
Analysis Report Shippinginfo.jar

Overview

General Information

Joe Sandbox Version: 28.0.0 Lapis Lazuli
Analysis ID: 201036
Start date: 14.01.2020
Start time: 23:28:06
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 19m 37s
Hypervisor based Inspection enabled: false
Report type: full
Sample file name: Shippinginfo.jar
Cookbook file name: defaultwindowsfilecookbook.jbs
Analysis system description: Windows 10 64 bit (version 1803) with Office 2016, Adobe Reader DC 19, Chrome 70, Firefox 63, Java 8.171, Flash 30.0.0.113
Number of analysed new started processes: 41
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
  • HCA enabled
  • EGA enabled
  • HDC enabled
  • GSI enabled (Java)
  • AMSI enabled
Analysis stop reason: Timeout
Detection: MAL
Classification: mal88.troj.expl.evad.winJAR@63/40@77/1
EGA Information: Failed
HDC Information: Failed
HCA Information: Failed
Cookbook Comments:
  • Adjust boot time
  • Enable AMSI
  • Found application associated with file extension: .jar
Warnings:
  • Exclude process from analysis (whitelisted): conhost.exe, CompatTelRunner.exe
  • Excluded IPs from analysis (whitelisted): 52.109.76.33, 52.109.120.23, 205.185.216.10, 205.185.216.42, 92.122.213.201, 92.122.213.217, 51.143.111.7, 52.109.88.38
  • Excluded domains from analysis (whitelisted): umwatson.trafficmanager.net, prod-w.nexus.live.com.akadns.net, 2-01-3cf7-0009.cdx.cedexis.net, nexus.officeapps.live.com, download.windowsupdate.com, cds.d2s7q6s2.hwcdn.net, a767.dspw65.akamai.net, watson.telemetry.microsoft.com, download.windowsupdate.com.edgesuite.net
  • Execution Graph export aborted for target java.exe, PID 5264 because there are no executed functions
  • Execution Graph export aborted for target javaw.exe, PID 3964 because there are no executed functions
  • Execution Graph export aborted for target javaw.exe, PID 4908 because there are no executed functions
  • Execution Graph export aborted for target javaw.exe, PID 948 because there are no executed functions
  • Report size exceeded maximum capacity and may have missing behavior information.
  • Report size getting too big, too many NtAllocateVirtualMemory calls found.
  • Report size getting too big, too many NtDeviceIoControlFile calls found.
  • Report size getting too big, too many NtOpenKeyEx calls found.
  • Report size getting too big, too many NtQueryValueKey calls found.
  • Report size getting too big, too many NtReadFile calls found.
  • Report size getting too big, too many NtSetInformationFile calls found.

Detection

Strategy    Score   Range      Reporting   Whitelisted   Detection
Threshold   88      80 - 100               false         malicious

Confidence

Strategy    Score   Range   Further Analysis Required?   Confidence
Threshold   5       0 - 5   false


Classification

Analysis Advice

Sample drops PE files which have not been started; submit the dropped PE samples to Joe Sandbox for a secondary analysis.
Sample may offer command line options; please run it with the 'Execute binary with arguments' cookbook (the command line switches may require additional prefix characters such as "-", "/" or "--").



MITRE ATT&CK Matrix

Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
Valid Accounts | Windows Management Instrumentation 1 | File System Permissions Weakness 1 | File System Permissions Weakness 1 | Masquerading 21 | Credential Dumping | Process Discovery 1 | Application Deployment Software | Data from Local System | Data Encrypted 1 | Standard Cryptographic Protocol 1 | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
Replication Through Removable Media | Command-Line Interface 12 | Registry Run Keys / Startup Folder 11 | Process Injection 12 | Disabling Security Tools 1 | Network Sniffing | Security Software Discovery 11 | Remote Services | Data from Removable Media | Exfiltration Over Other Network Medium | Standard Non-Application Layer Protocol 1 | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
External Remote Services | Exploitation for Client Execution 2 | Accessibility Features | Path Interception | Timestomp 1 | Input Capture | Remote System Discovery 1 | Windows Remote Management | Data from Network Shared Drive | Automated Exfiltration | Standard Application Layer Protocol 11 | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
Drive-by Compromise | Scheduled Task | System Firmware | DLL Search Order Hijacking | Process Injection 12 | Credentials in Files | File and Directory Discovery 1 | Logon Scripts | Input Capture | Data Encrypted | Multiband Communication | SIM Card Swap | | Premium SMS Toll Fraud
Exploit Public-Facing Application | Command-Line Interface | Shortcut Modification | File System Permissions Weakness | File Deletion 1 | Account Manipulation | System Information Discovery 2 | Shared Webroot | Data Staged | Scheduled Transfer | Standard Cryptographic Protocol | Manipulate Device Communication | | Manipulate App Store Rankings or Ratings
Spearphishing Link | Graphical User Interface | Modify Existing Service | New Service | Obfuscated Files or Information 1 | Brute Force | System Owner/User Discovery | Third-party Software | Screen Capture | Data Transfer Size Limits | Commonly Used Port | Jamming or Denial of Service | | Abuse Accessibility Features
Spearphishing Attachment | Scripting | Path Interception | Scheduled Task | DLL Side-Loading 1 | Two-Factor Authentication Interception | Network Sniffing | Pass the Hash | Email Collection | Exfiltration Over Command and Control Channel | Uncommonly Used Port | Rogue Wi-Fi Access Points | | Data Encrypted for Impact

Signature Overview


AV Detection:

Multi AV Scanner detection for submitted file
Source: Shippinginfo.jar; Virustotal: Detection: 36%
Machine Learning detection for dropped file
Source: C:\Users\user\Oracle\bin\plugin2\msvcr100.dll; Joe Sandbox ML: detected

Software Vulnerabilities:

Exploit detected, runtime environment starts unknown processes
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe; Process created: C:\Windows\SysWOW64\cmd.exe

Networking:

