Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe | Process created: C:\Windows\System32\reg.exe |
Source: global traffic | TCP traffic: 192.168.1.16:49190 -> 81.171.7.178:4040 |
Source: unknown | DNS query: name: vvrhhhnaijyj6s2m.onion.top |
Source: unknown | DNS query: name: blockholder.duckdns.org |
Source: Joe Sandbox View | IP Address: 207.250.29.221 |
Source: Joe Sandbox View | ASN Name: FNIS-FidelityNationalInformationServicesIncUS |
Source: Joe Sandbox View | ASN Name: LEASEWEB-NLNetherlandsNL |
Source: unknown | DNS traffic detected: queries for: vvrhhhnaijyj6s2m.onion.top |
Source: java.exe | String found in binary or memory: https://vvrhhhnaijyj6s2m.onion.top/storage/cryptOutput/0.62515200 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49189 |
Source: unknown | Network traffic detected: HTTP traffic on port 49188 -> 443 |
Source: unknown | Network traffic detected: HTTP traffic on port 443 -> 49188 |
Source: unknown | Network traffic detected: HTTP traffic on port 49189 -> 443 |
Source: C:\Windows\System32\reg.exe | Registry value created or modified: HKEY_USERS\Software\Microsoft\Windows\CurrentVersion\Run J14bfe7e2dc5:U6c756b657461796c6f72_s "C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe" -jar "C:\Users\user\.6520706727662484494.jar" |
Source: Java tracing | Java Jar sets suspicious JVM global properties: javax.script.AbstractScriptEngine.eval(java.lang.String) on java.lang.System.setProperty("q.main-class","qua.enterprise.qontroller.q4slave.q4local.SlaveMain"); |
Source: Java tracing | Java Jar sets suspicious JVM global properties: javax.script.AbstractScriptEngine.eval(java.lang.String) on java.lang.System.setProperty("q.encryptedPathsPath","/com/indene/impressive/JarvisLungan"); |
Source: C:\Windows\explorer.exe | Directory queried: C:\Users\user\Documents |
Source: Java tracing | Executes: javax.script.AbstractScriptEngine.eval(java.lang.String) on com.tryptogen.redfin.Outcaste.yezCheck=com.indene.DecayPray.getNodiPacs().getDeclaredMethod("defineClass", com.indene.De |
Source: Java tracing | Executes: java.lang.ProcessBuilder(java.lang.String[]) on c:\program files\java\jre1.8.0_40\bin\java.exe -jar c:\users\user\.6520706727662484494.jar |
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe | File read: C:\Windows\System32\drivers\etc\hosts |
Source: unknown | Process created: C:\Windows\System32\reg.exe reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v J14bfe7e2dc5:U6c756b657461796c6f72_s /t REG_SZ /d '\'C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe\' -jar \'C:\Users\user\.6520706727662484494.jar\'' |
Source: classification engine | Classification label: mal68.expl.troj.winJAR@9/4@8/3 |
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-312302014-279660585-3511680526-1004\83aa4cc77f591dfc2374580bbd95f6ba_041d84af-7e76-450d-8340-55db3c73c359 |
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe | File created: C:\Users\user~1\AppData\Local\Temp\hsperfdata_user |
Source: C:\Windows\System32\cmd.exe | Section loaded: C:\Program Files\Java\jre1.8.0_40\bin\java.dll |
Source: unknown | Process created: C:\Windows\explorer.exe |
Source: C:\Windows\explorer.exe | File read: C:\Program Files\desktop.ini |
Source: C:\Windows\System32\cmd.exe | Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers |
Source: unknown | Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Program Files\Java\jre1.8.0_40\bin\java.exe' -javaagent:'C:\Users\user~1\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\payment.jar'' >> C:\cmdlinestart.log 2>&1 |
Source: unknown | Process created: C:\Program Files\Java\jre1.8.0_40\bin\java.exe 'C:\Program Files\Java\jre1.8.0_40\bin\java.exe' -javaagent:'C:\Users\user~1\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\payment.jar' |
Source: unknown | Process created: C:\Program Files\Java\jre1.8.0_40\bin\java.exe 'C:\Program Files\Java\jre1.8.0_40\bin\java.exe' -jar C:\Users\user\.6520706727662484494.jar |
Source: unknown | Process created: C:\Windows\System32\reg.exe reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v J14bfe7e2dc5:U6c756b657461796c6f72_s /t REG_SZ /d '\'C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe\' -jar \'C:\Users\user\.6520706727662484494.jar\'' |
Source: unknown | Process created: C:\Windows\explorer.exe explorer.exe 'C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe' -jar 'C:\Users\user\.6520706727662484494.jar' |
Source: unknown | Process created: C:\Windows\explorer.exe C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding |
Source: C:\Windows\System32\cmd.exe | Process created: C:\Program Files\Java\jre1.8.0_40\bin\java.exe 'C:\Program Files\Java\jre1.8.0_40\bin\java.exe' -javaagent:'C:\Users\user~1\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\payment.jar' |
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe | Process created: C:\Program Files\Java\jre1.8.0_40\bin\java.exe 'C:\Program Files\Java\jre1.8.0_40\bin\java.exe' -jar C:\Users\user\.6520706727662484494.jar |
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe | Process created: C:\Windows\System32\reg.exe reg add HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run /f /v J14bfe7e2dc5:U6c756b657461796c6f72_s /t REG_SZ /d '\'C:\Program Files\Java\jre1.8.0_40\bin\javaw.exe\' -jar \'C:\Users\user\.6520706727662484494.jar\'' |
Source: C:\Windows\explorer.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{1f486a52-3cb1-48fd-8f50-b8dc300d9f9d}\InProcServer32 |
Source: C:\Windows\explorer.exe | File opened: C:\Windows\system32\MsftEdit.dll |
Source: Window Recorder | Window detected: More than 3 window changes detected |
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe | File opened: C:\Program Files\Java\jre1.8.0_40\bin\msvcr100.dll |
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe | System information queried: KernelDebuggerInformation |
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe | Memory protected: page read and write and page guard |
Source: C:\Windows\explorer.exe | Window / User API: threadDelayed 492 |
Source: C:\Windows\explorer.exe TID: 3824 | Thread sleep time: -60000s >= -60000s |
Source: C:\Windows\explorer.exe TID: 3852 | Thread sleep time: -60000s >= -60000s |
Source: java.exe | Binary or memory string: %com/sun/corba/se/impl/util/SUNVMCID.classPK |
Source: java.exe | Binary or memory string: com/sun/corba/se/impl/util/SUNVMCID.classPK |
Source: java.exe | Binary or memory string: java/lang/VirtualMachineError.classPK |
Source: java.exe | Binary or memory string: org/omg/CORBA/OMGVMCID.classPK |
Source: C:\Windows\System32\cmd.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Windows\explorer.exe | Process information set: NOOPENFILEERRORBOX |
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe | Key value queried: HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Control\TimeZoneInformation DynamicDaylightTimeDisabled |
Source: C:\Program Files\Java\jre1.8.0_40\bin\java.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid |