Sample File: MD5 hash: df6fc309f66b3cdb33a8fd183343a610 SHA1 hash: be9e3ae27e19694034f0f7ae81b162befd61689c SHA256 hash: fd86a9b0f3bcd1dc2b061bb7a77b3871cb6d101505218f763221ee9945e69bf3 SSDEEP hash: 12288:uaVkKWNQXHKobX++/y8rzRZ+otjI+qc+gMNYCEgYjsGGjOXbwlQoMxEVuXLN:5zFfX+Irr+ISc+gh/gY5wla/LN Filename(s): Bissell New PO.qrypted.jar Filetype: Java Archive Mutex IOCs: - None - Registry Key IOCs: HKEY_CLASSES_ROOT\.vbs HKEY_CLASSES_ROOT\VBSFile\ScriptEngine HKEY_CURRENT_USER\Control Panel\Desktop HKEY_CURRENT_USER\Control Panel\Desktop\WindowMetrics HKEY_CURRENT_USER\Software\Microsoft\Command Processor HKEY_CURRENT_USER\Software\Microsoft\Windows Script Host\Settings HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Shell Folders HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\comdlg32 HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\comdlg32\PlacesBar HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\ThemeManager HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\System HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows HKEY_LOCAL_MACHINE\Software\Microsoft\Command Processor HKEY_LOCAL_MACHINE\Software\Microsoft\Wbem\Scripting HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes HKEY_LOCAL_MACHINE\Software\Microsoft\Windows Script Host\Settings Domain IOCs: zgw5tdpu IP IOCs: 185.227.83.34 URL IOCs: - None - File IOCs: Filenames: C:\Program Files\Java\jre7\bin\awt.dll C:\Program Files\Java\jre7\bin\java C:\Program Files\Java\jre7\bin\java.exe C:\Program Files\Java\jre7\bin\management.dll C:\Program Files\Java\jre7\bin\net.dll C:\Program Files\Java\jre7\bin\nio.dll C:\Program Files\Java\jre7\bin\sunec.dll C:\Program Files\Java\jre7\bin\zip.dll C:\Program Files\Java\jre7\classes C:\Program Files\Java\jre7\lib C:\Program Files\Java\jre7\lib\accessibility.properties C:\Program Files\Java\jre7\lib\charsets.jar C:\Program Files\Java\jre7\lib\ext C:\Program Files\Java\jre7\lib\ext\access-bridge.jar C:\Program Files\Java\jre7\lib\ext\dnsns.jar C:\Program Files\Java\jre7\lib\ext\jaccess.jar C:\Program Files\Java\jre7\lib\ext\localedata.jar C:\Program Files\Java\jre7\lib\ext\meta-index C:\Program Files\Java\jre7\lib\ext\sunec.jar C:\Program Files\Java\jre7\lib\ext\sunjce_provider.jar C:\Program Files\Java\jre7\lib\ext\sunmscapi.jar C:\Program Files\Java\jre7\lib\ext\sunpkcs11.jar C:\Program Files\Java\jre7\lib\ext\zipfs.jar C:\Program Files\Java\jre7\lib\jaxp.properties C:\Program Files\Java\jre7\lib\jce.jar C:\Program Files\Java\jre7\lib\jfr.jar C:\Program Files\Java\jre7\lib\jsse.jar C:\Program Files\Java\jre7\lib\management\usagetracker.properties C:\Program Files\Java\jre7\lib\meta-index C:\Program Files\Java\jre7\lib\resources.jar C:\Program Files\Java\jre7\lib\rt.jar C:\Program Files\Java\jre7\lib\security\US_export_policy.jar C:\Program Files\Java\jre7\lib\security\java.security C:\Program Files\Java\jre7\lib\security\local_policy.jar C:\Program Files\Java\jre7\lib\sunrsasign.jar C:\Program Files\Java\jre7\lib\swing.properties C:\Program Files\Java\jre7\meta-index C:\Program%20Files\Java\jre7\lib\ext\sunec.dll C:\Program%20Files\Java\jre7\lib\ext\x86\sunec.dll C:\Users\2XC7U6~1\AppData\Local\Temp C:\Users\2XC7U6~1\AppData\Local\Temp\Retrive1162148989861803484.vbs C:\Users\2XC7U6~1\AppData\Local\Temp\Retrive1360789152958718586.vbs C:\Users\2XC7U6~1\AppData\Local\Temp\Retrive1625750400979200631.vbs