Uses dynamic DNS services
Source: unknown; DNS query: name: ssgwire.duckdns.org
IP address seen in connection with other malware
Source: Joe Sandbox View; IP Address: 192.169.69.25
Internet Provider seen in connection with other malware
Source: Joe Sandbox View; ASN Name: unknown
Performs DNS lookups
Source: unknown; DNS traffic detected: queries for: ssgwire.duckdns.org
Urls found in memory or binary data
Source: java.exe, 00000002.00000002.6170153288.0000000000C05000.00000004.00000001.sdmp, java.exe, 00000002.00000002.6178606779.000000000A1AE000.00000004.00000001.sdmp, java.exe, 00000002.00000002.6180021747.000000000A501000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6194421305.0000000009C89000.00000004.00000001.sdmp, javaw.exe, 00000020.00000002.6215068315.000000000A689000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/datatype-validator-factory
Source: javaw.exeString found in binary or memory: http://apache.org/xml/properties/internal/datatype-validator-factorydeNS:
Source: javaw.exeString found in binary or memory: http://apache.org/xml/properties/internal/document-scanner
Source: javaw.exeString found in binary or memory: http://apache.org/xml/properties/internal/dtd-processor
Source: java.exe, 00000002.00000002.6170153288.0000000000C05000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6201590664.0000000015080000.00000004.00000001.sdmp, javaw.exe, 00000020.00000003.4659222891.0000000015612000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/dtd-processor5
Source: java.exe, java.exe, 00000002.00000002.6178606779.000000000A1AE000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6194421305.0000000009C89000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6201590664.0000000015080000.00000004.00000001.sdmp, javaw.exe, 00000020.00000003.4659222891.0000000015612000.00000004.00000001.sdmp, javaw.exe, 00000020.00000002.6215068315.000000000A689000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/dtd-scanner
Source: java.exe, 00000002.00000002.6170153288.0000000000C05000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/dtd-scanner8
Source: java.exe, 00000002.00000002.6178606779.000000000A1AE000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6194421305.0000000009C89000.00000004.00000001.sdmp, javaw.exe, 00000020.00000002.6215068315.000000000A689000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/entity-manager
Source: javaw.exeString found in binary or memory: http://apache.org/xml/properties/internal/entity-manager8
Source: javaw.exeString found in binary or memory: http://apache.org/xml/properties/internal/entity-resolver
Source: java.exe, 00000002.00000002.6170153288.0000000000C05000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/entity-resolver5
Source: javaw.exe, 0000001F.00000003.4789946913.0000000014B23000.00000004.00000001.sdmp, javaw.exe, 00000020.00000003.4659733359.000000001552E000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/entity-resolver7
Source: javaw.exe, 00000020.00000002.6216561241.000000000A958000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/entity-resolver;
Source: javaw.exeString found in binary or memory: http://apache.org/xml/properties/internal/error-handler
Source: java.exe, 00000002.00000002.6170153288.0000000000C05000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000003.4789946913.0000000014B23000.00000004.00000001.sdmp, javaw.exe, 00000020.00000003.4659733359.000000001552E000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/error-handler6
Source: javaw.exe, 00000020.00000002.6216561241.000000000A958000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/error-handlerk
Source: java.exe, 00000002.00000002.6178606779.000000000A1AE000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6194421305.0000000009C89000.00000004.00000001.sdmp, javaw.exe, 00000020.00000002.6215068315.000000000A689000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/error-reporter
Source: javaw.exe, 00000020.00000002.6216561241.000000000A958000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/error-reporter#
Source: javaw.exeString found in binary or memory: http://apache.org/xml/properties/internal/error-reporter:
Source: javaw.exe, 0000001F.00000002.6195672071.0000000009F59000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/error-reporterk
Source: javaw.exeString found in binary or memory: http://apache.org/xml/properties/internal/grammar-pool
Source: javaw.exe, 00000020.00000002.6216561241.000000000A958000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/grammar-pool#
Source: javaw.exe, 0000001F.00000003.4789946913.0000000014B23000.00000004.00000001.sdmp, javaw.exe, 00000020.00000003.4659733359.000000001552E000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/grammar-pool6
Source: java.exe, 00000002.00000002.6180021747.000000000A501000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/grammar-pools
Source: java.exe, java.exe, 00000002.00000002.6170153288.0000000000C05000.00000004.00000001.sdmp, java.exe, 00000002.00000002.6178606779.000000000A1AE000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6194421305.0000000009C89000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6201590664.0000000015080000.00000004.00000001.sdmp, javaw.exe, 00000020.00000003.4659222891.0000000015612000.00000004.00000001.sdmp, javaw.exe, 00000020.00000002.6215068315.000000000A689000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/namespace-binder
Source: javaw.exe, 0000001F.00000002.6195672071.0000000009F59000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/namespace-binderC
Source: java.exe, java.exe, 00000002.00000002.6170153288.0000000000C05000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6194421305.0000000009C89000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6195672071.0000000009F59000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6201590664.0000000015080000.00000004.00000001.sdmp, javaw.exe, 00000020.00000003.4659222891.0000000015612000.00000004.00000001.sdmp, javaw.exe, 00000020.00000002.6215068315.000000000A689000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/namespace-context
Source: java.exe, 00000002.00000002.6170153288.0000000000C05000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/namespace-context:
Source: java.exe, 00000002.00000002.6178606779.000000000A1AE000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6194421305.0000000009C89000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6201590664.0000000015080000.00000004.00000001.sdmp, javaw.exe, 00000020.00000003.4659222891.0000000015612000.00000004.00000001.sdmp, javaw.exe, 00000020.00000002.6215068315.000000000A689000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/stax-entity-resolver
Source: java.exeString found in binary or memory: http://apache.org/xml/properties/internal/stax-entity-resolveriz=
Source: javaw.exeString found in binary or memory: http://apache.org/xml/properties/internal/symbol-table
Source: javaw.exe, 0000001F.00000003.4789946913.0000000014B23000.00000004.00000001.sdmp, javaw.exe, 00000020.00000003.4659733359.000000001552E000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/symbol-tableQ
Source: java.exe, 00000002.00000002.6170153288.0000000000C05000.00000004.00000001.sdmp, java.exe, 00000002.00000002.6178606779.000000000A1AE000.00000004.00000001.sdmp, java.exe, 00000002.00000002.6180021747.000000000A501000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6194421305.0000000009C89000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6201590664.0000000015080000.00000004.00000001.sdmp, javaw.exe, 00000020.00000003.4659222891.0000000015612000.00000004.00000001.sdmp, javaw.exe, 00000020.00000002.6215068315.000000000A689000.00000004.00000001.sdmp, javaw.exe, 00000020.00000002.6216561241.000000000A958000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/validation-manager
Source: java.exe, 00000002.00000002.6170153288.0000000000C05000.00000004.00000001.sdmp, java.exe, 00000002.00000002.6178606779.000000000A1AE000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6194421305.0000000009C89000.00000004.00000001.sdmp, javaw.exe, 00000020.00000002.6215068315.000000000A689000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/validation/schema/dv-factory
Source: javaw.exe, 0000001F.00000002.6195672071.0000000009F59000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/validation/schema/dv-factoryK
Source: java.exe, 00000002.00000002.6180021747.000000000A501000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/validation/schema/dv-factoryS
Source: javaw.exeString found in binary or memory: http://apache.org/xml/properties/internal/validation/schema/dv-factoryta7
Source: java.exe, java.exe, 00000002.00000002.6178606779.000000000A1AE000.00000004.00000001.sdmp, java.exe, 00000002.00000002.6180021747.000000000A501000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6194421305.0000000009C89000.00000004.00000001.sdmp, javaw.exe, 00000020.00000002.6215068315.000000000A689000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/validator/dtd
Source: java.exe, 00000002.00000002.6170153288.0000000000C05000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/validator/dtd:
Source: javaw.exeString found in binary or memory: http://apache.org/xml/properties/internal/validator/dtdE:
Source: javaw.exe, 00000020.00000002.6216561241.000000000A958000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/validator/dtdkt
Source: java.exe, java.exe, 00000002.00000002.6170153288.0000000000C05000.00000004.00000001.sdmp, java.exe, 00000002.00000002.6178606779.000000000A1AE000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6194421305.0000000009C89000.00000004.00000001.sdmp, javaw.exe, 00000020.00000002.6215068315.000000000A689000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/validator/schema
Source: javaw.exe, 00000020.00000002.6216561241.000000000A958000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/validator/schema;L
Source: javaw.exe, 0000001F.00000002.6201590664.0000000015080000.00000004.00000001.sdmp, javaw.exe, 00000020.00000003.4659222891.0000000015612000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/validator/schemaWith
Source: java.exe, 00000002.00000002.6180021747.000000000A501000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/validator/schemas
Source: java.exe, 00000002.00000002.6170153288.0000000000C05000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6194421305.0000000009C89000.00000004.00000001.sdmp, javaw.exe, 00000020.00000002.6215068315.000000000A689000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/xinclude-handler
Source: javaw.exeString found in binary or memory: http://apache.org/xml/properties/internal/xinclude-handlertClass9
Source: java.exe, 00000002.00000002.6170153288.0000000000C05000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/k
Source: java.exe, java.exe, 00000002.00000002.6178606779.000000000A1AE000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6194421305.0000000009C89000.00000004.00000001.sdmp, javaw.exe, 00000020.00000002.6215068315.000000000A689000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/locale
