	C:\Users\test22\AppData\Local\Temp\jna--877171118\jna4115874404283386990.dll

Checks adapter addresses which can be used to detect virtual network interfaces (1 event)

Time & API	Arguments	Status	Return	Repeated
GetAdaptersAddresses Dec. 14, 2023, 10:13 a.m.	flags: 28 family: 0	1	0	0

Uses Windows utilities for basic Windows functionality (2 events)

cmdline	schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\ORDER-2320884.jar"
cmdline	cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\ORDER-2320884.jar"

Installs itself for autorun at Windows startup (6 events)

reg_key	HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\ORDER-2320884	reg_value	"C:\Program Files (x86)\Java\jre1.8.0_131\bin\javaw.exe" -jar "C:\Users\test22\AppData\Roaming\ORDER-2320884.jar"
reg_key	HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\ORDER-2320884	reg_value	"C:\Program Files (x86)\Java\jre1.8.0_131\bin\javaw.exe" -jar "C:\Users\test22\AppData\Roaming\ORDER-2320884.jar"
file	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\ORDER-2320884.jar
file	C:\Users\test22\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ORDER-2320884.jar
cmdline	schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\ORDER-2320884.jar"
cmdline	cmd /c schtasks /create /sc minute /mo 30 /tn Skype /tr "C:\Users\test22\AppData\Roaming\ORDER-2320884.jar"

The process java.exe wrote an executable file to disk (1 event)

file	C:\Users\test22\AppData\Local\Temp\jna--877171118\jna744424494011297200.dll

File has been identified by 21 AntiVirus engines on VirusTotal as malicious (21 events)

McAfee	JAVA/Strrat.b
Avast	Java:Malware-gen [Trj]
Kaspersky	HEUR:Backdoor.Java.Generic
BitDefender	Java.Trojan.GenericGBA.31632
NANO-Antivirus	Exploit.Zip.Heuristic-java.csrvpr
MicroWorld-eScan	Java.Trojan.GenericGBA.31632
DrWeb	Java.Siggen.525
VIPRE	Java.Trojan.GenericGBA.31632
FireEye	Java.Trojan.GenericGBA.31632
Emsisoft	Java.Trojan.GenericGBA.31632 (B)
GData	Trojan.Generic.33742154
Varist	Java/Agent.R.gen!Eldorado
Arcabit	Java.Trojan.GenericGBA.D7B90 [many]
ZoneAlarm	HEUR:Backdoor.Java.Generic
Microsoft	Trojan:Script/Wacatac.B!ml
Google	Detected
ALYac	Exploit.AppendedJar.4.Gen
MAX	malware (ai score=84)
Yandex	Trojan.Etecer.bZ57dt.18
Fortinet	Java/Agent.AZAV!tr
AVG	Java:Malware-gen [Trj]

Connects to IP addresses that are no longer responding to requests (legitimate services will remain up-and-running usually) (19 events)

dead_host	192.168.56.102:49196
dead_host	192.168.56.102:49191
dead_host	192.168.56.102:49200
dead_host	192.168.56.102:49180
dead_host	192.168.56.102:49179
dead_host	192.168.56.102:49190
dead_host	192.168.56.102:49194
dead_host	192.168.56.102:49198
dead_host	192.168.56.102:49185
dead_host	192.168.56.102:49202
dead_host	192.168.56.102:49182
dead_host	192.168.56.102:49189
dead_host	192.168.56.102:49193
dead_host	192.168.56.102:49184
dead_host	192.168.56.102:49197
dead_host	103.47.144.44:44662
dead_host	192.168.56.102:49201
dead_host	192.168.56.102:49181
dead_host	192.168.56.102:49192

ORDER-2320884.jar

Process Tree Toggle all

Network Toggle all

Suricata Toggle all

Suricata Alerts

Suricata TLS

Signatures Toggle All