C:\Users\2XC7U6~1\AppData\Local\Temp\Retrive2955724691501239824.vbs C:\Users\2XC7U6~1\AppData\Local\Temp\Retrive3009091646390096651.vbs C:\Users\2XC7U6~1\AppData\Local\Temp\Retrive3068316261550961408.vbs C:\Users\2XC7U6~1\AppData\Local\Temp\Retrive3549377093237930864.vbs C:\Users\2XC7U6~1\AppData\Local\Temp\Retrive4432003530389164433.vbs C:\Users\2XC7U6~1\AppData\Local\Temp\Retrive466295784543991919.vbs C:\Users\2XC7U6~1\AppData\Local\Temp\Retrive5186310507301951599.vbs C:\Users\2XC7U6~1\AppData\Local\Temp\Retrive7366168634408503799.vbs C:\Users\2XC7U6~1\AppData\Local\Temp\Retrive8453022226677560905.vbs C:\Users\2XC7U6~1\AppData\Local\Temp\\hsperfdata_2XC7u663GxWc C:\Users\2XC7U6~1\AppData\Local\Temp\\hsperfdata_2XC7u663GxWc\3928 C:\Users\2XC7U6~1\AppData\Local\Temp\\hsperfdata_2XC7u663GxWc\4024 C:\Users\2XC7U6~1\AppData\Local\Temp\\hsperfdata_2XC7u663GxWc\656 C:\Users\2XC7U6~1\AppData\Local\Temp\\hsperfdata_2XC7u663GxWc\860 C:\Users\2XC7U6~1\AppData\Local\Temp\_0.080316539076114361006181509658991106.class C:\Users\2XC7U6~1\AppData\Local\Temp\_0.77866636596601243045465905282659207.class C:\Users\2XC7U6~1\AppData\Local\Temp\_0.98963488192277293018538009244777557.class C:\Users\2XC7U6~1\Desktop\Bissell New PO.qrypted.jar C:\Users\2XC7u663GxWc\.accessibility.properties C:\Users\2XC7u663GxWc\AppData\Local\Temp\_0.080316539076114361006181509658991106.class C:\Users\2XC7u663GxWc\AppData\Local\Temp\_0.77866636596601243045465905282659207.class C:\Users\2XC7u663GxWc\AppData\Local\Temp\_0.98963488192277293018538009244777557.class C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\bin\awt.dll C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\bin\client\classes.jsa C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\bin\java C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\bin\java.exe C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\bin\javaw.exe C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\bin\management.dll C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\bin\msvcr100.dll C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\bin\net.dll C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\bin\nio.dll C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\bin\sunec.dll C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\bin\sunmscapi.dll C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\bin\zip.dll C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\classes C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\accessibility.properties C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\charsets.jar C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\endorsed C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\ext C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\ext\access-bridge.jar C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\ext\dnsns.jar C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\ext\jaccess.jar C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\ext\localedata.jar C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\ext\meta-index C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\ext\sunec.dll C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\ext\sunec.jar C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\ext\sunjce_provider.jar C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\ext\sunmscapi.dll