Analysis Report Invoice PDF.jar

Overview

General Information

Sample Name: Invoice PDF.jar
Analysis ID: 392877
MD5: 903b63e35bf8738809eab0f187027daf
SHA1: 257ff2ca9d7848e7c411790c3fa88a0aea479079
SHA256: bdfe705deebedf2b4edd1fee5bb225f3a14718f0a1007553fec5050db0f7fe08
Tags: Adwindjar

Detection

ADWIND
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected ADWIND Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AdWind RAT
Yara detected AdWind RATs dll
Exploit detected, runtime environment starts unknown processes
Java source code contains strings found in CrossRAT
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses regedit.exe to modify the Windows registry
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to query CPU information (cpuid)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Conhost Parent Process Executions
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara signature match

Classification

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Retrive7965693575833183651.vbs Avira: detection malicious, Label: VBS/Agent.276
Source: C:\Users\user\AppData\Local\Temp\Windows278170804881636675.dll Avira: detection malicious, Label: TR/Spy.Agent.lusda
Source: C:\Users\user\AppData\Local\Temp\Retrive4117647702204724132.vbs Avira: detection malicious, Label: VBS/Agent.276
Source: C:\Users\user\AppData\Local\Temp\Retrive7530640457785674935.vbs Avira: detection malicious, Label: VBS/Agent.281
Source: C:\Users\user\AppData\Local\Temp\Retrive9101275134933643330.vbs Avira: detection malicious, Label: VBS/Agent.281
Source: C:\Users\user\AppData\Local\Temp\Windows9046764930049020633.dll Avira: detection malicious, Label: TR/Spy.Agent.3850
Found malware configuration
Source: java.exe.4596.10.memstr Malware Configuration Extractor: AdWind {"NETWORK": [{"PORT": 7777, "DNS": "127.0.0.1"}], "INSTALL": false, "MODULE_PATH": "zS/lq/BTk.GI", "PLUGIN_FOLDER": "DdWDtpinxpf", "JRE_FOLDER": "HSIROD", "JAR_FOLDER": "fUTkALeaTxM", "JAR_EXTENSION": "Vybgol", "ENCRYPT_KEY": "cPFjgddXIBcXBCIseEuXTZjwi", "DELAY_INSTALL": 2, "NICKNAME": "User", "VMWARE": false, "PLUGIN_EXTENSION": "DhjWU", "WEBSITE_PROJECT": "https://jrat.io", "JAR_NAME": "uiylKSALYJr", "JAR_REGISTRY": "WLyQyhWoosi", "DELAY_CONNECT": 2, "VBOX": false}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Windows278170804881636675.dll Metadefender: Detection: 72%
Source: C:\Users\user\AppData\Local\Temp\Windows278170804881636675.dll ReversingLabs: Detection: 74%
Source: C:\Users\user\AppData\Local\Temp\Windows9046764930049020633.dll Metadefender: Detection: 46%
Source: C:\Users\user\AppData\Local\Temp\Windows9046764930049020633.dll ReversingLabs: Detection: 65%
Multi AV Scanner detection for submitted file
Source: Invoice PDF.jar Virustotal: Detection: 11%
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\README.txt
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME-JAVAFX.txt
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME.txt
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: Binary string: C:\Users\Windows10\Desktop\CryptUtil_DLL_Visual Studio 10\Release\CryptUtil.pdb source: javaw.exe, 00000009.00000002.602787359.00000000702E6000.00000002.00020000.sdmp, java.exe, 0000000A.00000002.592404131.0000000009C36000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Win10\Desktop\RetriveTitle_vb2010\Release\TitleWindow.pdb source: javaw.exe, 00000009.00000002.592935649.000000000A16B000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.590464923.0000000004881000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Windows10\Desktop\CryptUtil_DLL_Visual Studio 10\x64\Release\CryptUtil.pdb source: javaw.exe, 00000009.00000002.592935649.000000000A16B000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592404131.0000000009C36000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Windows10\Desktop\RetriveTitle\x64\Release\TitleWindow.pdb source: javaw.exe, 00000009.00000002.592935649.000000000A16B000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592404131.0000000009C36000.00000004.00000001.sdmp

Software Vulnerabilities:

Exploit detected, runtime environment starts unknown processes
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Process created: C:\Windows\SysWOW64\wscript.exe

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic Snort IDS: 2020728 ET TROJAN Possible Adwind/jSocket SSL Cert (assylias.Inc) 107.175.101.209:7865 -> 192.168.2.6:49739
Detected TCP or UDP traffic on non-standard ports
Source: global traffic TCP traffic: 192.168.2.6:49739 -> 107.175.101.209:7865
Internet Provider seen in connection with other malware
Source: Joe Sandbox View ASN Name: NEXEONUS NEXEONUS
Source: unknown TCP traffic detected without corresponding DNS query: 107.175.101.209
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/features/xinclude/fixup-base-uris6
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/features/xinclude/fixup-language
Source: java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/features/xinclude/fixup-language3
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/features/xinclude/fixup-language;
Source: java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/features/xinclude/fixup-languageS
Source: javaw.exe, 00000009.00000003.537077103.0000000014FD2000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/features/xinclude1
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/D
Source: javaw.exe, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/dom/current-element-node
Source: java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/dom/current-element-node#
Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/dom/current-element-node9
Source: javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/dom/document-class-name
Source: javaw.exe, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/dom/document-class-name$
Source: java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/dom/document-class-nameC?
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/input-buffer-size
Source: java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/input-buffer-sizes
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/datatype-validator-factory
Source: java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/datatype-validator-factoryK
Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/datatype-validator-factorys
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/document-scanner
Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/document-scanner/apach7
Source: java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/document-scannerKS
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/dtd-processor
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/dtd-processor5
Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/dtd-processorg5
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/dtd-scanner
Source: java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/dtd-scannerk
Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/dtd-scannerl.o8
Source: javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/entity-manager
Source: java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/entity-manager3
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/entity-manager8
Source: javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/entity-resolver
Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/entity-resolver7
Source: java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/entity-resolvers
Source: javaw.exe, 00000009.00000003.537077103.0000000014FD2000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/entity-resolvert
Source: javaw.exe, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/error-handler
Source: javaw.exe, 00000009.00000003.537077103.0000000014FD2000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/error-handler6
Source: javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/error-reporter
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/error-reporter:
Source: java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/error-reporterSE
Source: javaw.exe, 00000009.00000003.537077103.0000000014FD2000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/grammar-pool
Source: java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/grammar-pool3d
Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/grammar-pool6
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/namespace-binder
Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/namespace-bindern
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/namespace-context
Source: java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/namespace-context#9
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/namespace-context:
Source: java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/namespace-contextc
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/stax-entity-resolver
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/stax-entity-resolver=
Source: javaw.exe, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/symbol-table
Source: javaw.exe, 00000009.00000003.537077103.0000000014FD2000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/symbol-tableQ
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/validation-manager
Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/validation-manageron
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/validation/schema/dv-factory
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/validation/schema/dv-factory7
Source: java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/validation/schema/dv-factory;
Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/validation/schema/dv-factorypt7
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/validator/dtd
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/validator/dtd:
Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/validator/dtda:
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/validator/schema
Source: java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/validator/schema#8
Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/validator/schemaren
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/xinclude-handler
Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/xinclude-handler9
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/internal/xinclude-handlere
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/locale
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/localeJ
Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/localeoJ
Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/s/dom/iD
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/schema/external-noNamespaceSchemaLocation
Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/schema/external-noNamespaceSchemaLocationler
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/schema/external-schemaLocation
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/schema/external-schemaLocation(
Source: java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/schema/external-schemaLocationso
Source: javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/security-manager
Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/security-manager8
Source: javaw.exe, 00000009.00000003.537077103.0000000014FD2000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/security-manager:
Source: java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/properties/security-managerk
Source: javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/xmlschema/1.0/anonymousTypes
Source: java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/xmlschema/1.0/anonymousTypes#
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/xmlschema/1.0/anonymousTypesrg/w3c
Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://apache.org/xml/xmlschema/1.0/anonymousTypesxerces
Source: java.exe, 00000002.00000002.333098127.000000000531A000.00000004.00000001.sdmp, java.exe, 00000002.00000002.333182589.000000000A3C4000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.592486010.0000000009F91000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592199343.0000000009B8A000.00000004.00000001.sdmp String found in binary or memory: http://bugreport.sun.com/bugreport/
Source: javaw.exe, 00000009.00000002.593050398.000000000A203000.00000004.00000001.sdmp String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html
Source: javaw.exe, 00000009.00000002.593050398.000000000A203000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592404131.0000000009C36000.00000004.00000001.sdmp String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: javaw.exe, 00000009.00000002.592845354.000000000A0FF000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp String found in binary or memory: http://crl.chambersign.org/chambersroot.crl
Source: javaw.exe, 00000009.00000002.593050398.000000000A203000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592404131.0000000009C36000.00000004.00000001.sdmp String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: javaw.exe, 00000009.00000002.592845354.000000000A0FF000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl
Source: javaw.exe, 00000009.00000002.593050398.000000000A203000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592404131.0000000009C36000.00000004.00000001.sdmp String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: javaw.exe, 00000009.00000002.592845354.000000000A0FF000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl
Source: javaw.exe, 00000009.00000002.593050398.000000000A203000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592404131.0000000009C36000.00000004.00000001.sdmp String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: javaw.exe, 00000009.00000002.592845354.000000000A0FF000.00000004.00000001.sdmp String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: javaw.exe, 00000009.00000002.593050398.000000000A203000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592404131.0000000009C36000.00000004.00000001.sdmp String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: javaw.exe, 00000009.00000002.592845354.000000000A0FF000.00000004.00000001.sdmp String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: javaw.exe, 00000009.00000002.593050398.000000000A203000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592404131.0000000009C36000.00000004.00000001.sdmp String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: javaw.exe, 00000009.00000002.591762381.0000000004DA5000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.591752460.0000000004DA1000.00000004.00000001.sdmp String found in binary or memory: http://gG2DwoT3pJewMEBGx6.com
Source: java.exe, 00000002.00000002.333196283.000000000A3D5000.00000004.00000001.sdmp, java.exe, 00000002.00000002.333114203.0000000005332000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.592505653.0000000009F97000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592212742.0000000009B8F000.00000004.00000001.sdmp String found in binary or memory: http://java.oracle.com/
Source: javaw.exe, 00000009.00000003.537077103.0000000014FD2000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.592935649.000000000A16B000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp String found in binary or memory: http://java.sun.com/dtd/properties.dtd
Source: java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmp String found in binary or memory: http://java.sun.com/dtd/properties.dtdS%
Source: java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp String found in binary or memory: http://java.sun.com/dtd/properties.dtdk
Source: javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmp String found in binary or memory: http://java.sun.com/xml/dom/properties/
Source: java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp String found in binary or memory: http://java.sun.com/xml/dom/properties/;
Source: javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmp String found in binary or memory: http://java.sun.com/xml/dom/properties/ancestor-check
Source: java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp String found in binary or memory: http://java.sun.com/xml/dom/properties/ancestor-check3C
Source: java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp String found in binary or memory: http://java.sun.com/xml/dom/properties/ancestor-checkC
Source: javaw.exe, 00000009.00000003.537077103.0000000014FD2000.00000004.00000001.sdmp String found in binary or memory: http://java.sun.com/xml/dom/properties/ancestor-checkL
Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://java.sun.com/xml/dom/properties/ancestor-checkurr
Source: java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp String found in binary or memory: http://java.sun.com/xml/dom/properties/c
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp String found in binary or memory: http://java.sun.com/xml/dom/properties/p(
Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://java.sun.com/xml/dom/properties/r(
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://java.sun.com/xml/jaxp/properties/
Source: javaw.exe, javaw.exe, 00000009.00000003.537077103.0000000014FD2000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmp String found in binary or memory: http://java.sun.com/xml/jaxp/properties/schemaLanguage
Source: java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp String found in binary or memory: http://java.sun.com/xml/jaxp/properties/schemaLanguage#
Source: java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp String found in binary or memory: http://java.sun.com/xml/jaxp/properties/schemaLanguage3)
Source: javaw.exe, 00000009.00000003.537077103.0000000014FD2000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://java.sun.com/xml/jaxp/properties/schemaLanguage4
Source: javaw.exe, 00000009.00000003.537077103.0000000014FD2000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp String found in binary or memory: http://java.sun.com/xml/jaxp/properties/schemaSource
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://java.sun.com/xml/schema/features/
Source: java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp String found in binary or memory: http://java.sun.com/xml/schema/features/S
Source: javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://java.sun.com/xml/schema/features/report-ignored-element-content-whitespace
Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://java.sun.com/xml/schema/features/report-ignored-element-content-whitespace0
Source: javaw.exe, 00000009.00000003.537077103.0000000014FD2000.00000004.00000001.sdmp String found in binary or memory: http://java.sun.com/xml/schema/features/report-ignored-element-content-whitespacet
Source: java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmp String found in binary or memory: http://java.sun.com/xml/schema/features/x
Source: javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp String found in binary or memory: http://java.sun.com/xml/stream/properties/
Source: java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmp String found in binary or memory: http://java.sun.com/xml/stream/properties/3p
Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://java.sun.com/xml/stream/properties/Impl
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp String found in binary or memory: http://java.sun.com/xml/stream/properties/Lorg/wA
Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://java.sun.com/xml/stream/properties/ignore-external-dtd
Source: javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp String found in binary or memory: http://java.sun.com/xml/stream/properties/reader-in-defined-state
Source: java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmp String found in binary or memory: http://java.sun.com/xml/stream/properties/reader-in-defined-stateKo
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp String found in binary or memory: http://java.sun.com/xml/stream/properties/reader-in-defined-stateodeIter
Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://java.sun.com/xml/stream/properties/reader-in-defined-statesun/org
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://java.sun.com/xml/stream/properties/report-cdata-event
Source: javaw.exe, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp String found in binary or memory: http://javax.xml.XMLConstants/feature/secure-processing
Source: java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp String found in binary or memory: http://javax.xml.XMLConstants/feature/secure-processingc
Source: javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp String found in binary or memory: http://javax.xml.XMLConstants/property/
Source: javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmp String found in binary or memory: http://javax.xml.XMLConstants/property/accessExternalDTD
Source: java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp String found in binary or memory: http://javax.xml.XMLConstants/property/accessExternalDTD3
Source: javaw.exe, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://javax.xml.XMLConstants/property/accessExternalDTD;
Source: java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp String found in binary or memory: http://javax.xml.XMLConstants/property/accessExternalDTDS
Source: javaw.exe, 00000009.00000003.537077103.0000000014FD2000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://javax.xml.XMLConstants/property/accessExternalSchema
Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://javax.xml.XMLConstants/property/accessExternalSchemaD
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp String found in binary or memory: http://javax.xml.XMLConstants/property/s3
Source: javaw.exe, 00000009.00000003.536827543.0000000015847000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.592336171.0000000004ECE000.00000004.00000001.sdmp String found in binary or memory: http://maven.apache.org/POM/4.0.0
Source: javaw.exe, 00000009.00000003.536827543.0000000015847000.00000004.00000001.sdmp String found in binary or memory: http://maven.apache.org/maven-v4_0_0.xsd
Source: javaw.exe, javaw.exe, 00000009.00000002.592845354.000000000A0FF000.00000004.00000001.sdmp, java.exe, java.exe, 0000000A.00000002.592404131.0000000009C36000.00000004.00000001.sdmp String found in binary or memory: http://null.oracle.com/
Source: wscript.exe, 00000005.00000002.372915284.00000000006F3000.00000004.00000010.sdmp String found in binary or memory: http://ops.com.pa/jre7.zip
Source: wscript.exe, 00000005.00000003.340480526.00000000053F9000.00000004.00000001.sdmp String found in binary or memory: http://ops.com.pa/jre7.zipW
Source: javaw.exe, 00000009.00000002.593050398.000000000A203000.00000004.00000001.sdmp String found in binary or memory: http://policy.camerfirma.com
Source: javaw.exe, 00000009.00000002.593050398.000000000A203000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592404131.0000000009C36000.00000004.00000001.sdmp String found in binary or memory: http://policy.camerfirma.com0
Source: javaw.exe, 00000009.00000002.593050398.000000000A203000.00000004.00000001.sdmp String found in binary or memory: http://repository.swisssign.com/
Source: javaw.exe, 00000009.00000002.593050398.000000000A203000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592404131.0000000009C36000.00000004.00000001.sdmp String found in binary or memory: http://repository.swisssign.com/0
Source: javaw.exe, 00000009.00000002.593181082.000000000A27A000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592945279.0000000009E32000.00000004.00000001.sdmp String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl
Source: javaw.exe, 00000009.00000002.593050398.000000000A203000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592404131.0000000009C36000.00000004.00000001.sdmp String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0
Source: java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl3
Source: javaw.exe, 00000009.00000002.592336171.0000000004ECE000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/
Source: javaw.exe, 00000009.00000003.536827543.0000000015847000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: javaw.exe, 00000009.00000003.536827543.0000000015847000.00000004.00000001.sdmp String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0.txt
Source: javaw.exe, 00000009.00000002.593050398.000000000A203000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.590748343.00000000048DE000.00000004.00000001.sdmp String found in binary or memory: http://www.certplus.com/CRL/class2.crl
Source: javaw.exe, 00000009.00000002.593050398.000000000A203000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592404131.0000000009C36000.00000004.00000001.sdmp String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: javaw.exe, 00000009.00000002.593050398.000000000A203000.00000004.00000001.sdmp String found in binary or memory: http://www.certplus.com/CRL/class3P.crl
Source: javaw.exe, 00000009.00000002.593050398.000000000A203000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592404131.0000000009C36000.00000004.00000001.sdmp String found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
Source: javaw.exe, 00000009.00000002.592845354.000000000A0FF000.00000004.00000001.sdmp String found in binary or memory: http://www.chambersign.org
Source: javaw.exe, 00000009.00000002.593050398.000000000A203000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592404131.0000000009C36000.00000004.00000001.sdmp String found in binary or memory: http://www.chambersign.org1
Source: javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp String found in binary or memory: http://www.oracle.com/feature/use-service-mechanism
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp String found in binary or memory: http://www.oracle.com/feature/use-service-mechanism/w3c/
Source: java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp String found in binary or memory: http://www.oracle.com/feature/use-service-mechanismk
Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://www.oracle.com/feature/use-service-mechanismrg/ap
Source: javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties//w3c/d
Source: java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/K
Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/ache/x
Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/elementAttributeLimit
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/elementAttributeLimitA
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit
Source: javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/entityReplacementLimit
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/entityReplacementLimit9
Source: java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/entityReplacementLimitk
Source: javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/getEntityCountInfo
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/getEntityCountInfodrop
Source: java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/getEntityCountInfok
Source: java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/k
Source: javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxElementDepth
Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxElementDepth/sun/orC
Source: java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxElementDepthC
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxElementDepthg;)V
Source: javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxGeneralEntitySizeLimit
Source: java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxGeneralEntitySizeLimit#
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxGeneralEntitySizeLimitringB7
Source: javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxOccurLimit
Source: java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxOccurLimit;
Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxOccurLimitE
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxOccurLimitwE
Source: javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxParameterEntitySizeLimit
Source: java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxParameterEntitySizeLimitCF
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxParameterEntitySizeLimitorg9
Source: javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxXMLNameLimit
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxXMLNameLimit)(Ljava
Source: java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxXMLNameLimit3h
Source: javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/totalEntitySizeLimit
Source: java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/totalEntitySizeLimit;0
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/totalEntitySizeLimitrn
Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/xmlSecurityPropertyManager
Source: javaw.exe, 00000009.00000002.592845354.000000000A0FF000.00000004.00000001.sdmp String found in binary or memory: http://www.quovadis.bm
Source: javaw.exe, 00000009.00000002.593050398.000000000A203000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592404131.0000000009C36000.00000004.00000001.sdmp String found in binary or memory: http://www.quovadis.bm0
Source: javaw.exe, 00000009.00000002.593181082.000000000A27A000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592945279.0000000009E32000.00000004.00000001.sdmp String found in binary or memory: http://www.quovadisglobal.com/cps
Source: javaw.exe, 00000009.00000002.593050398.000000000A203000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592404131.0000000009C36000.00000004.00000001.sdmp String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmp String found in binary or memory: http://xml.org/sax/features/
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp String found in binary or memory: http://xml.org/sax/features//dom
Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://xml.org/sax/features/0co
Source: java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp String found in binary or memory: http://xml.org/sax/features/C
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://xml.org/sax/features/allow-dtd-events-after-endDTD
Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://xml.org/sax/features/allow-dtd-events-after-endDTD=
Source: java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmp String found in binary or memory: http://xml.org/sax/features/allow-dtd-events-after-endDTDs7
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp String found in binary or memory: http://xml.org/sax/features/external-general-entities
Source: java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmp String found in binary or memory: http://xml.org/sax/features/external-general-entities#
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp String found in binary or memory: http://xml.org/sax/features/external-general-entities7
Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://xml.org/sax/features/external-general-entitieswna7
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmp String found in binary or memory: http://xml.org/sax/features/external-parameter-entities
Source: java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp String found in binary or memory: http://xml.org/sax/features/external-parameter-entitiesK?
Source: javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmp String found in binary or memory: http://xml.org/sax/features/namespace-prefixes
Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://xml.org/sax/features/namespace-prefixesnt(
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp String found in binary or memory: http://xml.org/sax/features/namespace-prefixeso
Source: javaw.exe, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://xml.org/sax/features/namespaces
Source: javaw.exe, 00000009.00000003.537077103.0000000014FD2000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://xml.org/sax/features/namespaces&
Source: javaw.exe, 00000009.00000003.537077103.0000000014FD2000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://xml.org/sax/features/use-entity-resolver2
Source: javaw.exe, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://xml.org/sax/features/validation
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp String found in binary or memory: http://xml.org/sax/properties/
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp String found in binary or memory: http://xml.org/sax/properties/(
Source: java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp String found in binary or memory: http://xml.org/sax/properties/c
Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://xml.org/sax/properties/e
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp String found in binary or memory: http://xml.org/sax/properties/xml-string
Source: javaw.exe, 00000009.00000003.536827543.0000000015847000.00000004.00000001.sdmp String found in binary or memory: https://github.com/xerial/sqlite-jdbc
Source: javaw.exe, 00000009.00000002.592935649.000000000A16B000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.589242015.0000000004690000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592404131.0000000009C36000.00000004.00000001.sdmp String found in binary or memory: https://jrat.io
Source: java.exe, 0000000A.00000002.592979586.0000000009E5B000.00000004.00000001.sdmp String found in binary or memory: https://jrat.ioS
Source: java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592945279.0000000009E32000.00000004.00000001.sdmp String found in binary or memory: https://ocsp.quovadisoffshore.com
Source: javaw.exe, 00000009.00000002.593050398.000000000A203000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592404131.0000000009C36000.00000004.00000001.sdmp String found in binary or memory: https://ocsp.quovadisoffshore.com0
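Most of the URLs above are noise: JAXP/SAX feature URIs, Apache licence and Maven strings, and the CRL/OCSP endpoints of CA certificates that ship in the JRE's cacerts store all appear in the memory of any Java 8 process. The variants with one or two trailing characters (zipW, ioS, camerfirma.com0) are the memory scanner reading past the string's end into adjacent bytes, not distinct indicators. The following script is an added example, not part of the Joe Sandbox report: it collapses those over-read variants onto the clean string when one was also seen, then drops hits whose host is on an allowlist. The sample hits are copied from the report above with their source lists shortened; BENIGN_HOSTS and MAX_JUNK are this example's own assumptions, not values the report states.

```python
"""Triage of the 'String found in binary or memory' hits from a sandbox report.

Added example, not part of the Joe Sandbox report. BENIGN_HOSTS and MAX_JUNK
are assumptions made for this example.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed input: a subset of the report's hits, source lists shortened.
SAMPLE_HITS = r"""
Source: javaw.exe, javaw.exe, 00000009.00000003.537077103.0000000014FD2000.00000004.00000001.sdmp String found in binary or memory: http://java.sun.com/xml/jaxp/properties/schemaLanguage
Source: javaw.exe, 00000009.00000003.537077103.0000000014FD2000.00000004.00000001.sdmp String found in binary or memory: http://java.sun.com/xml/jaxp/properties/schemaLanguage4
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp String found in binary or memory: http://java.sun.com/xml/schema/features/
Source: java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp String found in binary or memory: http://java.sun.com/xml/schema/features/S
Source: wscript.exe, 00000005.00000002.372915284.00000000006F3000.00000004.00000010.sdmp String found in binary or memory: http://ops.com.pa/jre7.zip
Source: wscript.exe, 00000005.00000003.340480526.00000000053F9000.00000004.00000001.sdmp String found in binary or memory: http://ops.com.pa/jre7.zipW
Source: javaw.exe, 00000009.00000002.593050398.000000000A203000.00000004.00000001.sdmp String found in binary or memory: http://policy.camerfirma.com
Source: javaw.exe, 00000009.00000002.593050398.000000000A203000.00000004.00000001.sdmp String found in binary or memory: http://policy.camerfirma.com0
Source: javaw.exe, 00000009.00000003.536827543.0000000015847000.00000004.00000001.sdmp String found in binary or memory: https://github.com/xerial/sqlite-jdbc
Source: javaw.exe, 00000009.00000002.592935649.000000000A16B000.00000004.00000001.sdmp String found in binary or memory: https://jrat.io
Source: java.exe, 0000000A.00000002.592979586.0000000009E5B000.00000004.00000001.sdmp String found in binary or memory: https://jrat.ioS
"""

# Assumed allowlist (lower-case): hosts present in the memory of any JRE 8
# process because of the XML parser, Maven metadata, or cacerts CRL/OCSP URLs.
BENIGN_HOSTS = {
    "java.sun.com", "www.oracle.com", "null.oracle.com", "xml.org",
    "javax.xml.xmlconstants", "maven.apache.org", "www.apache.org",
    "policy.camerfirma.com", "repository.swisssign.com",
    "trustcenter-crl.certificat2.com", "www.certplus.com",
    "www.chambersign.org", "www.quovadis.bm", "www.quovadisglobal.com",
    "ocsp.quovadisoffshore.com",
}

HIT_RE = re.compile(
    r"^Source: (?P<proc>\S+?),.*?String found in binary or memory: (?P<url>\S+)$"
)
MAX_JUNK = 10  # assumed upper bound on how far the scanner over-reads past a string


def parse_hits(text):
    """Yield (process, raw_url) for every string-hit line in the report text."""
    for line in text.splitlines():
        m = HIT_RE.match(line.strip())
        if m:
            yield m["proc"], m["url"]


def canonicalise(urls):
    """Map each raw hit to the longest other hit that is a proper prefix of it,
    provided the leftover tail is at most MAX_JUNK characters. A short tail on
    top of a string that was also seen clean is scanner over-read, not a new URL.
    Caveat: two genuinely distinct URLs differing only in a short suffix would be
    merged too, so keep MAX_JUNK small and review the merged set."""
    seen = set(urls)
    canon = {}
    for u in seen:
        prefixes = [c for c in seen
                    if c != u and u.startswith(c) and len(u) - len(c) <= MAX_JUNK]
        canon[u] = max(prefixes, key=len) if prefixes else u
    return canon


def triage(text, benign_hosts=BENIGN_HOSTS):
    """Return (iocs, noise): iocs maps each surviving URL to the processes that
    held it; noise is the sorted list of allowlisted URLs that were dropped."""
    hits = list(parse_hits(text))
    canon = canonicalise(u for _, u in hits)
    iocs, noise = defaultdict(set), set()
    for proc, raw in hits:
        url = canon[raw]
        host = (urlsplit(url).hostname or "").lower()
        if host in benign_hosts:
            noise.add(url)
        else:
            iocs[url].add(proc)
    return {u: sorted(p) for u, p in sorted(iocs.items())}, sorted(noise)


if __name__ == "__main__":
    found, dropped = triage(SAMPLE_HITS)
    for url, procs in found.items():
        print(f"IOC {url}  seen in {', '.join(procs)}")
    print(f"{len(dropped)} allowlisted URL(s) dropped")
```

On the sample above this leaves three URLs: the jre7.zip download in wscript.exe memory (the stage that fetches a runtime), https://jrat.io in both JVM processes, and the sqlite-jdbc project URL, which is not an indicator of compromise by itself but is consistent with the SQLite statements found in javaw.exe memory further down. The allowlist is deliberately not applied to github.com so that bundled-library references still reach the analyst.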

System Summary:

Malicious sample detected (through community Yara rule)
Source: C:\Users\user\AppData\Local\Temp\_0.5473048333189129536838706564981496.class, type: DROPPED Matched rule: Detects JRAT malware Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\jhxromh.txt, type: DROPPED Matched rule: Detects JRAT malware Author: Florian Roth
Uses regedit.exe to modify the Windows registry
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regedit.exe 'regedit.exe' 'C:\Users\user\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg'
Creates files inside the system directory
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe File created: C:\Windows\SysWOW64\test.txt
Detected potential crypto function
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Code function: 2_2_02D638EB 2_2_02D638EB
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Code function: 2_2_02D5ED57 2_2_02D5ED57
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Code function: 10_3_15362A40 10_3_15362A40
Dropped file seen in connection with other malware
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\Windows278170804881636675.dll A6BE5BE2D16A24430C795FAA7AB7CC7826ED24D6D4BC74AD33DA5C2ED0C793D0
Yara signature match
Source: C:\Users\user\AppData\Local\Temp\_0.5473048333189129536838706564981496.class, type: DROPPED Matched rule: MAL_JRAT_Oct18_1 date = 2018-10-11, hash1 = ce190c37a6fdb2632f4bc5ea0bb613b3fbe697d04e68e126b41910a6831d3411, author = Florian Roth, description = Detects JRAT malware, reference = Internal Research
Source: C:\Users\user\AppData\Roaming\jhxromh.txt, type: DROPPED Matched rule: MAL_JRAT_Oct18_1 date = 2018-10-11, hash1 = ce190c37a6fdb2632f4bc5ea0bb613b3fbe697d04e68e126b41910a6831d3411, author = Florian Roth, description = Detects JRAT malware, reference = Internal Research
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winJAR@133/260@0/3
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe File created: C:\Users\user\bgddtomvyl.js
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6716:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4740:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6320:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4568:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6984:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4272:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4512:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6848:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5688:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6688:120:WilError_01
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe File created: C:\Users\user\AppData\Local\Temp\hsperfdata_user
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Section loaded: C:\Program Files (x86)\Java\jre1.8.0_211\bin\client\jvm.dll
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive4117647702204724132.vbs
Source: C:\Windows\SysWOW64\icacls.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\cscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: javaw.exe, 00000009.00000002.594264473.000000000A597000.00000004.00000001.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: javaw.exe, 00000009.00000002.594264473.000000000A597000.00000004.00000001.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: javaw.exe, 00000009.00000002.594264473.000000000A597000.00000004.00000001.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: javaw.exe, 00000009.00000002.594264473.000000000A597000.00000004.00000001.sdmp Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: javaw.exe, 00000009.00000002.594264473.000000000A597000.00000004.00000001.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: javaw.exe, 00000009.00000002.594264473.000000000A597000.00000004.00000001.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: javaw.exe, 00000009.00000002.594264473.000000000A597000.00000004.00000001.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: javaw.exe, 00000009.00000002.590526543.0000000004C5F000.00000004.00000001.sdmp Binary or memory string: SELECT * FROM wow_logins;
Source: javaw.exe, 00000009.00000002.594264473.000000000A597000.00000004.00000001.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: javaw.exe, 00000009.00000002.594264473.000000000A597000.00000004.00000001.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: javaw.exe, 00000009.00000002.594264473.000000000A597000.00000004.00000001.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: javaw.exe, 00000009.00000002.594264473.000000000A597000.00000004.00000001.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: javaw.exe, 00000009.00000002.590526543.0000000004C5F000.00000004.00000001.sdmp Binary or memory string: SELECT * FROM LOGINS;
Source: javaw.exe, 00000009.00000002.594264473.000000000A597000.00000004.00000001.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: Invoice PDF.jar Virustotal: Detection: 11%
Source: javaw.exe String found in binary or memory: -addDropTarget
Source: java.exe String found in binary or memory: mB/LoadStoreParameter
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\Invoice PDF.jar'' >> C:\cmdlinestart.log 2>&1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\Invoice PDF.jar'
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M
Source: C:\Windows\SysWOW64\icacls.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Process created: C:\Windows\SysWOW64\wscript.exe wscript C:\Users\user\bgddtomvyl.js
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regedit.exe 'regedit.exe' 'C:\Users\user\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg'
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe' -jar 'C:\Users\user\AppData\Roaming\jhxromh.txt'
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -jar C:\Users\user\AppData\Local\Temp\_0.5473048333189129536838706564981496.class
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive4117647702204724132.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive4117647702204724132.vbs
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive7965693575833183651.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive7965693575833183651.vbs
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive7530640457785674935.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive7530640457785674935.vbs
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive9101275134933643330.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive9101275134933643330.vbs
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Process created: C:\Windows\SysWOW64\xcopy.exe xcopy 'C:\Program Files (x86)\Java\jre1.8.0_211' 'C:\Users\user\AppData\Roaming\Oracle\' /e
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM ProcessHacker.exe /T /F
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c regedit.exe /s C:\Users\user\AppData\Local\Temp\GYcBDbnJPA3276512531836276281.reg
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\Invoice PDF.jar'
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Process created: C:\Windows\SysWOW64\wscript.exe wscript C:\Users\user\bgddtomvyl.js
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regedit.exe 'regedit.exe' 'C:\Users\user\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg'
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe' -jar 'C:\Users\user\AppData\Roaming\jhxromh.txt'
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -jar C:\Users\user\AppData\Local\Temp\_0.5473048333189129536838706564981496.class
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive4117647702204724132.vbs
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive7530640457785674935.vbs
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Process created: C:\Windows\SysWOW64\xcopy.exe xcopy 'C:\Program Files (x86)\Java\jre1.8.0_211' 'C:\Users\user\AppData\Roaming\Oracle\' /e
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM ProcessHacker.exe /T /F
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c regedit.exe /s C:\Users\user\AppData\Local\Temp\GYcBDbnJPA3276512531836276281.reg
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive7965693575833183651.vbs
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive7965693575833183651.vbs
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive9101275134933643330.vbs
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive4117647702204724132.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive7965693575833183651.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive7530640457785674935.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive9101275134933643330.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
Source: Window Recorder Window detected: More than 3 window changes detected
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: Binary string: C:\Users\Windows10\Desktop\CryptUtil_DLL_Visual Studio 10\Release\CryptUtil.pdb source: javaw.exe, 00000009.00000002.602787359.00000000702E6000.00000002.00020000.sdmp, java.exe, 0000000A.00000002.592404131.0000000009C36000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Win10\Desktop\RetriveTitle_vb2010\Release\TitleWindow.pdb source: javaw.exe, 00000009.00000002.592935649.000000000A16B000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.590464923.0000000004881000.00000004.00000001.sdmp
Source: Binary string: b.pxb.ppb.phb.pXb.pDb.p8b.p,b.p source: javaw.exe, 00000009.00000002.602797426.00000000702E9000.00000004.00020000.sdmp
Source: Binary string: C:\Users\Windows10\Desktop\CryptUtil_DLL_Visual Studio 10\x64\Release\CryptUtil.pdb source: javaw.exe, 00000009.00000002.592935649.000000000A16B000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592404131.0000000009C36000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Windows10\Desktop\RetriveTitle\x64\Release\TitleWindow.pdb source: javaw.exe, 00000009.00000002.592935649.000000000A16B000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592404131.0000000009C36000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Windows10\Desktop\CryptUtil_DLL_Visual Studio 10\Release\CryptUtil.pdbP8PP@Y source: javaw.exe, 00000009.00000002.602787359.00000000702E6000.00000002.00020000.sdmp, java.exe, 0000000A.00000002.592404131.0000000009C36000.00000004.00000001.sdmp

Data Obfuscation:

Uses code obfuscation techniques (call, push, ret)
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Code function: 2_2_02CBB377 push 00000000h; mov dword ptr [esp], esp 2_2_02CBB39D
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Code function: 2_2_02CBBB27 push 00000000h; mov dword ptr [esp], esp 2_2_02CBBB4D
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Code function: 2_2_02CBA1CA push ecx; ret 2_2_02CBA1DA
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Code function: 2_2_02CBA1DB push ecx; ret 2_2_02CBA1E5
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Code function: 2_2_02CBB907 push 00000000h; mov dword ptr [esp], esp 2_2_02CBB92D
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Code function: 2_2_02CBC437 push 00000000h; mov dword ptr [esp], esp 2_2_02CBC45D
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Code function: 2_2_02CC2D44 push eax; retf 2_2_02CC2D45
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Code function: 2_2_02D60315 push cs; retf 2_2_02DF051C
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Code function: 2_2_02D59891 push cs; retf 2_2_02D598B1
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Code function: 9_3_1572CF33 push eax; iretd 9_3_1572CF45
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Code function: 9_3_14F5DC8C push E814F5CAh; retf 9_3_14F5DC91
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Code function: 9_3_14F5BE7C push E814F5CAh; retf 9_3_14F5BE81
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Code function: 9_3_14F65459 push ds; retf 9_3_14F6545A
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Code function: 9_3_14F5CB1B push E814F5CDh; retf 9_3_14F5CBC5
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Code function: 10_3_1529CB0C pushad ; retf 10_3_1529CB39

Persistence and Installation Behavior:

Drops PE files
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-private-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\kinit.exe
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-processenvironment-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\prism_sw.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-processthreads-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jfxwebkit.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-time-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jabswitch.exe
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\splashscreen.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jfr.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\javafx_font_t2k.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-errorhandling-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-string-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\glib-lite.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\deploy.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\j2pcsc.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\msvcp140.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jp2launcher.exe
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\pack200.exe
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\glass.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-locale-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\unpack200.exe
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\dtplugin\deployJava1.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\client\jvm.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\ktab.exe
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\gstreamer-lite.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jsdt.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-math-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\hprof.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\JAWTAccessBridge-32.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\dt_shmem.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\ssv.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-runtime-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-console-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\j2pkcs11.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jawt.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\javaws.exe
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-file-l1-2-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\javacpl.exe
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\java.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\javafx_iio.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\policytool.exe
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\t2k.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\sunec.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\eula.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\java_crw_demo.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\bci.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\rmiregistry.exe
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jpeg.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\wsdetect.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\vcruntime140.dll
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\fxplugins.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\WindowsAccessBridge-32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-multibyte-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\servertool.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\decora_sse.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\ssvagent.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\dt_socket.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-environment-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\verify.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\msvcr100.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\JavaAccessBridge-32.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-util-l1-1-0.dll Jump to dropped file
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe File created: C:\Users\user\AppData\Local\Temp\Windows278170804881636675.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jdwp.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-process-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\java.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-convert-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\w2k_lsa_auth.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jfxmedia.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\plugin2\npjp2.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jsoundds.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\zip.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-processthreads-l1-1-1.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\resource.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\java-rmi.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-file-l2-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\ucrtbase.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-profile-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-conio-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jp2ssv.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\dcpr.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\keytool.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\plugin2\msvcr100.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-rtlsupport-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jli.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\npt.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-sysinfo-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\fontmanager.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jaas_nt.dll Jump to dropped file
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe File created: C:\Users\user\AppData\Local\Temp\sqlite-3.8.11.2-42eaffe0-b8ea-4880-ab72-6ea9a41a3e14-sqlitejdbc.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-debug-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\rmid.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\nio.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\net.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-libraryloader-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\tnameserv.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\lcms.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\prism_common.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\instrument.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-datetime-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jp2iexp.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\concrt140.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\prism_d3d.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-heap-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\mlib_image.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-namedpipe-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\awt.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\management.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jjs.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-stdio-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\sunmscapi.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\dtplugin\npdeployJava1.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jsound.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\jp2native.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-file-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\klist.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\unpack.dll Jump to dropped file
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe File created: C:\Users\user\AppData\Local\Temp\Windows9046764930049020633.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\javacpl.cpl Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\javafx_font.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-timezone-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-utility-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\orbd.exe Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-string-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-memory-l1-1-0.dll Jump to dropped file
Drops files with a non-matching file extension (content does not match file extension)
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\bin\javacpl.cpl
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\README.txt
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME-JAVAFX.txt
Source: C:\Windows\SysWOW64\xcopy.exe File created: C:\Users\user\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME.txt

Hooking and other Techniques for Hiding and Protection:

Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Source: C:\Windows\SysWOW64\wscript.exe Registry key monitored for changes: HKEY_CURRENT_USER_Classes
Uses cacls to modify the permissions of files
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M
Source: C:\Windows\SysWOW64\wscript.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\regedit.exe Process information set: NOOPENFILEERRORBOX
Source: C:\Windows\SysWOW64\cscript.exe Process information set: NOOPENFILEERRORBOX

Malware Analysis System Evasion:

Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmp Binary or memory string: SUPERANTISPYWARE.EXE
Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmp Binary or memory string: DUMPCAP.EXE
Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmp Binary or memory string: WIRESHARK.EXE
Contains capabilities to detect virtual machines
Source: C:\Windows\SysWOW64\wscript.exe File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
Found WSH timer for Javascript or VBS script (likely evasive script)
Source: C:\Windows\SysWOW64\wscript.exe Window found: window name: WSH-Timer
Found dropped PE file which has not been started or loaded
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-private-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\kinit.exe
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-processenvironment-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\prism_sw.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-processthreads-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jfxwebkit.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-time-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\splashscreen.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jabswitch.exe
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jfr.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-heap-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\javafx_font_t2k.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-errorhandling-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-string-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\glib-lite.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\msvcp140.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\deploy.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\j2pcsc.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\pack200.exe
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jp2launcher.exe
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\glass.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-locale-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\unpack200.exe
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\dtplugin\deployJava1.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\ktab.exe
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-filesystem-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\gstreamer-lite.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jsdt.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-math-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\hprof.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-synch-l1-2-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\JAWTAccessBridge-32.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\dt_shmem.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\ssv.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-runtime-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-console-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-handle-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\j2pkcs11.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\javaws.exe
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-file-l1-2-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-synch-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\javacpl.exe
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-localization-l1-2-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\javafx_iio.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\policytool.exe
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\t2k.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\eula.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-interlocked-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\java_crw_demo.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\bci.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\rmiregistry.exe
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jpeg.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\wsdetect.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\vcruntime140.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\WindowsAccessBridge-32.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\fxplugins.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-multibyte-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\servertool.exe
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\decora_sse.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\ssvagent.exe
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\dt_socket.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-environment-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\JavaAccessBridge-32.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-util-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jdwp.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-process-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-convert-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\w2k_lsa_auth.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jfxmedia.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\plugin2\npjp2.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jsoundds.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-processthreads-l1-1-1.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\resource.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\java-rmi.exe
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-file-l2-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-profile-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-conio-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jp2ssv.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\dcpr.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\keytool.exe
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-rtlsupport-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jli.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\npt.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-sysinfo-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\fontmanager.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jaas_nt.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-debug-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\rmid.exe
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-libraryloader-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\tnameserv.exe
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\lcms.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\prism_common.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-datetime-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jp2iexp.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\concrt140.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\prism_d3d.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-heap-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\mlib_image.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-namedpipe-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jjs.exe
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-stdio-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\dtplugin\npdeployJava1.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jsound.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jp2native.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-file-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\klist.exe
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\unpack.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\javacpl.cpl
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\javafx_font.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-timezone-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\orbd.exe
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-utility-l1-1-0.dll
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-string-l1-1-0.dll Jump to dropped file
Source: C:\Windows\SysWOW64\xcopy.exe Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-memory-l1-1-0.dll Jump to dropped file
Sample execution stops while process was sleeping (likely an evasion)
Source: C:\Windows\System32\conhost.exe Last function: Thread delayed
Contains capabilities to detect virtual machines
Source: java.exe, 0000000A.00000002.592979586.0000000009E5B000.00000004.00000001.sdmp Binary or memory string: VMWARE;|
Source: java.exe, 0000000A.00000002.589242015.0000000004690000.00000004.00000001.sdmp Binary or memory string: {"NETWORK":[{"PORT":7777,"DNS":"127.0.0.1"}],"INSTALL":false,"MODULE_PATH":"zS/lq/BTk.GI","PLUGIN_FOLDER":"DdWDtpinxpf","JRE_FOLDER":"HSIROD","JAR_FOLDER":"fUTkALeaTxM","JAR_EXTENSION":"Vybgol","ENCRYPT_KEY":"cPFjgddXIBcXBCIseEuXTZjwi","DELAY_INSTALL":2,"NICKNAME":"User","VMWARE":false,"PLUGIN_EXTENSION":"DhjWU","WEBSITE_PROJECT":"https://jrat.io","JAR_NAME":"uiylKSALYJr","JAR_REGISTRY":"WLyQyhWoosi","DELAY_CONNECT":2,"VBOX":false}
Source: java.exe, 00000002.00000002.336190557.00000000155D0000.00000002.00000001.sdmp, wscript.exe, 00000005.00000002.375981336.00000000061D0000.00000002.00000001.sdmp, javaw.exe, 00000009.00000002.599666578.0000000015B70000.00000002.00000001.sdmp, java.exe, 0000000A.00000002.595530638.0000000014E10000.00000002.00000001.sdmp Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: java.exe, 00000002.00000002.332031373.0000000002B40000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.588443966.0000000002520000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.588652984.00000000024B0000.00000004.00000001.sdmp Binary or memory string: ,java/lang/VirtualMachineError
Source: java.exe, 00000002.00000002.332031373.0000000002B40000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.588443966.0000000002520000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.588652984.00000000024B0000.00000004.00000001.sdmp Binary or memory string: |[Ljava/lang/VirtualMachineError;
Source: java.exe, 0000000A.00000002.590033578.0000000004813000.00000004.00000001.sdmp Binary or memory string: VMWARE
Source: java.exe, 0000000A.00000002.590033578.0000000004813000.00000004.00000001.sdmp Binary or memory string: VMWARE+
Source: java.exe, 00000002.00000002.336190557.00000000155D0000.00000002.00000001.sdmp, wscript.exe, 00000005.00000002.375981336.00000000061D0000.00000002.00000001.sdmp, javaw.exe, 00000009.00000002.599666578.0000000015B70000.00000002.00000001.sdmp, java.exe, 0000000A.00000002.595530638.0000000014E10000.00000002.00000001.sdmp Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: java.exe, 00000002.00000002.336190557.00000000155D0000.00000002.00000001.sdmp, wscript.exe, 00000005.00000002.375981336.00000000061D0000.00000002.00000001.sdmp, javaw.exe, 00000009.00000002.599666578.0000000015B70000.00000002.00000001.sdmp, java.exe, 0000000A.00000002.595530638.0000000014E10000.00000002.00000001.sdmp Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: javaw.exe, 00000009.00000003.427734710.0000000015002000.00000004.00000001.sdmp Binary or memory string: C:\Program Files (x86)\VMware\VMware Tools
Source: java.exe, 00000002.00000002.336190557.00000000155D0000.00000002.00000001.sdmp, wscript.exe, 00000005.00000002.375981336.00000000061D0000.00000002.00000001.sdmp, javaw.exe, 00000009.00000002.599666578.0000000015B70000.00000002.00000001.sdmp, java.exe, 0000000A.00000002.595530638.0000000014E10000.00000002.00000001.sdmp Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.

Anti Debugging:

Enables debug privileges
Source: C:\Windows\SysWOW64\taskkill.exe Process token adjusted: Debug
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Memory protected: page read and write | page guard

HIPS / PFW / Operating System Protection Evasion:

Creates a process in suspended mode (likely to inject code)
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\Invoice PDF.jar'
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Process created: C:\Windows\SysWOW64\wscript.exe wscript C:\Users\user\bgddtomvyl.js
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regedit.exe 'regedit.exe' 'C:\Users\user\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg'
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe' -jar 'C:\Users\user\AppData\Roaming\jhxromh.txt'
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -jar C:\Users\user\AppData\Local\Temp\_0.5473048333189129536838706564981496.class
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive4117647702204724132.vbs
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive7530640457785674935.vbs
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Process created: C:\Windows\SysWOW64\xcopy.exe xcopy 'C:\Program Files (x86)\Java\jre1.8.0_211' 'C:\Users\user\AppData\Roaming\Oracle\' /e
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM ProcessHacker.exe /T /F
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c regedit.exe /s C:\Users\user\AppData\Local\Temp\GYcBDbnJPA3276512531836276281.reg
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Process created: unknown unknown
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive7965693575833183651.vbs
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive7965693575833183651.vbs
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive9101275134933643330.vbs
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive4117647702204724132.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive7965693575833183651.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive7530640457785674935.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive9101275134933643330.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
Uses taskkill to terminate processes
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM ProcessHacker.exe /T /F
Source: javaw.exe, 00000009.00000002.593505828.000000000A358000.00000004.00000001.sdmp Binary or memory string: {"ACTIVE_WINDOW":"Program Manager","COMMAND":5}e","UserReg.exe"],"NAME":"Twister Antivirus"}],"DELAY_CONNECT":2,"SERVER_PATH":"C:\\Users\\user\\AppData\\Roaming\\jhxromh.txt","VBOX":true,"RAM":"8.0 GB"}cc.exe","psview.exe","quamgr.exe","quamgr.exe","sc
Source: javaw.exe, 00000009.00000002.590078490.0000000004BEE000.00000004.00000001.sdmp Binary or memory string: F{"ACTIVE_WINDOW":"Program Manager","COMMAND":5}
Source: javaw.exe, 00000009.00000002.590078490.0000000004BEE000.00000004.00000001.sdmp Binary or memory string: Program Manager
Source: javaw.exe, 00000009.00000002.588380714.0000000001110000.00000002.00000001.sdmp, java.exe, 0000000A.00000002.588591333.00000000010A0000.00000002.00000001.sdmp Binary or memory string: Shell_TrayWnd
Source: javaw.exe, 00000009.00000002.588380714.0000000001110000.00000002.00000001.sdmp, java.exe, 0000000A.00000002.588591333.00000000010A0000.00000002.00000001.sdmp Binary or memory string: Progman
Source: javaw.exe, 00000009.00000002.593505828.000000000A358000.00000004.00000001.sdmp Binary or memory string: t/{"ACTIVE_WINDOW":"Program Manager","COMMAND":5}e","FortiFW.exe","FortiClient_Diagnostic_Tool.exe","av_task.exe"],"NAME":"FortiClient"},{"PROCESS":["CertReg.exe","FilMsg.exe","FilUp.exe","filwscc.exe","filwscc.exe","psview.exe","quamgr.exe","quamgr.exe","schmgr.exe","schmgr.exe","twsscan.exe","twssrv.exe","UserReg.exe"],"NAME":"Twister Antivirus"}],"DELAY_CONNECT":2,"SERVER_PATH":"C:\\Users\\user\\AppData\\Roaming\\jhxromh.txt","VBOX":true,"RAM":"8.0 GB"}"],"NAME":"VIPRE Security 2015"},{"PROCESS":["bavhm.exe","BavSvc.exe","BavTray.exe","Bav.exe","BavWebClient.exe","BavUpdater.exe"],"NAME":"Baidu Antivirus 2015"},{"PROCESS":["MCShieldCCC.exe","MCShieldRTM.exe","MCShieldDS.exe","MCS-Uninstall.exe"],"NAME":"MCShield Anti-Malware Tool"},{"PROCESS":["SDScan.exe","SDFSSvc.exe","SDWelcome.exe","SDTray.exe"],"NAME":"SPYBOT AntiMalware"},{"PROCESS":["UnThreat.exe","utsvc.exe"],"NAME":"UnThreat Antivirus"},{"PROCESS":["FortiClient.exe","fcappdb.exe","FCDBlog.exe","FCHelper64.exe","fmon.exe","FortiESNAC.exe","Forx
Source: javaw.exe, 00000009.00000002.588380714.0000000001110000.00000002.00000001.sdmp, java.exe, 0000000A.00000002.588591333.00000000010A0000.00000002.00000001.sdmp Binary or memory string: &Program Manager
Source: javaw.exe, 00000009.00000002.590078490.0000000004BEE000.00000004.00000001.sdmp Binary or memory string: /{"ACTIVE_WINDOW":"Program Manager","COMMAND":5}
Source: javaw.exe, 00000009.00000002.588380714.0000000001110000.00000002.00000001.sdmp, java.exe, 0000000A.00000002.588591333.00000000010A0000.00000002.00000001.sdmp Binary or memory string: Progmanlock
Source: javaw.exe, 00000009.00000002.593505828.000000000A358000.00000004.00000001.sdmp Binary or memory string: /{"ACTIVE_WINDOW":"Program Manager","COMMAND":5}e","FortiFW.exe","FortiClient_Diagnostic_Tool.exe","av_task.exe"],"NAME":"FortiClient"},{"PROCESS":["CertReg.exe","FilMsg.exe","FilUp.exe","filwscc.exe","filwscc.exe","psview.exe","quamgr.exe","quamgr.exe","schmgr.exe","schmgr.exe","twsscan.exe","twssrv.exe","UserReg.exe"],"NAME":"Twister Antivirus"}],"DELAY_CONNECT":2,"SERVER_PATH":"C:\\Users\\user\\AppData\\Roaming\\jhxromh.txt","VBOX":true,"RAM":"8.0 GB"}"],"NAME":"VIPRE Security 2015"},{"PROCESS":["bavhm.exe","BavSvc.exe","BavTray.exe","Bav.exe","BavWebClient.exe","BavUpdater.exe"],"NAME":"Baidu Antivirus 2015"},{"PROCESS":["MCShieldCCC.exe","MCShieldRTM.exe","MCShieldDS.exe","MCS-Uninstall.exe"],"NAME":"MCShield Anti-Malware Tool"},{"PROCESS":["SDScan.exe","SDFSSvc.exe","SDWelcome.exe","SDTray.exe"],"NAME":"SPYBOT AntiMalware"},{"PROCESS":["UnThreat.exe","utsvc.exe"],"NAME":"UnThreat Antivirus"},{"PROCESS":["FortiClient.exe","fcappdb.exe","FCDBlog.exe","FCHelper64.exe","fmon.exe","FortiESNAC.exe","For
Source: javaw.exe, 00000009.00000002.590078490.0000000004BEE000.00000004.00000001.sdmp Binary or memory string: "{"ACTIVE_WINDOW":"Program Manager"
Source: javaw.exe, 00000009.00000002.590078490.0000000004BEE000.00000004.00000001.sdmp Binary or memory string: t/{"ACTIVE_WINDOW":"Program Manager","COMMAND":5}
Source: javaw.exe, 00000009.00000002.589280464.0000000004A22000.00000004.00000001.sdmp Binary or memory string: Program Manager?<
Source: javaw.exe, 00000009.00000002.593576639.000000000A3CA000.00000004.00000001.sdmp Binary or memory string: /{"ACTIVE_WINDOW":"Program Manager","COMMAND":5}0

Language, Device and Operating System Detection:

Contains functionality to query CPU information (cpuid)
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Code function: 2_2_02CB0380 cpuid 2_2_02CB0380
Source: C:\Windows\SysWOW64\wscript.exe Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Lowering of HIPS / PFW / Operating System Security Settings:

AV process strings found (often used to terminate AV products)
Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmp Binary or memory string: EMLPROXY.EXE
Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmp Binary or memory string: AVKService.exe
Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmp Binary or memory string: fsgk32.exe
Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmp Binary or memory string: AVKProxy.exe
Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmp Binary or memory string: AVKTray.exe
Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmp Binary or memory string: SBAMTray.exe
Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmp Binary or memory string: K7RTScan.exe
Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmp Binary or memory string: FSMA32.EXE
Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmp Binary or memory string: ONLINENT.EXE
Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmp Binary or memory string: SCANWSCS.EXE
Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmp Binary or memory string: SUPERAntiSpyware.exe
Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmp Binary or memory string: MsMpEng.exe
Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmp Binary or memory string: K7FWSrvc.exe
Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmp Binary or memory string: guardxservice.exe
Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmp Binary or memory string: K7TSecurity.exe
Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmp Binary or memory string: K7PSSrvc.exe
Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmp Binary or memory string: MSASCui.exe
Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmp Binary or memory string: cmdagent.exe
Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmp Binary or memory string: acs.exe
Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmp Binary or memory string: K7TSMngr.exe
Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmp Binary or memory string: BullGuard.exe
Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmp Binary or memory string: wireshark.exe
Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmp Binary or memory string: virusutilities.exe
Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmp Binary or memory string: K7EmlPxy.EXE
Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmp Binary or memory string: ClamTray.exe
Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmp Binary or memory string: SBAMSvc.exe
Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmp Binary or memory string: procexp.exe
Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmp Binary or memory string: FPAVServer.exe
Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmp Binary or memory string: mbam.exe
Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmp Binary or memory string: QUHLPSVC.EXE
Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmp Binary or memory string: FProtTray.exe
Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmp Binary or memory string: ClamWin.exe
Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmp Binary or memory string: op_mon.exe
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Source: C:\Windows\SysWOW64\cscript.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntiVirusProduct
Source: C:\Windows\SysWOW64\cscript.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntiVirusProduct
Source: C:\Windows\SysWOW64\cscript.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from FirewallProduct
Source: C:\Windows\SysWOW64\cscript.exe WMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from FirewallProduct

Stealing of Sensitive Information:

Yara detected AdWind RAT
Source: Yara match File source: Process Memory Space: java.exe PID: 4596, type: MEMORY
Yara detected AdWind RATs dll
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Windows278170804881636675.dll, type: DROPPED
Source: Yara match File source: 10.2.java.exe.4881274.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.javaw.exe.740d0000.8.unpack, type: UNPACKEDPE
Tries to harvest and steal browser information (history, passwords, etc)
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

Remote Access Functionality:

Detected ADWIND Rat
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Dropped file: Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2")Set colItems = oWMI.ExecQuery("Select * from AntiVirusProduct")For Each objItem in colItems With objItem WScript.Echo "{""AV"":""" & .displayName & """}" End WithNext
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Dropped file: Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2")Set colItems = oWMI.ExecQuery("Select * from FirewallProduct")For Each objItem in colItems With objItem WScript.Echo "{""FIREWALL"":""" & .displayName & """}" End WithNext
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Dropped file: Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2")Set colItems = oWMI.ExecQuery("Select * from AntiVirusProduct")For Each objItem in colItems With objItem WScript.Echo "{""AV"":""" & .displayName & """}" End WithNext
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Dropped file: Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2")Set colItems = oWMI.ExecQuery("Select * from FirewallProduct")For Each objItem in colItems With objItem WScript.Echo "{""FIREWALL"":""" & .displayName & """}" End WithNext
Yara detected AdWind RAT
Source: Yara match File source: Process Memory Space: java.exe PID: 4596, type: MEMORY
Yara detected AdWind RATs dll
Source: Yara match File source: C:\Users\user\AppData\Local\Temp\Windows278170804881636675.dll, type: DROPPED
Source: Yara match File source: 10.2.java.exe.4881274.1.raw.unpack, type: UNPACKEDPE
Source: Yara match File source: 9.2.javaw.exe.740d0000.8.unpack, type: UNPACKEDPE
Java source code contains strings found in CrossRAT
Source: jhxromh.txt.5.dr Suspicious string: operational.JRat (in operational/Jrat.java)
Source: _0.5473048333189129536838706564981496.class.9.dr Suspicious string: operational.JRat (in operational/Jrat.java)
Behavior Graph

Behavior Graph ID: 392877
Sample: Invoice PDF.jar
Startdate: 19/04/2021
Architecture: WINDOWS
Score: 100

Signatures attached to the root node:

  • Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
  • Found malware configuration
  • Malicious sample detected (through community Yara rule)
  • 9 other signatures

Process tree recovered from the graph (node numbers in parentheses; "dropped" entries are files written by that process, "contacts" entries are network endpoints it reached):

  • cmd.exe (11), started
      • java.exe (13), started
          • wscript.exe (17), started
              dropped: C:\Users\user\...\ebgeaegdbdecaedfebace.reg, ASCII
              signature: Uses regedit.exe to modify the Windows registry
              • javaw.exe (25), started
                  contacts: 107.175.101.209, ports 49739, 49774, 49786, NEXEONUS, United States
                  contacts: 192.168.2.1, unknown, unknown
                  dropped: C:\Users\...\Windows9046764930049020633.dll, PE32
                  dropped: C:\Users\...\Windows278170804881636675.dll, PE32
                  dropped: C:\Users\...\Retrive7530640457785674935.vbs, ASCII
                  dropped: 2 other files (1 malicious)
                  signature: Tries to harvest and steal browser information (history, passwords, etc)
                  • xcopy.exe (34), started
                      dropped: C:\Users\user\AppData\Roaming\...\zip.dll, PE32
                      dropped: C:\Users\user\AppData\...\wsdetect.dll, PE32
                      dropped: C:\Users\user\AppData\...\w2k_lsa_auth.dll, PE32
                      dropped: 128 other files (none is malicious)
                  • java.exe (37), started
                      contacts: 127.0.0.1, unknown, unknown
                      dropped: C:\Users\...\Retrive9101275134933643330.vbs, ASCII
                      dropped: C:\Users\...\Retrive7965693575833183651.vbs, ASCII
                      • cmd.exe (44), started
                          • conhost.exe (62), started
                          • cscript.exe (64), started
                      • cmd.exe (46), started
                          • conhost.exe (66), started
                          • cscript.exe (68), started
                      • cmd.exe (48), started
                          • conhost.exe (70), started
                      • conhost.exe (50), started
                  • cmd.exe (40), started
                      • conhost.exe (52), started
                      • cscript.exe (54), started
                  • 4 other processes (42)
                      • conhost.exe (56), started
                      • cscript.exe (58), started
                      • conhost.exe (60), started
              • regedit.exe (30), started
          • icacls.exe (21), started
              • conhost.exe (32), started
      • conhost.exe (15), started
          • conhost.exe (23), started

Contacted Public IPs

IP               Domain   Country        ASN    ASN Name   Malicious
107.175.101.209  unknown  United States  20278  NEXEONUS   true

Private IPs

IP
192.168.2.1
127.0.0.1