File name: 11.1.jar
Full analysis: https://app.any.run/tasks/f49d869e-91ae-4c39-ba63-59bc24b5a8e9
Verdict: Malicious activity
Analysis date: February 25, 2020, 13:00:45
OS: Windows 7 Professional Service Pack 1 (build: 7601, 32 bit)
Indicators:
MIME: application/java-archive
File info: Java archive data (JAR)
MD5: 5505EC151916D81CE0B065926DFE8005
SHA1: FFC51A2A73F0C230856BCA0BE0E3675652EF3E92
SHA256: 63D05D8545F0604EC104DFF8E07F889D1A15CCFEF10A3C65B1A7C73DF02FF8EA
SSDEEP: 6144:FQu7BUkU8Xwat1+OIiYid4yaqM4z5li2NXocOKU95SNWpw8OFHVZfWAoynHv+Edb:ZtrUmzt1ZI3mq4zPi2BRUCWpwzF1Eynl

ANY.RUN is an interactive service which provides full access to the guest system. Information in this report could be distorted by user actions and is provided for user acknowledgement as it is. ANY.RUN does not guarantee maliciousness or safety of the content.
  • MALICIOUS

    • Loads dropped or rewritten executable

      • javaw.exe (PID: 3368)
      • explorer.exe (PID: 372)
      • svchost.exe (PID: 796)
      • SearchProtocolHost.exe (PID: 3548)
    • Changes the autorun value in the registry

      • javaw.exe (PID: 3368)
    • Changes Image File Execution Options

      • reg.exe (PID: 3052)
      • reg.exe (PID: 1712)
      • reg.exe (PID: 2592)
      • reg.exe (PID: 3424)
      • reg.exe (PID: 2540)
      • reg.exe (PID: 576)
      • reg.exe (PID: 2580)
      • reg.exe (PID: 3528)
      • reg.exe (PID: 3316)
      • reg.exe (PID: 3332)
    • Application was dropped or rewritten from another process

      • javaw.exe (PID: 3368)
    • Disables Windows Defender

      • reg.exe (PID: 1836)
      • reg.exe (PID: 3848)
      • reg.exe (PID: 4040)
      • reg.exe (PID: 4068)
    • Runs app for hidden code execution

      • javaw.exe (PID: 3368)
  • SUSPICIOUS

    • Uses WMIC.EXE to obtain a list of AntiViruses

      • cmd.exe (PID: 2876)
    • Executes JAVA applets

      • explorer.exe (PID: 372)
    • Uses REG.EXE to modify Windows registry

      • cmd.exe (PID: 3220)
      • cmd.exe (PID: 3556)
      • cmd.exe (PID: 2824)
      • cmd.exe (PID: 2828)
      • cmd.exe (PID: 3044)
      • cmd.exe (PID: 3740)
      • cmd.exe (PID: 4052)
      • javaw.exe (PID: 3368)
      • cmd.exe (PID: 1352)
      • cmd.exe (PID: 3804)
      • cmd.exe (PID: 1348)
      • cmd.exe (PID: 3744)
      • cmd.exe (PID: 3872)
      • cmd.exe (PID: 3304)
      • cmd.exe (PID: 4080)
      • cmd.exe (PID: 4036)
      • cmd.exe (PID: 2660)
      • cmd.exe (PID: 3852)
      • cmd.exe (PID: 2500)
      • cmd.exe (PID: 1944)
      • cmd.exe (PID: 3588)
      • cmd.exe (PID: 1876)
      • cmd.exe (PID: 2132)
      • cmd.exe (PID: 3356)
      • cmd.exe (PID: 1888)
      • cmd.exe (PID: 2432)
      • cmd.exe (PID: 2064)
      • cmd.exe (PID: 3832)
      • cmd.exe (PID: 2740)
      • cmd.exe (PID: 2560)
      • cmd.exe (PID: 2856)
      • cmd.exe (PID: 1500)
      • cmd.exe (PID: 2424)
      • cmd.exe (PID: 1084)
      • cmd.exe (PID: 3428)
      • cmd.exe (PID: 576)
      • cmd.exe (PID: 3576)
      • cmd.exe (PID: 3472)
      • cmd.exe (PID: 4008)
      • cmd.exe (PID: 3104)
      • cmd.exe (PID: 3144)
      • cmd.exe (PID: 1136)
      • cmd.exe (PID: 3200)
      • cmd.exe (PID: 3720)
      • cmd.exe (PID: 3816)
      • cmd.exe (PID: 3284)
      • cmd.exe (PID: 2488)
      • cmd.exe (PID: 3272)
      • cmd.exe (PID: 2128)
      • cmd.exe (PID: 3296)
      • cmd.exe (PID: 3876)
      • cmd.exe (PID: 3248)
      • cmd.exe (PID: 3608)
      • cmd.exe (PID: 1740)
      • cmd.exe (PID: 3992)
      • cmd.exe (PID: 2956)
      • cmd.exe (PID: 540)
      • cmd.exe (PID: 3820)
      • cmd.exe (PID: 3484)
      • cmd.exe (PID: 2636)
      • cmd.exe (PID: 2892)
      • cmd.exe (PID: 3100)
      • cmd.exe (PID: 564)
      • cmd.exe (PID: 2056)
      • cmd.exe (PID: 3292)
      • cmd.exe (PID: 1688)
      • cmd.exe (PID: 3968)
      • cmd.exe (PID: 2072)
      • cmd.exe (PID: 2720)
      • cmd.exe (PID: 3452)
      • cmd.exe (PID: 3088)
      • cmd.exe (PID: 3840)
      • cmd.exe (PID: 3008)
      • cmd.exe (PID: 2288)
      • cmd.exe (PID: 3264)
      • cmd.exe (PID: 2772)
      • cmd.exe (PID: 3732)
      • cmd.exe (PID: 1156)
      • cmd.exe (PID: 1024)
      • cmd.exe (PID: 2732)
      • cmd.exe (PID: 2340)
      • cmd.exe (PID: 2688)
      • cmd.exe (PID: 3452)
      • cmd.exe (PID: 2724)
      • cmd.exe (PID: 3488)
      • cmd.exe (PID: 3344)
      • cmd.exe (PID: 4020)
      • cmd.exe (PID: 340)
      • cmd.exe (PID: 2436)
      • cmd.exe (PID: 2576)
      • cmd.exe (PID: 952)
      • cmd.exe (PID: 3992)
      • cmd.exe (PID: 1536)
      • cmd.exe (PID: 3924)
      • cmd.exe (PID: 3360)
      • cmd.exe (PID: 1912)
      • cmd.exe (PID: 2796)
      • cmd.exe (PID: 2436)
      • cmd.exe (PID: 3068)
      • cmd.exe (PID: 3312)
      • cmd.exe (PID: 2756)
      • cmd.exe (PID: 3040)
      • cmd.exe (PID: 2572)
      • cmd.exe (PID: 2728)
      • cmd.exe (PID: 3888)
      • cmd.exe (PID: 1256)
      • cmd.exe (PID: 660)
      • cmd.exe (PID: 3376)
      • cmd.exe (PID: 2452)
      • cmd.exe (PID: 912)
      • cmd.exe (PID: 3752)
      • cmd.exe (PID: 2940)
      • cmd.exe (PID: 1692)
      • cmd.exe (PID: 3020)
      • cmd.exe (PID: 1744)
      • cmd.exe (PID: 3076)
      • cmd.exe (PID: 3976)
      • cmd.exe (PID: 2752)
      • cmd.exe (PID: 3460)
      • cmd.exe (PID: 3972)
      • cmd.exe (PID: 2568)
      • cmd.exe (PID: 620)
      • cmd.exe (PID: 2496)
      • cmd.exe (PID: 3916)
      • cmd.exe (PID: 3384)
      • cmd.exe (PID: 2244)
      • cmd.exe (PID: 4056)
      • cmd.exe (PID: 1156)
      • cmd.exe (PID: 3580)
      • cmd.exe (PID: 1832)
      • cmd.exe (PID: 2600)
      • cmd.exe (PID: 3164)
      • cmd.exe (PID: 2348)
      • cmd.exe (PID: 1748)
      • cmd.exe (PID: 1504)
      • cmd.exe (PID: 2728)
      • cmd.exe (PID: 2120)
      • cmd.exe (PID: 4840)
      • cmd.exe (PID: 2548)
      • cmd.exe (PID: 3456)
      • cmd.exe (PID: 2484)
      • cmd.exe (PID: 2588)
      • cmd.exe (PID: 2608)
      • cmd.exe (PID: 2336)
      • cmd.exe (PID: 5552)
      • cmd.exe (PID: 5104)
      • cmd.exe (PID: 4576)
      • cmd.exe (PID: 4304)
      • cmd.exe (PID: 5124)
      • cmd.exe (PID: 5748)
      • cmd.exe (PID: 5936)
      • cmd.exe (PID: 5580)
      • cmd.exe (PID: 4684)
      • cmd.exe (PID: 5192)
      • cmd.exe (PID: 2184)
      • cmd.exe (PID: 4156)
      • cmd.exe (PID: 5544)
      • cmd.exe (PID: 6036)
      • cmd.exe (PID: 5044)
      • cmd.exe (PID: 5324)
      • cmd.exe (PID: 4972)
      • cmd.exe (PID: 2884)
      • cmd.exe (PID: 4232)
      • cmd.exe (PID: 5376)
      • cmd.exe (PID: 4484)
      • cmd.exe (PID: 5744)
      • cmd.exe (PID: 4912)
      • cmd.exe (PID: 6008)
      • cmd.exe (PID: 5128)
      • cmd.exe (PID: 4328)
      • cmd.exe (PID: 3664)
    • Uses ATTRIB.EXE to modify file attributes

      • javaw.exe (PID: 3368)
    • Searches for installed software

      • reg.exe (PID: 3872)
      • reg.exe (PID: 2692)
      • reg.exe (PID: 2988)
      • reg.exe (PID: 1488)
      • reg.exe (PID: 2356)
      • reg.exe (PID: 1488)
      • reg.exe (PID: 3884)
      • reg.exe (PID: 956)
      • reg.exe (PID: 3200)
      • reg.exe (PID: 3276)
      • reg.exe (PID: 3012)
      • reg.exe (PID: 1504)
      • reg.exe (PID: 3316)
      • reg.exe (PID: 3300)
      • reg.exe (PID: 2580)
      • reg.exe (PID: 3600)
      • reg.exe (PID: 2056)
      • reg.exe (PID: 3984)
      • reg.exe (PID: 3484)
      • reg.exe (PID: 3488)
      • reg.exe (PID: 3584)
      • reg.exe (PID: 3400)
      • reg.exe (PID: 3968)
      • reg.exe (PID: 3576)
      • reg.exe (PID: 1844)
      • reg.exe (PID: 2744)
      • reg.exe (PID: 3820)
      • reg.exe (PID: 1928)
      • reg.exe (PID: 3068)
      • reg.exe (PID: 3824)
      • reg.exe (PID: 2428)
      • reg.exe (PID: 4056)
      • reg.exe (PID: 3776)
      • reg.exe (PID: 772)
      • reg.exe (PID: 332)
      • reg.exe (PID: 2708)
      • reg.exe (PID: 2492)
      • reg.exe (PID: 3460)
      • reg.exe (PID: 3084)
      • reg.exe (PID: 3916)
      • reg.exe (PID: 2464)
      • reg.exe (PID: 2388)
      • reg.exe (PID: 3716)
      • reg.exe (PID: 2720)
      • reg.exe (PID: 2596)
      • reg.exe (PID: 3624)
      • reg.exe (PID: 1524)
      • reg.exe (PID: 3308)
      • reg.exe (PID: 2716)
      • reg.exe (PID: 4092)
      • reg.exe (PID: 1092)
      • reg.exe (PID: 3860)
      • reg.exe (PID: 2944)
      • reg.exe (PID: 272)
      • reg.exe (PID: 3308)
      • reg.exe (PID: 3756)
      • reg.exe (PID: 3100)
      • reg.exe (PID: 3960)
      • reg.exe (PID: 1692)
      • reg.exe (PID: 620)
      • reg.exe (PID: 2120)
      • reg.exe (PID: 3976)
      • reg.exe (PID: 3076)
      • reg.exe (PID: 3860)
      • reg.exe (PID: 2076)
      • reg.exe (PID: 1536)
      • reg.exe (PID: 2348)
      • reg.exe (PID: 2960)
      • reg.exe (PID: 3756)
      • reg.exe (PID: 3420)
      • reg.exe (PID: 2140)
      • reg.exe (PID: 2320)
      • reg.exe (PID: 3160)
      • reg.exe (PID: 2564)
      • reg.exe (PID: 956)
      • reg.exe (PID: 2880)
      • reg.exe (PID: 2904)
      • reg.exe (PID: 2904)
      • reg.exe (PID: 1748)
      • reg.exe (PID: 4092)
      • reg.exe (PID: 3384)
      • reg.exe (PID: 3728)
      • reg.exe (PID: 2716)
      • reg.exe (PID: 3932)
      • reg.exe (PID: 3880)
      • reg.exe (PID: 3456)
      • reg.exe (PID: 1092)
      • reg.exe (PID: 3636)
      • reg.exe (PID: 2880)
      • reg.exe (PID: 2388)
      • reg.exe (PID: 3344)
      • reg.exe (PID: 308)
      • reg.exe (PID: 1520)
      • reg.exe (PID: 3424)
      • reg.exe (PID: 2864)
      • reg.exe (PID: 3580)
      • reg.exe (PID: 2944)
      • reg.exe (PID: 872)
      • reg.exe (PID: 2948)
      • reg.exe (PID: 1832)
      • reg.exe (PID: 772)
      • reg.exe (PID: 3972)
      • reg.exe (PID: 308)
      • reg.exe (PID: 2948)
      • reg.exe (PID: 1740)
      • reg.exe (PID: 2604)
      • reg.exe (PID: 2548)
      • reg.exe (PID: 3120)
      • reg.exe (PID: 3664)
      • reg.exe (PID: 2448)
      • reg.exe (PID: 2816)
      • reg.exe (PID: 3084)
      • reg.exe (PID: 820)
      • reg.exe (PID: 4480)
      • reg.exe (PID: 3192)
      • reg.exe (PID: 820)
      • reg.exe (PID: 3596)
      • reg.exe (PID: 5312)
      • reg.exe (PID: 5580)
      • reg.exe (PID: 4324)
      • reg.exe (PID: 6020)
      • reg.exe (PID: 5176)
      • reg.exe (PID: 5568)
      • reg.exe (PID: 6036)
      • reg.exe (PID: 2872)
      • reg.exe (PID: 2076)
      • reg.exe (PID: 5140)
      • reg.exe (PID: 6020)
      • reg.exe (PID: 5184)
      • reg.exe (PID: 3792)
      • reg.exe (PID: 5484)
      • reg.exe (PID: 4428)
      • reg.exe (PID: 4580)
      • reg.exe (PID: 4792)
      • reg.exe (PID: 5684)
      • reg.exe (PID: 4632)
      • reg.exe (PID: 5564)
      • reg.exe (PID: 4168)
      • reg.exe (PID: 4580)
      • reg.exe (PID: 5876)
    • Creates files in the user directory

      • javaw.exe (PID: 3368)
    • Writes to a desktop.ini file (may be used to cloak folders)

      • javaw.exe (PID: 3368)
    • Executable content was dropped or overwritten

      • javaw.exe (PID: 3368)
    • Uses WMIC.EXE to obtain a list of Firewalls

      • cmd.exe (PID: 2836)
    • Uses WMIC.EXE to obtain a system information

      • cmd.exe (PID: 2836)
      • cmd.exe (PID: 2876)
      • cmd.exe (PID: 3800)
    • Connects to unusual port

      • javaw.exe (PID: 3368)
    • Uses TASKKILL.EXE to kill process

      • javaw.exe (PID: 3368)
    • Starts CMD.EXE for commands execution

      • javaw.exe (PID: 3368)
  • INFO

    No info indicators.
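The indicator list above is the sandbox's view of one run: almost every signature fires on a cmd.exe, reg.exe, wmic.exe, attrib.exe or taskkill.exe child, while the actor is the single javaw.exe (PID 3368) that drives them. As an added example (not part of the ANY.RUN report and not the sandbox's own signature logic), the Python below encodes the same behavioural chain as rules over process-creation events and attributes every hit to the nearest ancestor that is not a living-off-the-land binary, so the verdict lands on the Java process rather than on the hundreds of cmd.exe/reg.exe children. The events are constructed: the javaw.exe, WMIC and attrib command lines are the ones the report shows; the reg.exe and taskkill.exe lines are placeholders with assumed PIDs (9001 and up), because the report names those indicators but not the commands (the report in fact records the Run/RunOnce write as coming from javaw.exe itself, so the reg.exe form of it here only exercises the rule); the benign explorer.exe chain is a constructed control.

```python
import re
from collections import defaultdict

# Living-off-the-land binaries the sample drives from cmd.exe. A hit on one of
# these is attributed to the nearest ancestor that is NOT in this set.
LOLBINS = {"cmd.exe", "wmic.exe", "reg.exe", "attrib.exe", "taskkill.exe"}

# (rule name, weight, predicate over lower-cased image name and command line)
RULES = [
    ("wmic_securitycenter2_enum", 2,
     lambda img, cl: img == "wmic.exe" and "securitycenter2" in cl),
    ("attrib_hide_in_user_profile", 2,
     lambda img, cl: img == "attrib.exe" and "\\users\\" in cl
     and re.search(r"\+[hrs]", cl) is not None),
    ("reg_run_key_autorun", 3,
     lambda img, cl: img == "reg.exe" and " add " in cl
     and "currentversion\\run" in cl),
    ("reg_ifeo_tamper", 3,
     lambda img, cl: img == "reg.exe" and " add " in cl
     and "image file execution options" in cl),
    ("reg_defender_disable", 3,
     lambda img, cl: img == "reg.exe" and "windows defender" in cl
     and "disableantispyware" in cl),
    ("taskkill_in_lolbin_chain", 1, lambda img, cl: img == "taskkill.exe"),
    # javaw -jar ignores the extension, so a -jar target that is not *.jar
    # (here 11.1.jar.zip) is worth a point on its own.
    ("java_jar_without_jar_extension", 2,
     lambda img, cl: img == "javaw.exe" and "-jar" in cl
     and re.search(r'-jar\s+"?[^"]+\.jar"?\s*$', cl) is None),
]

# Constructed sample events: (pid, ppid, image, command line).
EVENTS = [
    (3368, 372, "javaw.exe", r'"C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\11.1.jar.zip"'),
    (2876, 3368, "cmd.exe", "cmd.exe"),
    (548, 2876, "wmic.exe", r"WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"),
    (2856, 3368, "attrib.exe", r"attrib +h C:\Users\admin\Oracle"),
    (2788, 3368, "attrib.exe", r"attrib +h +r +s C:\Users\admin\.ntusernt.ini"),
    # Placeholder reg/taskkill lines: assumed PIDs and assumed arguments.
    (9001, 3368, "cmd.exe", "cmd.exe"),
    (9002, 9001, "reg.exe", r'reg add "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v ZlUNqYe /t REG_SZ /d "C:\Users\admin\Oracle\bin\javaw.exe -jar C:\Users\admin\IueMc\tIKhw.class.txt" /f'),
    (9003, 3368, "cmd.exe", "cmd.exe"),
    (9004, 9003, "reg.exe", r'reg add "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\example-av.exe" /v Debugger /t REG_SZ /d placeholder.exe /f'),
    (9005, 3368, "cmd.exe", "cmd.exe"),
    (9006, 9005, "reg.exe", r'reg add "HKLM\SOFTWARE\Policies\Microsoft\Windows Defender" /v DisableAntiSpyware /t REG_DWORD /d 1 /f'),
    (9007, 3368, "taskkill.exe", "taskkill /F /IM example-av.exe"),
    # Benign control chain: an administrator querying the registry from a shell.
    (4000, 372, "explorer.exe", "explorer.exe"),
    (4001, 4000, "cmd.exe", "cmd.exe"),
    (4002, 4001, "reg.exe", r'reg query "HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion" /v ProductName'),
]


def actor_of(pid, parents, images):
    """Walk up past LOLBins to the process that launched the chain."""
    seen = set()
    while images.get(pid, "").lower() in LOLBINS and pid in parents and pid not in seen:
        seen.add(pid)
        pid = parents[pid]
    return pid


def triage(events, threshold=6):
    """Score rule hits per actor; each technique counts once per actor."""
    parents = {pid: ppid for pid, ppid, _, _ in events}
    images = {pid: img for pid, _, img, _ in events}
    findings = defaultdict(lambda: {"image": "?", "hits": set(), "score": 0})
    for pid, _, img, cl in events:
        low = cl.lower()
        for name, weight, pred in RULES:
            if pred(img.lower(), low):
                actor = actor_of(pid, parents, images)
                f = findings[actor]
                f["image"] = images.get(actor, "?")
                if name not in f["hits"]:
                    f["hits"].add(name)
                    f["score"] += weight
    return {pid: dict(f, verdict="malicious" if f["score"] >= threshold else "review")
            for pid, f in findings.items()}


if __name__ == "__main__":
    for pid, f in triage(EVENTS).items():
        print(pid, f["image"], f["verdict"], f["score"], sorted(f["hits"]))
```

Counting each technique once per actor is deliberate: the report shows well over a hundred cmd.exe/reg.exe pairs, and a per-event score would let a chatty but harmless installer outscore a quiet loader. The threshold and weights are assumptions to tune against your own telemetry.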
No Malware configuration.

TRiD

.zip | ZIP compressed archive (100)

EXIF (ZIP)

ZipFileName: META-INF/MANIFEST.MF
ZipUncompressedSize: 512
ZipCompressedSize: 395
ZipCRC: 0x8af85fba
ZipModifyDate: 2020:02:25 19:51:23
ZipCompression: Deflated
ZipBitFlag: 0x0808
ZipRequiredVersion: 20
Total processes: 652
Monitored processes: 386
Malicious processes: 5
Suspicious processes: 14

Behavior graph

(Rendered as an interactive process tree in the full report.) The tree starts at javaw.exe, which spawns cmd.exe -> wmic.exe pairs and a run of attrib.exe processes, followed by a long alternating chain of cmd.exe -> reg.exe pairs with taskkill.exe instances at intervals, plus single svchost.exe, explorer.exe and searchprotocolhost.exe nodes. Nodes marked "no specs" carried no indicator of their own.

Process information

PID: 3368
CMD: "C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe" -jar "C:\Users\admin\AppData\Local\Temp\11.1.jar.zip"
Path: C:\Program Files\Java\jre1.8.0_92\bin\javaw.exe
Parent process: explorer.exe
User: admin
Company: Oracle Corporation
Integrity Level: MEDIUM
Description: Java(TM) Platform SE binary
Version: 8.0.920.14

PID: 2876
CMD: cmd.exe
Path: C:\Windows\system32\cmd.exe
Parent process: javaw.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 548
CMD: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
Path: C:\Windows\System32\Wbem\WMIC.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: WMI Commandline Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2836
CMD: cmd.exe
Path: C:\Windows\system32\cmd.exe
Parent process: javaw.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Windows Command Processor
Version: 6.1.7601.17514 (win7sp1_rtm.101119-1850)

PID: 1332
CMD: WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
Path: C:\Windows\System32\Wbem\WMIC.exe
Parent process: cmd.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: WMI Commandline Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2856
CMD: attrib +h C:\Users\admin\Oracle
Path: C:\Windows\system32\attrib.exe
Parent process: javaw.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Attribute Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2788
CMD: attrib +h +r +s C:\Users\admin\.ntusernt.ini
Path: C:\Windows\system32\attrib.exe
Parent process: javaw.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Attribute Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 4012
CMD: attrib -s -r C:\Users\admin\IueMc\Desktop.ini
Path: C:\Windows\system32\attrib.exe
Parent process: javaw.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Attribute Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2748
CMD: attrib +s +r C:\Users\admin\IueMc\Desktop.ini
Path: C:\Windows\system32\attrib.exe
Parent process: javaw.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Attribute Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)

PID: 2516
CMD: attrib -s -r C:\Users\admin\IueMc
Path: C:\Windows\system32\attrib.exe
Parent process: javaw.exe
User: admin
Company: Microsoft Corporation
Integrity Level: MEDIUM
Description: Attribute Utility
Exit code: 0
Version: 6.1.7600.16385 (win7_rtm.090713-1255)
Total events: 2 284
Read events: 2 245
Write events: 39
Delete events: 0

Modification events

(PID) Process: (3548) SearchProtocolHost.exe
Key: HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\12B\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (3548) SearchProtocolHost.exe
Key: HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\12B\52C64B7E
Operation: write
Name: @C:\Windows\System32\ieframe.dll,-912
Value: HTML Document

(PID) Process: (3548) SearchProtocolHost.exe
Key: HKEY_USERS\.DEFAULT\Software\Classes\Local Settings\MuiCache\12B\52C64B7E
Operation: write
Name: @C:\Windows\system32\notepad.exe,-469
Value: Text Document

(PID) Process: (372) explorer.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
Operation: write
Name: LanguageList
Value: en-US

(PID) Process: (372) explorer.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
Operation: write
Name: @C:\Windows\System32\display.dll,-4
Value: S&creen resolution

(PID) Process: (372) explorer.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
Operation: write
Name: @C:\Program Files\Windows Sidebar\sidebar.exe,-11100
Value: &Gadgets

(PID) Process: (372) explorer.exe
Key: HKEY_CLASSES_ROOT\Local Settings\MuiCache\12B\52C64B7E
Operation: write
Name: @C:\Windows\system32\themecpl.dll,-10
Value: Pe&rsonalize

(PID) Process: (3368) javaw.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce
Operation: write
Name: ZlUNqYe
Value: "C:\Users\admin\Oracle\bin\javaw.exe" -jar "C:\Users\admin\IueMc\tIKhw.class.txt"

(PID) Process: (3368) javaw.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
Operation: write
Name: ZlUNqYe
Value: "C:\Users\admin\Oracle\bin\javaw.exe" -jar "C:\Users\admin\IueMc\tIKhw.class.txt"

(PID) Process: (3368) javaw.exe
Key: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap
Operation: write
Name: UNCAsIntranet
Value: 0
Executable files: 108
Suspicious files: 10
Text files: 65
Unknown types: 15

Dropped files

PID: 3368  Process: javaw.exe
Filename: C:\Users\admin\Oracle\bin\client\classes.jsa
Type:
MD5:
SHA256:

PID: 3368  Process: javaw.exe
Filename: C:\Users\admin\.oracle_jre_usage\90737d32e3abaa4.timestamp
Type: text
MD5: D7E7A1E50F3B7FD60BFD7D33B3CB1394
SHA256: B86426B8484D329FFB09A07F7F53E6EBCEC26798A3ED654EFB2D8F9035D90C18

PID: 3368  Process: javaw.exe
Filename: C:\Users\admin\Oracle\bin\hprof.dll
Type: executable
MD5: 9449E99B7E7C8A9ED74AC6B8E1AB0EB9
SHA256: CC82BEAA275F4ED4C33B694154BEBC5FD097ADA50072201D250AED3F269A41B6

PID: 3368  Process: javaw.exe
Filename: C:\Users\admin\Oracle\bin\glib-lite.dll
Type: executable
MD5: 7AB8AFD789E45C2D08CBC3233DAEC0BF
SHA256: 465541EF4E9337108B375984C23F5D31E6C060FED16820BB9BC5AF79A2109EAC

PID: 3368  Process: javaw.exe
Filename: C:\Users\admin\Oracle\bin\dtplugin\npdeployJava1.dll
Type: executable
MD5: D73A1252502A5F6218C916219B52139D
SHA256: 62248D7AB742E200996BF87433B4E8478E4D8BCFBC0A2EE7CBE3A5A62F6268C3

PID: 3368  Process: javaw.exe
Filename: C:\Users\admin\Oracle\bin\gstreamer-lite.dll
Type: executable
MD5: 28D020770921DEF13B9A8755FEADF8E9
SHA256: 379A14D561AFEB364F8902C0B5193DA229882C6273F2793339E1AD682AF516F4

PID: 3368  Process: javaw.exe
Filename: C:\Users\admin\Oracle\bin\awt.dll
Type: executable
MD5: 775D4B37E0DDBFA0EB56DB38126FB444
SHA256: E5D4FC7D47A38A389884AF1EA5F06F7C61C5CDE6AFC154A23A3CB5A127DA1E34

PID: 3368  Process: javaw.exe
Filename: C:\Users\admin\Oracle\bin\glass.dll
Type: executable
MD5: BE9D67DFFCC06D2073831F5D8CDE2DC0
SHA256: A92DF0E1F93E29FAE427DA766D9B91BDA4B421E6AB86AEB9CDD060B218028D35

PID: 3368  Process: javaw.exe
Filename: C:\Users\admin\Oracle\bin\deploy.dll
Type: executable
MD5: 720EDC1469525DFCD3AE211E653D0241
SHA256: BFF79FB05667992CC2BDA9BAE6E5A301BAF553042F952203641CCD7E1FC4552D

PID: 3368  Process: javaw.exe
Filename: C:\Users\admin\Oracle\bin\dt_shmem.dll
Type: executable
MD5: 0744E6A5145AA945D89A16EAC835FAB2
SHA256: C417390F681276EC0D55D81A91B87EAE75CA245045F5C23E9B43550B708FB1A6
HTTP(S) requests: 0
TCP/UDP connections: 1
DNS requests: 1
Threats: 0

HTTP requests

No HTTP requests

Connections

PID: 3368
Process: javaw.exe
IP: 118.100.66.100:4424
Domain: dman20.ddns.net
ASN: TM Net, Internet Service Provider
CN: MY
Reputation: unknown

DNS requests

Domain: dman20.ddns.net
IP: 118.100.66.100
Reputation: unknown

Threats

Class: Potentially Bad Traffic
Message: ET POLICY DNS Query to DynDNS Domain *.ddns .net