Source: java.exe, 00000002.00000002.6170153288.0000000000C05000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/localeJ
Source: javaw.exe, 0000001F.00000002.6195672071.0000000009F59000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/localek
Source: javaw.exeString found in binary or memory: http://apache.org/xml/properties/localetJ
Source: java.exe, 00000002.00000002.6170153288.0000000000C05000.00000004.00000001.sdmp, java.exe, 00000002.00000002.6178606779.000000000A1AE000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6194421305.0000000009C89000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6195672071.0000000009F59000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6201590664.0000000015080000.00000004.00000001.sdmp, javaw.exe, 00000020.00000003.4659222891.0000000015612000.00000004.00000001.sdmp, javaw.exe, 00000020.00000002.6215068315.000000000A689000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/schema/external-noNamespaceSchemaLocation
Source: java.exe, java.exe, 00000002.00000002.6178606779.000000000A1AE000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6194421305.0000000009C89000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6201590664.0000000015080000.00000004.00000001.sdmp, javaw.exe, 00000020.00000003.4659222891.0000000015612000.00000004.00000001.sdmp, javaw.exe, 00000020.00000002.6215068315.000000000A689000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/schema/external-schemaLocation
Source: java.exe, 00000002.00000002.6170153288.0000000000C05000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/schema/external-schemaLocation(
Source: javaw.exeString found in binary or memory: http://apache.org/xml/properties/security-manager
Source: java.exe, 00000002.00000002.6170153288.0000000000C05000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000003.4789946913.0000000014B23000.00000004.00000001.sdmp, javaw.exe, 00000020.00000003.4659733359.000000001552E000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/security-manager8
Source: java.exe, 00000002.00000002.6170153288.0000000000C05000.00000004.00000001.sdmp, java.exe, 00000002.00000002.6178606779.000000000A1AE000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6194421305.0000000009C89000.00000004.00000001.sdmp, javaw.exe, 00000020.00000002.6215068315.000000000A689000.00000004.00000001.sdmp, javaw.exe, 00000020.00000002.6216561241.000000000A958000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/xmlschema/1.0/anonymousTypes
Source: javaw.exe, 00000020.00000003.4678308616.000000001551A000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/xmlschema/1.0/anonymousTypesor
Source: java.exe, 00000002.00000002.6177868347.0000000009FBC000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6207298157.000000006CD54000.00000002.00020000.sdmp, javaw.exe, 0000001F.00000002.6194046740.0000000009B82000.00000004.00000001.sdmp, javaw.exe, 00000020.00000002.6225414293.000000006CD54000.00000002.00020000.sdmp, javaw.exe, 00000020.00000002.6214555731.000000000A582000.00000004.00000001.sdmpString found in binary or memory: http://bugreport.sun.com/bugreport/
Source: javaw.exe, 0000001F.00000002.6207298157.000000006CD54000.00000002.00020000.sdmp, javaw.exe, 00000020.00000002.6225414293.000000006CD54000.00000002.00020000.sdmpString found in binary or memory: http://bugreport.sun.com/bugreport/java.vendor.url.bughttp://java.oracle.com/java.vendor.urljava.ven
Source: java.exe, 00000002.00000002.6178021044.000000000A01D000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000003.4633121966.0000000014C14000.00000004.00000001.sdmp, javaw.exe, 00000020.00000003.4659222891.0000000015612000.00000004.00000001.sdmpString found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: java.exe, 00000002.00000002.6178021044.000000000A01D000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000003.4789946913.0000000014B23000.00000004.00000001.sdmp, javaw.exe, 00000020.00000003.4659222891.0000000015612000.00000004.00000001.sdmpString found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: java.exe, 00000002.00000002.6178021044.000000000A01D000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6194243501.0000000009C1F000.00000004.00000001.sdmp, javaw.exe, 00000020.00000002.6214850799.000000000A61F000.00000004.00000001.sdmpString found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: java.exe, 00000002.00000002.6178021044.000000000A01D000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6194243501.0000000009C1F000.00000004.00000001.sdmp, javaw.exe, 00000020.00000002.6214850799.000000000A61F000.00000004.00000001.sdmpString found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: java.exe, 00000002.00000002.6178021044.000000000A01D000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6194243501.0000000009C1F000.00000004.00000001.sdmp, javaw.exe, 00000020.00000002.6214850799.000000000A61F000.00000004.00000001.sdmpString found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: java.exe, 00000002.00000002.6178021044.000000000A01D000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6194243501.0000000009C1F000.00000004.00000001.sdmp, javaw.exe, 00000020.00000002.6214850799.000000000A61F000.00000004.00000001.sdmpString found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: java.exe, 00000002.00000002.6177911179.0000000009FC9000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6207298157.000000006CD54000.00000002.00020000.sdmp, javaw.exe, 00000020.00000002.6214582429.000000000A586000.00000004.00000001.sdmpString found in binary or memory: http://java.oracle.com/
Source: javaw.exeString found in binary or memory: http://java.sun.com/dtd/properties.dtd
Source: javaw.exe, 00000020.00000002.6216561241.000000000A958000.00000004.00000001.sdmpString found in binary or memory: http://java.sun.com/dtd/properties.dtd#r
Source: javaw.exe, 0000001F.00000002.6195672071.0000000009F59000.00000004.00000001.sdmpString found in binary or memory: http://java.sun.com/dtd/properties.dtdk~
Source: java.exe, 00000002.00000002.6170153288.0000000000C05000.00000004.00000001.sdmp, java.exe, 00000002.00000002.6178606779.000000000A1AE000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6194421305.0000000009C89000.00000004.00000001.sdmp, javaw.exe, 00000020.00000002.6215068315.000000000A689000.00000004.00000001.sdmpString found in binary or memory: http://java.sun.com/xml/dom/properties/
Source: javaw.exe, 00000020.00000002.6216561241.000000000A958000.00000004.00000001.sdmpString found in binary or memory: http://java.sun.com/xml/dom/properties/#v
Source: java.exe, 00000002.00000002.6170153288.0000000000C05000.00000004.00000001.sdmpString found in binary or memory: http://java.sun.com/xml/dom/properties/(
Source: javaw.exeString found in binary or memory: http://java.sun.com/xml/dom/properties/I(
Source: java.exe, 00000002.00000002.6170153288.0000000000C05000.00000004.00000001.sdmp, java.exe, 00000002.00000002.6178606779.000000000A1AE000.00000004.00000001.sdmp, java.exe, 00000002.00000002.6180021747.000000000A501000.00000004.00000001.sdmp, javaw.exe, javaw.exe, 0000001F.00000002.6194421305.0000000009C89000.00000004.00000001.sdmp, javaw.exe, 00000020.00000002.6215068315.000000000A689000.00000004.00000001.sdmpString found in binary or memory: http://java.sun.com/xml/dom/properties/ancestor-check
Source: javaw.exe, 00000020.00000002.6216561241.000000000A958000.00000004.00000001.sdmpString found in binary or memory: http://java.sun.com/xml/dom/properties/ancestor-checkc
Source: javaw.exeString found in binary or memory: http://java.sun.com/xml/dom/properties/ancestor-checker;
Source: javaw.exe, 0000001F.00000002.6195672071.0000000009F59000.00000004.00000001.sdmpString found in binary or memory: http://java.sun.com/xml/dom/properties/k
Source: javaw.exeString found in binary or memory: http://java.sun.com/xml/jaxp/properties/
Source: javaw.exe, 00000020.00000002.6216561241.000000000A958000.00000004.00000001.sdmpString found in binary or memory: http://java.sun.com/xml/jaxp/properties/c
Source: java.exe, java.exe, 00000002.00000002.6170153288.0000000000C05000.00000004.00000001.sdmp, java.exe, 00000002.00000002.6180021747.000000000A501000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000003.4789946913.0000000014B23000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6194421305.0000000009C89000.00000004.00000001.sdmp, javaw.exe, 00000020.00000002.6215068315.000000000A689000.00000004.00000001.sdmpString found in binary or memory: http://java.sun.com/xml/jaxp/properties/schemaLanguage
Source: java.exe, 00000002.00000002.6170153288.0000000000C05000.00000004.00000001.sdmpString found in binary or memory: http://java.sun.com/xml/jaxp/properties/schemaLanguage4
Source: javaw.exe, 00000020.00000003.4659733359.000000001552E000.00000004.00000001.sdmpString found in binary or memory: http://java.sun.com/xml/jaxp/properties/schemaLanguageT
Source: java.exe, java.exe, 00000002.00000002.6170153288.0000000000C05000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6194421305.0000000009C89000.00000004.00000001.sdmp, javaw.exe, 00000020.00000002.6215068315.000000000A689000.00000004.00000001.sdmpString found in binary or memory: http://java.sun.com/xml/jaxp/properties/schemaSource
Source: java.exe, 00000002.00000002.6170153288.0000000000C05000.00000004.00000001.sdmpString found in binary or memory: http://java.sun.com/xml/jaxp/properties/schemaSource7
Source: javaw.exe, 00000020.00000003.4659733359.000000001552E000.00000004.00000001.sdmpString found in binary or memory: http://java.sun.com/xml/jaxp/properties/schemaSourceh
Source: javaw.exe, 0000001F.00000003.4789946913.0000000014B23000.00000004.00000001.sdmpString found in binary or memory: http://java.sun.com/xml/jaxp/properties/schemaSourcep
Source: javaw.exe, javaw.exe, 00000020.00000002.6215068315.000000000A689000.00000004.00000001.sdmpString found in binary or memory: http://java.sun.com/xml/schema/features/
Source: java.exe, 00000002.00000002.6180021747.000000000A501000.00000004.00000001.sdmpString found in binary or memory: http://java.sun.com/xml/schema/features/C
Source: javaw.exeString found in binary or memory: http://java.sun.com/xml/schema/features/report-ignored-element-content-whitespace
Source: javaw.exe, 0000001F.00000003.4789946913.0000000014B23000.00000004.00000001.sdmp, javaw.exe, 00000020.00000003.4659733359.000000001552E000.00000004.00000001.sdmpString found in binary or memory: http://java.sun.com/xml/schema/features/report-ignored-element-content-whitespace0
Source: java.exe, 00000002.00000002.6170153288.0000000000C05000.00000004.00000001.sdmp, java.exe, 00000002.00000002.6178606779.000000000A1AE000.00000004.00000001.sdmp, java.exe, 00000002.00000002.6180021747.000000000A501000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6194421305.0000000009C89000.00000004.00000001.sdmp, javaw.exe, 00000020.00000002.6215068315.000000000A689000.00000004.00000001.sdmpString found in binary or memory: http://java.sun.com/xml/stream/properties/
Source: javaw.exe, 00000020.00000002.6216561241.000000000A958000.00000004.00000001.sdmpString found in binary or memory: http://java.sun.com/xml/stream/properties/C