C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\ext\sunmscapi.jar C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\ext\sunpkcs11.jar C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\ext\x86\sunec.dll C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\ext\x86\sunmscapi.dll C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\ext\zipfs.jar C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\i386\jvm.cfg C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\jaxp.properties C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\jce.jar C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\jfr.jar C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\jsse.jar C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\management\usagetracker.properties C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\meta-index C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\net.properties C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\resources.jar C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\rt.jar C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\security\US_export_policy.jar C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\security\java.security C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\security\local_policy.jar C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\sunrsasign.jar C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\lib\swing.properties C:\Users\2XC7u663GxWc\AppData\Roaming\Oracle\meta-index C:\Users\2XC7u663GxWc\Desktop C:\Users\2XC7u663GxWc\Desktop\Bissell New PO.qrypted.jar C:\Users\2XC7u663GxWc\cqsFQOTqbmg C:\Users\2XC7u663GxWc\cqsFQOTqbmg\ID.txt C:\Users\2XC7u663GxWc\cqsFQOTqbmg\nccJQMiokAP C:\Users\2XC7u663GxWc\cqsFQOTqbmg\zoIZCxYZMIr.EAMkwm C:\Users\2XC7u663GxWc\fUTkALeaTxM C:\Users\2XC7u663GxWc\fUTkALeaTxM\DdWDtpinxpf C:\Users\2XC7u663GxWc\fUTkALeaTxM\ID.txt C:\Windows\Sun\Java\lib\ext C:\Windows\Sun\Java\lib\ext\meta-index C:\Windows\System32\test.txt C:\Windows\system32 \etc\release cscript.exe MD5 hashes: 3bdfd33017806b85949b6faa7d4b98e4 473d5ea6460d84e1c44532bf39d48eb7 781fb531354d6f291f1ccab48da6d39f 9b201b1dd02cb80825eeb818b96627f3 a32c109297ed1ca155598cd295c26611 df6fc309f66b3cdb33a8fd183343a610 fcd6bcb56c1689fcef28b57c22475bad SHA1 hashes: 1adc95bebe9eea8c112d40cd04ab7a8d75c4f961 2bd36111bde69244396c5fb8539c89b714b2e6a5 9ce4518ebcb5be6d1f0b5477fa00c26860fe9a68 be9e3ae27e19694034f0f7ae81b162befd61689c c760d009877410051d803f625211fd027445d1c8 dc4a1fdbaad15ddd6fe22d3907c6b03727b71510 f92844fee69ef98db6e68931adfaa9a0a0f8ce66 SHA256 hashes: 45bfe34aa3ef932f75101246eb53d032f5e7cf6d1f5b4e495334955a255f32e7 97d585b6aff62fb4e43e7e6a5f816dcd7a14be11a88b109a9ba9e8cd4c456eb9 9da575dd2d5b7c1e9bab8b51a16cde457b3371c6dcdb0537356cf1497fa868f6 9f32e41ce1b7a69787cd3886274f9e8c8a910607a0687b3d3cf965cef60d2109 d56585c6039877175e2ebe7a32e04e7c98e947f55839e8cf0e3abc6d06ebb790 de2f256064a0af797747c2b97505dc0b9f3df0de4f489eac731c23ae9ca9cc31 fd86a9b0f3bcd1dc2b061bb7a77b3871cb6d101505218f763221ee9945e69bf3 SSDEEP hashes: 12288:uaVkKWNQXHKobX++/y8rzRZ+otjI+qc+gMNYCEgYjsGGjOXbwlQoMxEVuXLN:5zFfX+Irr+ISc+gh/gY5wla/LN 3:: 3:YwwAHMaHM3+bIx74Re:YwwAHfHIxsRe 3:YwwAHWKIDdIRRKu9hASMi:YwwAHWKIDdsEKhv 6144:WI5pxUZ7Gvi8ulm+yV/rIF0/MO2qnan1J7pXESN6U:J5pxAGqNkrIq/MO2qnA 6:jpxiFtqvAAT+geD5NaqZxLMTQQQavbx3la2Zp6djsyn:vmtqvAndZFcQU9lrXyjsyn 6:jpxiFtqvAAT+geD5NaqZxLMTrLavbx3laDH6djsyn:vmtqvAndZFcrG9lpjsyn