Source: java.exe, 00000002.00000003.4511354264.00000000153E2000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6201590664.0000000015080000.00000004.00000001.sdmp, javaw.exe, 00000020.00000003.4659222891.0000000015612000.00000004.00000001.sdmpString found in binary or memory: http://java.sun.com/xml/stream/properties/ignore-external-dtd
Source: java.exeString found in binary or memory: http://java.sun.com/xml/stream/properties/ignore-external-dtdanu
Source: java.exe, 00000002.00000002.6170153288.0000000000C05000.00000004.00000001.sdmp, java.exe, 00000002.00000002.6178606779.000000000A1AE000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6194421305.0000000009C89000.00000004.00000001.sdmp, javaw.exe, 00000020.00000002.6215068315.000000000A689000.00000004.00000001.sdmp, javaw.exe, 00000020.00000002.6216561241.000000000A958000.00000004.00000001.sdmpString found in binary or memory: http://java.sun.com/xml/stream/properties/reader-in-defined-state
Source: javaw.exeString found in binary or memory: http://java.sun.com/xml/stream/properties/reader-in-defined-stateassNotF
Source: java.exe, 00000002.00000002.6180021747.000000000A501000.00000004.00000001.sdmpString found in binary or memory: http://java.sun.com/xml/stream/properties/reader-in-defined-states
Source: javaw.exeString found in binary or memory: http://java.sun.com/xml/stream/properties/report-cdata-event
Source: javaw.exeString found in binary or memory: http://java.sun.com/xml/stream/properties/tStreaA
Source: javaw.exeString found in binary or memory: http://javax.xml.XMLConstants/feature/secure-processing
Source: javaw.exe, 0000001F.00000002.6195672071.0000000009F59000.00000004.00000001.sdmpString found in binary or memory: http://javax.xml.XMLConstants/feature/secure-processingsQ
Source: java.exe, 00000002.00000002.6170153288.0000000000C05000.00000004.00000001.sdmp, java.exe, 00000002.00000002.6178606779.000000000A1AE000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6194421305.0000000009C89000.00000004.00000001.sdmp, javaw.exe, 00000020.00000002.6215068315.000000000A689000.00000004.00000001.sdmpString found in binary or memory: http://javax.xml.XMLConstants/property/
Source: javaw.exeString found in binary or memory: http://javax.xml.XMLConstants/property//3
Source: java.exe, 00000002.00000002.6170153288.0000000000C05000.00000004.00000001.sdmpString found in binary or memory: http://javax.xml.XMLConstants/property/3
Source: javaw.exe, 0000001F.00000002.6195672071.0000000009F59000.00000004.00000001.sdmpString found in binary or memory: http://javax.xml.XMLConstants/property/;
Source: java.exe, 00000002.00000002.6170153288.0000000000C05000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6194421305.0000000009C89000.00000004.00000001.sdmp, javaw.exe, 00000020.00000002.6215068315.000000000A689000.00000004.00000001.sdmp, javaw.exe, 00000020.00000002.6216561241.000000000A958000.00000004.00000001.sdmpString found in binary or memory: http://javax.xml.XMLConstants/property/accessExternalDTD
Source: javaw.exeString found in binary or memory: http://javax.xml.XMLConstants/property/accessExternalDTD;
Source: javaw.exeString found in binary or memory: http://javax.xml.XMLConstants/property/accessExternalSchema
Source: java.exe, 00000002.00000002.6170153288.0000000000C05000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000003.4789946913.0000000014B23000.00000004.00000001.sdmp, javaw.exe, 00000020.00000003.4659733359.000000001552E000.00000004.00000001.sdmpString found in binary or memory: http://javax.xml.XMLConstants/property/accessExternalSchemaD
Source: javaw.exe, javaw.exe, 00000020.00000002.6214582429.000000000A586000.00000004.00000001.sdmpString found in binary or memory: http://null.oracle.com/
Source: javaw.exe, 0000001F.00000002.6208146065.000000006D034000.00000002.00020000.sdmp, javaw.exe, 00000020.00000002.6226299140.000000006D034000.00000002.00020000.sdmpString found in binary or memory: http://openjdk.java.net/jeps/220).
Source: java.exe, 00000002.00000002.6178021044.000000000A01D000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6194243501.0000000009C1F000.00000004.00000001.sdmp, javaw.exe, 00000020.00000002.6214850799.000000000A61F000.00000004.00000001.sdmpString found in binary or memory: http://policy.camerfirma.com0
Source: java.exe, 00000002.00000002.6178021044.000000000A01D000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6194243501.0000000009C1F000.00000004.00000001.sdmp, javaw.exe, 00000020.00000002.6214850799.000000000A61F000.00000004.00000001.sdmp | String found in binary or memory: http://repository.swisssign.com/0
Source: java.exe, 00000002.00000002.6178021044.000000000A01D000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6194243501.0000000009C1F000.00000004.00000001.sdmp, javaw.exe, 00000020.00000002.6214850799.000000000A61F000.00000004.00000001.sdmp | String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0
Source: java.exe, 00000002.00000002.6178021044.000000000A01D000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6194243501.0000000009C1F000.00000004.00000001.sdmp, javaw.exe, 00000020.00000002.6214850799.000000000A61F000.00000004.00000001.sdmp | String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: java.exe, 00000002.00000002.6178021044.000000000A01D000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6194243501.0000000009C1F000.00000004.00000001.sdmp, javaw.exe, 00000020.00000002.6214850799.000000000A61F000.00000004.00000001.sdmp | String found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
Source: java.exe, 00000002.00000002.6178021044.000000000A01D000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000003.4789946913.0000000014B23000.00000004.00000001.sdmp, javaw.exe, 00000020.00000003.4659222891.0000000015612000.00000004.00000001.sdmp | String found in binary or memory: http://www.chambersign.org1
Source: java.exe, 00000002.00000002.6170153288.0000000000C05000.00000004.00000001.sdmp, java.exe, 00000002.00000002.6178606779.000000000A1AE000.00000004.00000001.sdmp, java.exe, 00000002.00000002.6180021747.000000000A501000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6194421305.0000000009C89000.00000004.00000001.sdmp, javaw.exe, 00000020.00000002.6215068315.000000000A689000.00000004.00000001.sdmp | String found in binary or memory: http://www.oracle.com/feature/use-service-mechanism
Source: javaw.exe, 0000001F.00000002.6195672071.0000000009F59000.00000004.00000001.sdmp | String found in binary or memory: http://www.oracle.com/feature/use-service-mechanismS
Source: javaw.exe | String found in binary or memory: http://www.oracle.com/feature/use-service-mechanismutil/
Source: javaw.exe, 0000001F.00000002.6208146065.000000006D034000.00000002.00020000.sdmp, javaw.exe, 00000020.00000002.6226299140.000000006D034000.00000002.00020000.sdmp | String found in binary or memory: http://www.oracle.com/hotspot/jvm/
Source: javaw.exe, 0000001F.00000002.6208146065.000000006D034000.00000002.00020000.sdmp, javaw.exe, 00000020.00000002.6226299140.000000006D034000.00000002.00020000.sdmp | String found in binary or memory: http://www.oracle.com/hotspot/jvm/java/monitor/address
Source: javaw.exe, 0000001F.00000002.6208146065.000000006D034000.00000002.00020000.sdmp, javaw.exe, 00000020.00000002.6226299140.000000006D034000.00000002.00020000.sdmp | String found in binary or memory: http://www.oracle.com/hotspot/jvm/vm/code_sweeper/id
Source: javaw.exe, 0000001F.00000002.6208146065.000000006D034000.00000002.00020000.sdmp, javaw.exe, 00000020.00000002.6226299140.000000006D034000.00000002.00020000.sdmp | String found in binary or memory: http://www.oracle.com/hotspot/jvm/vm/compiler/id
Source: javaw.exe, 0000001F.00000002.6208146065.000000006D034000.00000002.00020000.sdmp, javaw.exe, 00000020.00000002.6226299140.000000006D034000.00000002.00020000.sdmp | String found in binary or memory: http://www.oracle.com/hotspot/jvm/vm/gc/id
Source: javaw.exe, 0000001F.00000002.6208146065.000000006D034000.00000002.00020000.sdmp, javaw.exe, 00000020.00000002.6226299140.000000006D034000.00000002.00020000.sdmp | String found in binary or memory: http://www.oracle.com/technetwork/java/javaseproducts/
Source: javaw.exe, 0000001F.00000002.6208146065.000000006D034000.00000002.00020000.sdmp, javaw.exe, 00000020.00000002.6226299140.000000006D034000.00000002.00020000.sdmp | String found in binary or memory: http://www.oracle.com/technetwork/java/javaseproducts/C:
Source: java.exe, 00000002.00000002.6170153288.0000000000C05000.00000004.00000001.sdmp, java.exe, 00000002.00000002.6178606779.000000000A1AE000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000003.4789946913.0000000014B23000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6194421305.0000000009C89000.00000004.00000001.sdmp, javaw.exe, 00000020.00000003.4678308616.000000001551A000.00000004.00000001.sdmp, javaw.exe, 00000020.00000002.6215068315.000000000A689000.00000004.00000001.sdmp | String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/
Source: javaw.exe, 0000001F.00000002.6195672071.0000000009F59000.00000004.00000001.sdmp | String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/#
Source: java.exe, 00000002.00000002.6180021747.000000000A501000.00000004.00000001.sdmp | String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/3
Source: java.exe, 00000002.00000002.6170153288.0000000000C05000.00000004.00000001.sdmp, java.exe, 00000002.00000002.6180021747.000000000A501000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000003.4789946913.0000000014B23000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6194421305.0000000009C89000.00000004.00000001.sdmp, javaw.exe, 00000020.00000003.4659019860.0000000015558000.00000004.00000001.sdmp, javaw.exe, 00000020.00000002.6215068315.000000000A689000.00000004.00000001.sdmp | String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/elementAttributeLimit
Source: javaw.exe, 00000020.00000002.6216561241.000000000A958000.00000004.00000001.sdmp | String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/elementAttributeLimitSR
Source: java.exe, 00000002.00000002.6170153288.0000000000C05000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6194421305.0000000009C89000.00000004.00000001.sdmp, javaw.exe, 00000020.00000002.6215068315.000000000A689000.00000004.00000001.sdmp | String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit
Source: java.exe, 00000002.00000002.6170153288.0000000000C05000.00000004.00000001.sdmp | String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit1D
Source: javaw.exe, 0000001F.00000002.6201590664.0000000015080000.00000004.00000001.sdmp, javaw.exe, 00000020.00000003.4659222891.0000000015612000.00000004.00000001.sdmp | String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/entityExpansionLimitZ
Source: java.exe, 00000002.00000002.6170153288.0000000000C05000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6194421305.0000000009C89000.00000004.00000001.sdmp, javaw.exe, 00000020.00000002.6215068315.000000000A689000.00000004.00000001.sdmp | String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/entityReplacementLimit
Source: javaw.exe | String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/entityReplacementLimit9
Source: java.exe, 00000002.00000002.6170153288.0000000000C05000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6194421305.0000000009C89000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6201590664.0000000015080000.00000004.00000001.sdmp, javaw.exe, 00000020.00000003.4659222891.0000000015612000.00000004.00000001.sdmp, javaw.exe, 00000020.00000002.6215068315.000000000A689000.00000004.00000001.sdmp | String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/getEntityCountInfo
Source: javaw.exe, 0000001F.00000002.6195672071.0000000009F59000.00000004.00000001.sdmp | String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/getEntityCountInfoS
Source: java.exe, 00000002.00000002.6170153288.0000000000C05000.00000004.00000001.sdmp | String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/getEntityCountInfoes/i
Source: java.exe, 00000002.00000002.6170153288.0000000000C05000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000003.4789946913.0000000014B23000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6194421305.0000000009C89000.00000004.00000001.sdmp, javaw.exe, 00000020.00000003.4659019860.0000000015558000.00000004.00000001.sdmp, javaw.exe, 00000020.00000002.6215068315.000000000A689000.00000004.00000001.sdmp | String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxElementDepth
Source: java.exe, 00000002.00000002.6170153288.0000000000C05000.00000004.00000001.sdmp, java.exe, 00000002.00000002.6180021747.000000000A501000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6194421305.0000000009C89000.00000004.00000001.sdmp, javaw.exe, 00000020.00000002.6215068315.000000000A689000.00000004.00000001.sdmp | String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxGeneralEntitySizeLimit
Source: javaw.exe | String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxGeneralEntitySizeLimitK
Source: javaw.exe | String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxOccurLimit
Source: javaw.exe, 0000001F.00000003.4789946913.0000000014B23000.00000004.00000001.sdmp, javaw.exe, 00000020.00000003.4659019860.0000000015558000.00000004.00000001.sdmp | String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxOccurLimitE
Source: javaw.exe, 0000001F.00000002.6195672071.0000000009F59000.00000004.00000001.sdmp | String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxOccurLimitcb
Source: javaw.exe | String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxParameterEntitySizeLimit
Source: javaw.exe, 0000001F.00000003.4789946913.0000000014B23000.00000004.00000001.sdmp, javaw.exe, 00000020.00000003.4659019860.0000000015558000.00000004.00000001.sdmp | String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxParameterEntitySizeLimit9
Source: java.exe, 00000002.00000002.6180021747.000000000A501000.00000004.00000001.sdmp | String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxParameterEntitySizeLimitC
Source: javaw.exe, 00000020.00000002.6216561241.000000000A958000.00000004.00000001.sdmp | String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxParameterEntitySizeLimitkS
Source: javaw.exe | String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxXMLNameLimit
Source: java.exe, 00000002.00000002.6180021747.000000000A501000.00000004.00000001.sdmp | String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxXMLNameLimitS
Source: java.exe, 00000002.00000002.6170153288.0000000000C05000.00000004.00000001.sdmp | String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxXMLNameLimitSY
Source: javaw.exe | String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/totalEntitySizeLimit
Source: javaw.exe, 0000001F.00000002.6195672071.0000000009F59000.00000004.00000001.sdmp | String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/totalEntitySizeLimit3
Source: java.exe, 00000002.00000002.6180021747.000000000A501000.00000004.00000001.sdmp | String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/totalEntitySizeLimitk
Source: javaw.exe | String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/xmlSecurityPropertyManager
Source: java.exe, 00000002.00000002.6178021044.000000000A01D000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6194243501.0000000009C1F000.00000004.00000001.sdmp, javaw.exe, 00000020.00000002.6214850799.000000000A61F000.00000004.00000001.sdmp | String found in binary or memory: http://www.quovadis.bm0
Source: java.exe, 00000002.00000002.6178021044.000000000A01D000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6194243501.0000000009C1F000.00000004.00000001.sdmp, javaw.exe, 00000020.00000002.6214850799.000000000A61F000.00000004.00000001.sdmp | String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: java.exe, 00000002.00000002.6170153288.0000000000C05000.00000004.00000001.sdmp, java.exe, 00000002.00000002.6178606779.000000000A1AE000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6194421305.0000000009C89000.00000004.00000001.sdmp, javaw.exe, 00000020.00000002.6215068315.000000000A689000.00000004.00000001.sdmp | String found in binary or memory: http://xml.org/sax/features/
Source: javaw.exe, 0000001F.00000002.6195672071.0000000009F59000.00000004.00000001.sdmp | String found in binary or memory: http://xml.org/sax/features/;
Source: java.exe, 00000002.00000002.6170153288.0000000000C05000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6194421305.0000000009C89000.00000004.00000001.sdmp, javaw.exe, 00000020.00000002.6215068315.000000000A689000.00000004.00000001.sdmp | String found in binary or memory: http://xml.org/sax/features/allow-dtd-events-after-endDTD
Source: javaw.exe | String found in binary or memory: http://xml.org/sax/features/allow-dtd-events-after-endDTDDOCUMEN=
Source: java.exe, 00000002.00000002.6180021747.000000000A501000.00000004.00000001.sdmp | String found in binary or memory: http://xml.org/sax/features/allow-dtd-events-after-endDTDk
Source: java.exe, 00000002.00000002.6180021747.000000000A501000.00000004.00000001.sdmp | String found in binary or memory: http://xml.org/sax/features/c
Source: java.exe, 00000002.00000002.6170153288.0000000000C05000.00000004.00000001.sdmp, java.exe, 00000002.00000002.6178606779.000000000A1AE000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6194421305.0000000009C89000.00000004.00000001.sdmp, javaw.exe, 00000020.00000002.6215068315.000000000A689000.00000004.00000001.sdmp | String found in binary or memory: http://xml.org/sax/features/external-general-entities
Source: javaw.exe | String found in binary or memory: http://xml.org/sax/features/external-general-entitiescum7
Source: javaw.exe | String found in binary or memory: http://xml.org/sax/features/external-parameter-entities
Source: java.exe, 00000002.00000002.6170153288.0000000000C05000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6194421305.0000000009C89000.00000004.00000001.sdmp, javaw.exe, 00000020.00000002.6215068315.000000000A689000.00000004.00000001.sdmp | String found in binary or memory: http://xml.org/sax/features/namespace-prefixes
Source: java.exe, 00000002.00000002.6170153288.0000000000C05000.00000004.00000001.sdmp | String found in binary or memory: http://xml.org/sax/features/namespace-prefixes(
Source: java.exe, 00000002.00000002.6180021747.000000000A501000.00000004.00000001.sdmp | String found in binary or memory: http://xml.org/sax/features/namespace-prefixesK
Source: javaw.exe | String found in binary or memory: http://xml.org/sax/features/namespace-prefixesng(
Source: javaw.exe | String found in binary or memory: http://xml.org/sax/features/namespaces
Source: java.exe, 00000002.00000002.6170153288.0000000000C05000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000003.4789946913.0000000014B23000.00000004.00000001.sdmp, javaw.exe, 00000020.00000003.4659733359.000000001552E000.00000004.00000001.sdmp | String found in binary or memory: http://xml.org/sax/features/namespaces&
Source: java.exe, 00000002.00000002.6180021747.000000000A501000.00000004.00000001.sdmp | String found in binary or memory: http://xml.org/sax/features/namespacesC
Source: javaw.exe, 0000001F.00000002.6195672071.0000000009F59000.00000004.00000001.sdmp | String found in binary or memory: http://xml.org/sax/features/namespacesST
Source: javaw.exe, 0000001F.00000003.4789946913.0000000014B23000.00000004.00000001.sdmp, javaw.exe, 00000020.00000003.4678308616.000000001551A000.00000004.00000001.sdmp | String found in binary or memory: http://xml.org/sax/features/til/
Source: java.exe, 00000002.00000002.6170153288.0000000000C05000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000003.4789946913.0000000014B23000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6194421305.0000000009C89000.00000004.00000001.sdmp, javaw.exe, 00000020.00000003.4659733359.000000001552E000.00000004.00000001.sdmp, javaw.exe, 00000020.00000002.6215068315.000000000A689000.00000004.00000001.sdmp | String found in binary or memory: http://xml.org/sax/features/use-entity-resolver2
Source: javaw.exe | String found in binary or memory: http://xml.org/sax/features/validation
Source: java.exe, 00000002.00000002.6170153288.0000000000C05000.00000004.00000001.sdmp, java.exe, 00000002.00000002.6180021747.000000000A501000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6194421305.0000000009C89000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6195672071.0000000009F59000.00000004.00000001.sdmp, javaw.exe, 00000020.00000002.6215068315.000000000A689000.00000004.00000001.sdmp | String found in binary or memory: http://xml.org/sax/properties/
Source: javaw.exe | String found in binary or memory: http://xml.org/sax/properties/ar(
Source: java.exe, 00000002.00000002.6170153288.0000000000C05000.00000004.00000001.sdmp, java.exe, 00000002.00000002.6178606779.000000000A1AE000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6194421305.0000000009C89000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6201590664.0000000015080000.00000004.00000001.sdmp, javaw.exe, 00000020.00000003.4659222891.0000000015612000.00000004.00000001.sdmp, javaw.exe, 00000020.00000002.6215068315.000000000A689000.00000004.00000001.sdmp | String found in binary or memory: http://xml.org/sax/properties/xml-string
Source: java.exe, 00000002.00000002.6178021044.000000000A01D000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6194243501.0000000009C1F000.00000004.00000001.sdmp, javaw.exe, 00000020.00000002.6214850799.000000000A61F000.00000004.00000001.sdmp | String found in binary or memory: https://ocsp.quovadisoffshore.com0
(Triage note: the CRL, OCSP and CPS URLs above belong to root certificates in the JRE's cacerts trust store; the www.oracle.com/xml/jaxp and xml.org/sax strings are XML parser property and feature names from the JRE class library, and the www.oracle.com/hotspot/jvm strings are HotSpot performance-counter names from jvm.dll. They appear in the memory of any Java 8 process and are not sample-specific indicators. The trailing characters after several URLs, such as "0", "S" or "util/", are adjacent bytes picked up by the string scanner, not part of the URL.)

System Summary:

Creates files inside the system directory
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | File created: C:\Windows\SysWOW64\IbeFw
Deletes files inside the Windows folder
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | File deleted: C:\Windows\SysWOW64\IbeFw
(The same java.exe process creates and then deletes C:\Windows\SysWOW64\IbeFw, so the file does not persist on disk.)
Detected potential crypto function
Source: C:\Users\user\Oracle\bin\javaw.exe | Code function: 31_3_14B27DE4
PE file does not import any functions
Source: api-ms-win-core-console-l1-1-0.dll.2.dr | Static PE information: No import functions for PE file found
(Triage note: api-ms-win-core-*.dll files are Windows API-set forwarder stubs and legitimately have no import table, so this signature is not evidence of packing. The .2.dr suffix marks the file as dropped by process 2, java.exe, the process that also populates the copied Java runtime under C:\Users\user\Oracle.)
Classification label
Source: classification engine | Classification label: mal88.troj.expl.evad.winJAR@63/40@77/1
Creates files inside the user directory
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | File created: C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-58933367-3072710494-194312298-1002\83aa4cc77f591dfc2374580bbd95f6ba_59407d34-c8c5-44df-a766-ba8a11cb1cb0
Creates mutexes
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5980:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5432:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5996:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4468:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5916:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6136:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5552:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5828:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5132:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5892:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5228:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5788:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5332:120:WilError_01
Source: C:\Windows\System32\conhost.exe | Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5632:120:WilError_01
(Triage note: conhost.exe is on the analysis whitelist (see the Warnings above); one such mutant is created per console host, so the count here mirrors the number of cmd.exe, WMIC.exe, icacls.exe and attrib.exe launches rather than any mutex the sample itself creates.)
Creates temporary files
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | File created: C:\Users\user~1\AppData\Local\Temp\hsperfdata_user
Executable is probably coded in java
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Section loaded: C:\Program Files (x86)\Java\jre1.8.0_171\bin\client\jvm.dll
Reads software policies
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Reads the hosts file
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Oracle\bin\javaw.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Oracle\bin\javaw.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Oracle\bin\javaw.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Oracle\bin\javaw.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Oracle\bin\javaw.exe | File read: C:\Windows\System32\drivers\etc\hosts
Source: C:\Users\user\Oracle\bin\javaw.exe | File read: C:\Windows\System32\drivers\etc\hosts
Sample is known by Antivirus
Source: Shippinginfo.jar | Virustotal: Detection: 36%
Sample might require command line arguments
Source: java.exe | String found in binary or memory: p.in-addr.arpa
Source: java.exe | String found in binary or memory: nonvalidating/load-dtd-grammar
Source: java.exe | String found in binary or memory: Knonvalidating/load-external-dtd
Source: java.exe | String found in binary or memory: -addProvider
Source: javaw.exe | String found in binary or memory: PiExtension-Installation
Source: javaw.exe | String found in binary or memory: sun/launcher/LauncherHelper
Source: javaw.exe | String found in binary or memory: m[Lsun/launcher/LauncherHelper;
Source: javaw.exe | String found in binary or memory: d(Ljava/lang/String;)Lsun/launcher/LauncherHelper;
Source: javaw.exe | String found in binary or memory: m(Ljava/util/List<Lsun/launcher/LauncherHelper$StdArg;>;)[Ljava/lang/String;
Source: javaw.exe | String found in binary or memory: sun/launcher/LauncherHelper$StdArg
Source: javaw.exe | String found in binary or memory: Msun/launcher/LauncherHelper$FXHelper
Source: javaw.exe | String found in binary or memory: sun/launcher/LauncherHelper$SizePrefix
Source: javaw.exe | String found in binary or memory: N{GTsun/launcher/LauncherHelper$ResourceBundleHolder&
Source: javaw.exe | String found in binary or memory: &Ljava/lang/Enum<Lsun/launcher/LauncherHelper;>;
Source: javaw.exe | String found in binary or memory: >\Lsun/launcher/LauncherHelper;
Source: javaw.exe | String found in binary or memory: }hM()[Lsun/launcher/LauncherHelper;'
Source: javaw.exe | String found in binary or memory: -addSNIExtension
Source: javaw.exe | String found in binary or memory: sun/launcher/LauncherHelper
Source: javaw.exe | String found in binary or memory: -help
(Triage note: the sun/launcher/LauncherHelper class names and descriptors, and the -help string, are the JRE's own launcher code, present in the memory of every java.exe or javaw.exe process. They do not show that Shippinginfo.jar itself parses command-line arguments; the process list below shows it being launched with -jar only.)
Spawns processes
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe' -javaagent:'C:\Users\user~1\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\Shippinginfo.jar'' >> C:\cmdlinestart.log 2>&1
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe' -javaagent:'C:\Users\user~1\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\Shippinginfo.jar'
Source: unknown | Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
Source: unknown | Process created: C:\Windows\SysWOW64\attrib.exe attrib +h 'C:\Users\user\Oracle'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\SysWOW64\attrib.exe attrib +h +r +s 'C:\Users\user\.ntusernt.ini'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\SysWOW64\attrib.exe attrib -s -r 'C:\Users\user\PDeRD\Desktop.ini'
Source: unknown | Process created: C:\Windows\SysWOW64\attrib.exe attrib +s +r 'C:\Users\user\PDeRD\Desktop.ini'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\SysWOW64\attrib.exe attrib -s -r 'C:\Users\user\PDeRD'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\SysWOW64\attrib.exe attrib +s +r 'C:\Users\user\PDeRD'
Source: unknown | Process created: C:\Windows\SysWOW64\attrib.exe attrib +h 'C:\Users\user\PDeRD'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\SysWOW64\attrib.exe attrib +h +s +r 'C:\Users\user\PDeRD\VONrc.class'
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Users\user\Oracle\bin\javaw.exe 'C:\Users\user\Oracle\bin\javaw.exe' -jar 'C:\Users\user\PDeRD\VONrc.class'
Source: unknown | Process created: C:\Users\user\Oracle\bin\javaw.exe 'C:\Users\user\Oracle\bin\javaw.exe' -jar 'C:\Users\user\PDeRD\VONrc.class'
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe
Source: unknown | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0x4
Source: unknown | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
Source: unknown | Process created: C:\Users\user\Oracle\bin\javaw.exe 'C:\Users\user\Oracle\bin\javaw.exe' -jar 'C:\Users\user\PDeRD\VONrc.class'
Source: unknown | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe' -javaagent:'C:\Users\user~1\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\Shippinginfo.jar'
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Process created: C:\Windows\SysWOW64\attrib.exe attrib +h 'C:\Users\user\Oracle'
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Process created: C:\Windows\SysWOW64\attrib.exe attrib +h +r +s 'C:\Users\user\.ntusernt.ini'
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Process created: C:\Windows\SysWOW64\attrib.exe attrib -s -r 'C:\Users\user\PDeRD\Desktop.ini'
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Process created: C:\Windows\SysWOW64\attrib.exe attrib +s +r 'C:\Users\user\PDeRD\Desktop.ini'
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Process created: C:\Windows\SysWOW64\attrib.exe attrib -s -r 'C:\Users\user\PDeRD'
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Process created: C:\Windows\SysWOW64\attrib.exe attrib +s +r 'C:\Users\user\PDeRD'
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Process created: C:\Windows\SysWOW64\attrib.exe attrib +h 'C:\Users\user\PDeRD'
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Process created: C:\Windows\SysWOW64\attrib.exe attrib +h +s +r 'C:\Users\user\PDeRD\VONrc.class'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
Source: C:\Users\user\Oracle\bin\javaw.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe
Source: C:\Users\user\Oracle\bin\javaw.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe
Source: C:\Users\user\Oracle\bin\javaw.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe
Source: C:\Users\user\Oracle\bin\javaw.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
Source: C:\Users\user\Oracle\bin\javaw.exe | Process created: unknown unknown
Source: C:\Users\user\Oracle\bin\javaw.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
(Triage note: the first cmd.exe and the -javaagent:jartracer.jar argument are the sandbox's own launch wrapper, and the icacls grant on C:\ProgramData\Oracle\Java\.oracle_jre_usage is the JRE 8 usage tracker's standard directory setup, so neither is sample behaviour. The sample-specific chain is: java.exe copies a Java runtime to C:\Users\user\Oracle and hides it with attrib +h, writes C:\Users\user\.ntusernt.ini and C:\Users\user\PDeRD\VONrc.class and marks them hidden, system and read-only, enumerates installed AV and firewall products through the root\SecurityCenter2 WMI namespace, and then relaunches its payload as javaw.exe -jar on VONrc.class; the .class extension is a disguise, since the launcher accepts any jar-format file regardless of name. The same WMIC discovery is repeated by each javaw.exe instance.)
Uses an in-process (OLE) Automation server
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
Writes ini files
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | File written: C:\Users\user\.ntusernt.ini
Uses new MSVCR Dlls
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_171\bin\msvcr100.dll
Binary contains paths to debug symbols
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u171\10807\build\windows-i586\jdk\objs\libmanagement\management.pdb | source: javaw.exe, 0000001F.00000002.6209006254.000000006ECD4000.00000002.00020000.sdmp, javaw.exe, 00000020.00000002.6227426245.000000006ECD4000.00000002.00020000.sdmp
Source: Binary string: msvcr100.i386.pdb | source: javaw.exe, 0000001F.00000002.6208656600.000000006D151000.00000020.00020000.sdmp, javaw.exe, 00000020.00000002.6226915386.000000006D151000.00000020.00020000.sdmp
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u171\10807\build\windows-i586\jdk\objs\libnio\nio.pdbyc | source: javaw.exe, 0000001F.00000002.6209116818.000000006F177000.00000002.00020000.sdmp, javaw.exe, 00000020.00000002.6227531157.000000006F177000.00000002.00020000.sdmp
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u171\10807\build\windows-i586\jdk\objs\libzip\zip.pdb | source: javaw.exe, 0000001F.00000002.6209287121.000000006F86B000.00000002.00020000.sdmp, javaw.exe, 00000020.00000002.6227751714.000000006F86B000.00000002.00020000.sdmp
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u171\10807\build\windows-i586\jdk\objs\libnio\nio.pdb | source: javaw.exe, 0000001F.00000002.6209116818.000000006F177000.00000002.00020000.sdmp, javaw.exe, 00000020.00000002.6227531157.000000006F177000.00000002.00020000.sdmp
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u171\10807\build\windows-i586\jdk\objs\libsunec\sunec.pdb | source: javaw.exe, 0000001F.00000002.6209199004.000000006F813000.00000002.00020000.sdmp, javaw.exe, 00000020.00000002.6227642936.000000006F813000.00000002.00020000.sdmp
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u171\10807\build\windows-i586\jdk\objs\libawt\awt.pdb8^ | source: javaw.exe, 0000001F.00000002.6206772093.000000006CC89000.00000002.00020000.sdmp, javaw.exe, 00000020.00000002.6224967617.000000006CC89000.00000002.00020000.sdmp
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u171\10807\build\windows-i586\jdk\objs\libzip\zip.pdbI | source: javaw.exe, 0000001F.00000002.6209287121.000000006F86B000.00000002.00020000.sdmp, javaw.exe, 00000020.00000002.6227751714.000000006F86B000.00000002.00020000.sdmp
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u171\10807\build\windows-i586\jdk\objs\libjava\java.pdb | source: javaw.exe, 0000001F.00000002.6207298157.000000006CD54000.00000002.00020000.sdmp, javaw.exe, 00000020.00000002.6225414293.000000006CD54000.00000002.00020000.sdmp
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u171\10807\build\windows-i586\jdk\objs\libnet\net.pdbY | source: javaw.exe, 0000001F.00000002.6207167217.000000006CD2D000.00000002.00020000.sdmp
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u171\10807\build\windows-i586\jdk\objs\libnet\net.pdb | source: javaw.exe, 0000001F.00000002.6207167217.000000006CD2D000.00000002.00020000.sdmp
Source: Binary string: C:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u171\10807\build\windows-i586\hotspot\windows_i486_compiler1\product\jvm.pdb | source: javaw.exe, 0000001F.00000002.6208146065.000000006D034000.00000002.00020000.sdmp, javaw.exe, 00000020.00000002.6226299140.000000006D034000.00000002.00020000.sdmp
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u171\10807\build\windows-i586\jdk\objs\libjava\java.pdbG* | source: javaw.exe, 0000001F.00000002.6207298157.000000006CD54000.00000002.00020000.sdmp, javaw.exe, 00000020.00000002.6225414293.000000006CD54000.00000002.00020000.sdmp
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u171\10807\build\windows-i586\jdk\objs\libsunmscapi\sunmscapi.pdbi/ | source: javaw.exe, 0000001F.00000002.6206325746.000000006CB34000.00000002.00020000.sdmp, javaw.exe, 00000020.00000002.6224508780.000000006CB34000.00000002.00020000.sdmp
(Triage note: every PDB path here is an Oracle build-server path for jdk8u171 (management.dll, nio.dll, zip.dll, sunec.dll, awt.dll, java.dll, net.dll, jvm.dll, sunmscapi.dll) or for the bundled msvcr100.dll, found in the memory of the javaw.exe processes running from C:\Users\user\Oracle\bin. They identify that runtime as a copy of the installed JRE 8u171 and carry no information about the sample's own code.)
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u171\10807\build\windows-i586\jdk\objs\libverify\verify.pdb source: javaw.exe, 0000001F.00000002.6209381508.000000006F886000.00000002.00020000.sdmp, javaw.exe, 00000020.00000002.6227874734.000000006F886000.00000002.00020000.sdmp
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u171\10807\build\windows-i586\jdk\objs\libawt\awt.pdb source: javaw.exe, 0000001F.00000002.6206772093.000000006CC89000.00000002.00020000.sdmp, javaw.exe, 00000020.00000002.6224967617.000000006CC89000.00000002.00020000.sdmp
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u171\10807\build\windows-i586\jdk\objs\libsunmscapi\sunmscapi.pdb source: javaw.exe, 0000001F.00000002.6206325746.000000006CB34000.00000002.00020000.sdmp, javaw.exe, 00000020.00000002.6224508780.000000006CB34000.00000002.00020000.sdmp
Source: Binary string: c:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u171\10807\build\windows-i586\jdk\objs\javaw_objs\javaw.pdb source: javaw.exe, 0000001F.00000000.4607443560.00000000008EC000.00000002.00020000.sdmp, javaw.exe, 00000020.00000002.6209519811.00000000008EC000.00000002.00020000.sdmp

Data Obfuscation:

Binary contains a suspicious time stamp
Source: initial sample | Static PE information: 0xD74605F5 [Mon Jun 12 23:21:25 2084 UTC]
PE file contains an invalid checksum
Source: api-ms-win-core-console-l1-1-0.dll.2.dr | Static PE information: real checksum: 0xe861 should be: 0x200284
Uses code obfuscation techniques (call, push, ret)
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Code function: 2_3_00CCC25C push eax; iretd 2_3_00CCC25D
Source: C:\Users\user\Oracle\bin\javaw.exe | Code function: 31_3_14B278F9 push esp; iretd 31_3_14B278FB
Source: C:\Users\user\Oracle\bin\javaw.exe | Code function: 31_3_14B2B0E9 pushfd ; iretd 31_3_14B2B0EB
Source: C:\Users\user\Oracle\bin\javaw.exe | Code function: 31_3_14B268D0 push ds; retf 31_3_14B268EA
Source: C:\Users\user\Oracle\bin\javaw.exe | Code function: 31_3_14B27931 push ebx; iretd 31_3_14B27933
Source: C:\Users\user\Oracle\bin\javaw.exe | Code function: 39_3_14F097C4 pushad ; retf 39_3_14F098C5

Persistence and Installation Behavior:

Exploit detected, runtime environment dropped PE file
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | File created: api-ms-win-core-console-l1-1-0.dll.2.dr
Uses cmd line tools excessively to alter registry or file data
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Process created: attrib.exe
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Process created: attrib.exe
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Process created: attrib.exe
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Process created: attrib.exe
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Process created: attrib.exe
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Process created: attrib.exe
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Process created: attrib.exe
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Process created: attrib.exe
Drops PE files
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | File created: C:\Users\user\Oracle\bin\concrt140.dll
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | File created: C:\Users\user\Oracle\bin\plugin2\msvcr100.dll
Source: C:\Users\user\Oracle\bin\javaw.exe | File created: C:\Users\user\AppData\Local\Temp\XTugPEgJFD7468964115117734558.xml
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | File created: C:\Users\user\Oracle\bin\dt_shmem.dll
Source: C:\Users\user\Oracle\bin\javaw.exe | File created: C:\Users\user\AppData\Local\Temp\UBeILSkxxa4259610451599432739.xml
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | File created: C:\Users\user\Oracle\bin\policytool.exe
Source: C:\Users\user\Oracle\bin\javaw.exe | File created: C:\Users\user\AppData\Local\Temp\QXYSwihFuW5181872119363116970.xml
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | File created: C:\Users\user\Oracle\bin\dtplugin\deployJava1.dll
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | File created: C:\Users\user\Oracle\bin\api-ms-win-core-console-l1-1-0.dll
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Users\user\Oracle\bin\javaw.exe | File created: C:\Users\user\AppData\Local\Temp\QXYSwihFuW5181872119363116970.xml
Source: C:\Users\user\Oracle\bin\javaw.exe | File created: C:\Users\user\AppData\Local\Temp\UBeILSkxxa4259610451599432739.xml
Source: C:\Users\user\Oracle\bin\javaw.exe | File created: C:\Users\user\AppData\Local\Temp\XTugPEgJFD7468964115117734558.xml
Creates license or readme file
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | File created: C:\Users\user\Oracle\README.txt
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | File created: C:\Users\user\Oracle\THIRDPARTYLICENSEREADME-JAVAFX.txt
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | File created: C:\Users\user\Oracle\THIRDPARTYLICENSEREADME-JAVAFX.txt
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | File created: C:\Users\user\Oracle\THIRDPARTYLICENSEREADME.txt
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | File created: C:\Users\user\Oracle\THIRDPARTYLICENSEREADME.txt

Boot Survival:

Creates autostart registry keys to launch java
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run SAxXHat "C:\Users\user\Oracle\bin\javaw.exe" -jar "C:\Users\user\PDeRD\VONrc.class"
Creates an autostart registry key
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce SAxXHat
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce SAxXHat
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce SAxXHat
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\RunOnce SAxXHat
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run SAxXHat
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Registry value created or modified: HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run SAxXHat

Hooking and other Techniques for Hiding and Protection:

Uses cacls to modify the permissions of files
Source: unknown | Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M

Malware Analysis System Evasion:

Found dropped PE file which has not been started or loaded
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Dropped PE file which has not been started: C:\Users\user\Oracle\bin\policytool.exe
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)
Source: javaw.exe, 0000001F.00000003.4791072886.00000000150E1000.00000004.00000001.sdmp | Binary or memory string: isVMWARE;
Source: javaw.exe, 0000001F.00000002.6208146065.000000006D034000.00000002.00020000.sdmp, javaw.exe, 00000020.00000002.6226299140.000000006D034000.00000002.00020000.sdmp | Binary or memory string: java/lang/VirtualMachineError
Source: javaw.exe, 0000001F.00000002.6208146065.000000006D034000.00000002.00020000.sdmp, javaw.exe, 00000020.00000002.6226299140.000000006D034000.00000002.00020000.sdmp | Binary or memory string: Unable to link/verify VirtualMachineError class
Source: java.exe, 00000002.00000002.6182519931.0000000014E60000.00000002.00000001.sdmp, WMIC.exe, 00000009.00000002.4522947011.0000000003690000.00000002.00000001.sdmp, WMIC.exe, 0000000C.00000002.4527160992.00000000032B0000.00000002.00000001.sdmp, javaw.exe, 0000001F.00000002.6201007916.0000000014C60000.00000002.00000001.sdmp, javaw.exe, 00000020.00000002.6219670823.00000000156F0000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: java.exe, 00000002.00000002.6169430490.0000000000A20000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6190265381.00000000020F0000.00000004.00000001.sdmp | Binary or memory string: ,java/lang/VirtualMachineError
Source: javaw.exe, 00000020.00000002.6215068315.000000000A689000.00000004.00000001.sdmp | Binary or memory string: vmware
Source: javaw.exe, 0000001F.00000002.6193365542.0000000004956000.00000004.00000001.sdmp | Binary or memory string: vmware+
Source: javaw.exe, 00000020.00000002.6217131478.000000000ABB9000.00000004.00000001.sdmp | Binary or memory string: isVMWARE
Source: javaw.exe, 00000020.00000002.6213038769.0000000005285000.00000004.00000001.sdmp | Binary or memory string: {"securityRetry":20,"vbox":false,"security":[],"nickName":"USA01.07.2020","installation":{"jarName":"VONrc","moduleFolder":"hPkST","moduleEntry":"YIdHuYouaHUZKuxuDOtgxqEXcCrH/mnGrCilxiDrXuJUNoctkmPhECUddMggAhxqwIsZkqEfhd/enxqDYOKZZCpkHTZfmxCnVFiAaibYBqqAfculWKLLfxPXgQlVdJPXonYKwFhofsXWdOGbmoaMvFFJSSP.YXftVEicnctJseCRgXprBvLlMNStNpqQodJYFqwQiqvetgGPkEWARkhsSmnCAxtbZtDCLIWAKjOs","uniqueIDFile":".ntusernt.ini","delay":2,"jreFolder":"Oracle","active":true,"mainFolder":"PDeRD","moduleExtension":"OIl","jarExtension":"class","jarRegistry":"SAxXHat"},"vmware":false,"encryptKey":"SAcZfJInSKFusEWhUSRkOjrSF","network":[{"delay":2,"port":5252,"dns":"ssgwire.duckdns.org"}]}
Source: javaw.exe, 00000020.00000002.6213038769.0000000005285000.00000004.00000001.sdmp | Binary or memory string: {"securityRetry":20,"vbox":false,"security":[],"nickName":"USA01.07.2020","installation":{"jarName":"VONrc","moduleFolder":"hPkST","moduleEntry":"YIdHuYouaHUZKuxuDOtgxqEXcCrH/mnGrCilxiDrXuJUNoctkmPhECUddMggAhxqwIsZkqEfhd/enxqDYOKZZCpkHTZfmxCnVFiAaibYBqqAfculWKLLfxPXgQlVdJPXonYKwFhofsXWdOGbmoaMvFFJSSP.YXftVEicnctJseCRgXprBvLlMNStNpqQodJYFqwQiqvetgGPkEWARkhsSmnCAxtbZtDCLIWAKjOs","uniqueIDFile":".ntusernt.ini","delay":2,"jreFolder":"Oracle","active":true,"mainFolder":"PDeRD","moduleExtension":"OIl","jarExtension":"class","jarRegistry":"SAxXHat"},"vmware":false,"encryptKey":"SAcZfJInSKFusEWhUSRkOjrSF","network":[{"delay":2,"port":5252,"dns":"ssgwire.duckdns.org"}]}
Source: javaw.exe, 0000001F.00000002.6208146065.000000006D034000.00000002.00020000.sdmp, javaw.exe, 00000020.00000002.6226299140.000000006D034000.00000002.00020000.sdmp | Binary or memory string: l{constant pool}CodeCache Oops C-heap JNIHandles MetaspaceAux SystemDictionary CodeCache StringTable SymbolTable Heap Threads [Verifying Genesis-2147483648Unable to link/verify Finalizer.register methodUnable to link/verify ClassLoader.addClass methodProtectionDomain.impliesCreateAccessControlContext() has the wrong linkageUnable to link/verify Unsafe.throwIllegalAccessError methodJava heap space: failed reallocation of scalar replaced objectsGC overhead limit exceededRequested array size exceeds VM limitCompressed class spaceJava heap spaceUnable to link/verify VirtualMachineError classC:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u171\10807\hotspot\src\share\vm\oops\arrayKlass.cpp[]guarantee(component_mirror()->klass() != NULL) failedshould have a classC:\re\workspace\8-2-build-windows-i586-cygwin\jdk8u171\10807\hotspot\src\share\vm\gc_interface/collectedHeap.inline.hpp - length: %dguarantee(a->length() >= 0) failedarray with negative length?guarantee(obj->is_array()) failedmust be arrayshould be klassgu
Source: javaw.exe, 0000001F.00000002.6208146065.000000006D034000.00000002.00020000.sdmp, javaw.exe, 00000020.00000002.6226299140.000000006D034000.00000002.00020000.sdmp | Binary or memory string: _well_known_klasses[SystemDictionary::VirtualMachineError_klass_knum]
Source: java.exe, 00000002.00000002.6169430490.0000000000A20000.00000004.00000001.sdmp, javaw.exe, 0000001F.00000002.6190265381.00000000020F0000.00000004.00000001.sdmp | Binary or memory string: O[Ljava/lang/VirtualMachineError;
Source: javaw.exe, 00000020.00000002.6213723177.0000000005356000.00000004.00000001.sdmp | Binary or memory string: vmware#
Source: java.exe, 00000002.00000002.6182519931.0000000014E60000.00000002.00000001.sdmp, WMIC.exe, 00000009.00000002.4522947011.0000000003690000.00000002.00000001.sdmp, WMIC.exe, 0000000C.00000002.4527160992.00000000032B0000.00000002.00000001.sdmp, javaw.exe, 0000001F.00000002.6201007916.0000000014C60000.00000002.00000001.sdmp, javaw.exe, 00000020.00000002.6219670823.00000000156F0000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: java.exe, 00000002.00000003.4511354264.00000000153E2000.00000004.00000001.sdmp | Binary or memory string: *isVMWAREd
Source: java.exe, 00000002.00000002.6182519931.0000000014E60000.00000002.00000001.sdmp, WMIC.exe, 00000009.00000002.4522947011.0000000003690000.00000002.00000001.sdmp, WMIC.exe, 0000000C.00000002.4527160992.00000000032B0000.00000002.00000001.sdmp, javaw.exe, 0000001F.00000002.6201007916.0000000014C60000.00000002.00000001.sdmp, javaw.exe, 00000020.00000002.6219670823.00000000156F0000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: java.exe, 00000002.00000002.6169030038.0000000000200000.00000004.00000020.sdmp | Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllvvBU
Source: java.exe, 00000002.00000002.6182519931.0000000014E60000.00000002.00000001.sdmp, WMIC.exe, 00000009.00000002.4522947011.0000000003690000.00000002.00000001.sdmp, WMIC.exe, 0000000C.00000002.4527160992.00000000032B0000.00000002.00000001.sdmp, javaw.exe, 0000001F.00000002.6201007916.0000000014C60000.00000002.00000001.sdmp, javaw.exe, 00000020.00000002.6219670823.00000000156F0000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Anti Debugging:

Creates guard pages, often used to prevent reverse engineering and debugging
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Memory protected: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

DLL side loading technique detected
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: C:\Windows\SysWOW64\vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: C:\Windows\SysWOW64\vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: C:\Windows\SysWOW64\vcruntime140.dll
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | Section loaded: C:\Windows\SysWOW64\vcruntime140.dll
Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe' -javaagent:'C:\Users\user~1\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\Shippinginfo.jar'
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Process created: C:\Windows\SysWOW64\attrib.exe attrib +h 'C:\Users\user\Oracle'
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Process created: C:\Windows\SysWOW64\attrib.exe attrib +h +r +s 'C:\Users\user\.ntusernt.ini'
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Process created: C:\Windows\SysWOW64\attrib.exe attrib -s -r 'C:\Users\user\PDeRD\Desktop.ini'
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Process created: C:\Windows\SysWOW64\attrib.exe attrib +s +r 'C:\Users\user\PDeRD\Desktop.ini'
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Process created: C:\Windows\SysWOW64\attrib.exe attrib -s -r 'C:\Users\user\PDeRD'
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Process created: C:\Windows\SysWOW64\attrib.exe attrib +s +r 'C:\Users\user\PDeRD'
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Process created: C:\Windows\SysWOW64\attrib.exe attrib +h 'C:\Users\user\PDeRD'
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Process created: C:\Windows\SysWOW64\attrib.exe attrib +h +s +r 'C:\Users\user\PDeRD\VONrc.class'
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
Source: C:\Users\user\Oracle\bin\javaw.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe
Source: C:\Users\user\Oracle\bin\javaw.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe
Source: C:\Users\user\Oracle\bin\javaw.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe
Source: C:\Users\user\Oracle\bin\javaw.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\wbem\WMIC.exe WMIC /Node:localhost /Namespace:\\root\SecurityCenter2 Path FirewallProduct Get displayName /Format:List
Source: C:\Users\user\Oracle\bin\javaw.exe | Process created: unknown unknown
Source: C:\Users\user\Oracle\bin\javaw.exe | Process created: unknown unknown
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
May try to detect the Windows Explorer process (often used for injection)
Source: javaw.exe, 0000001F.00000002.6190065487.0000000000CA0000.00000002.00000001.sdmp, javaw.exe, 00000020.00000002.6210475676.0000000001740000.00000002.00000001.sdmp | Binary or memory string: Program Manager
Source: javaw.exe, 0000001F.00000002.6190065487.0000000000CA0000.00000002.00000001.sdmp, javaw.exe, 00000020.00000002.6210475676.0000000001740000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: javaw.exe, 0000001F.00000002.6190065487.0000000000CA0000.00000002.00000001.sdmp, javaw.exe, 00000020.00000002.6210475676.0000000001740000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: javaw.exe, 0000001F.00000002.6190065487.0000000000CA0000.00000002.00000001.sdmp, javaw.exe, 00000020.00000002.6210475676.0000000001740000.00000002.00000001.sdmp | Binary or memory string: Progmanlock

Language, Device and Operating System Detection:

Queries the cryptographic machine GUID
Source: C:\Program Files (x86)\Java\jre1.8.0_171\bin\java.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM FirewallProduct
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM AntiVirusProduct
Source: C:\Windows\SysWOW64\wbem\WMIC.exe | WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : SELECT displayName FROM FirewallProduct

Stealing of Sensitive Information:

Yara detected JRat
Source: Yara match | File source: 00000020.00000002.6217131478.000000000ABB9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000027.00000002.6235457922.000000000A15F000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000027.00000002.6235811800.000000000A2F2000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.6178606779.000000000A1AE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.6180558734.000000000A6FE000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000027.00000002.6232964513.0000000004B55000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.6177502741.0000000004EAB000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.6195672071.0000000009F59000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.6193365542.0000000004956000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.6194421305.0000000009C89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000002.6216561241.000000000A958000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000027.00000002.6234092577.0000000009E89000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000002.00000002.6180021747.000000000A501000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000002.6213723177.0000000005356000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 00000020.00000002.6215068315.000000000A689000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: 0000001F.00000002.6196464811.000000000A1B9000.00000004.00000001.sdmp, type: MEMORY
Source: Yara match | File source: Process Memory Space: javaw.exe PID: 4908, type: MEMORY
Source: Yara match | File source: Process Memory Space: javaw.exe PID: 3964, type: MEMORY
Source: Yara match | File source: Process Memory Space: java.exe PID: 5264, type: MEMORY

Remote Access Functionality:

Yara detected JRat (same Yara matches as listed under Stealing of Sensitive Information)

Malware Configuration

No configs have been found

Behavior Graph

[Behavior graph image not reproduced. Behavior Graph ID: 201036; Sample: Shippinginfo.jar; Start date: 14/01/2020; Architecture: WINDOWS; Score: 88. DNS/IP node: ssgwire.duckdns.org. Signature nodes: Multi AV Scanner detection for submitted file, Yara detected JRat, Machine Learning detection for dropped file, 3 other signatures. Process nodes: cmd.exe, javaw.exe (three instances), java.exe, conhost.exe; the graph text is cut off here in the source.]