Windows Analysis Report
12-09-2022 S#U0130PAR#U0130#U015e.docx.doc

Overview

General Information

Sample Name: 12-09-2022 S#U0130PAR#U0130#U015e.docx.doc
Analysis ID: 701320
MD5: 7e8133cf5f56adcfafb9bc91390c9fe7
SHA1: 2cc6471245901e51565ad69df6b8586629965cf1
SHA256: 7859fd95c60a0d76fa99eb42277501b20f76a377c1395b504acff5dd22533027
Tags: doc

Detection

AdWind
Score: 80
Range: 0 - 100
Whitelisted: false
Confidence: 100%

Signatures

Document exploit detected (creates forbidden files)
Multi AV Scanner detection for submitted file
Yara detected AdWind RAT
Document contains OLE streams which likely are hidden ActiveX objects
Document exploit detected (process start blacklist hit)
Queries sensitive BIOS Information (via WMI, Win32_Bios & Win32_BaseBoard, often done to detect virtual machines)
Uses cacls to modify the permissions of files
Uses code obfuscation techniques (call, push, ret)
Contains functionality to detect virtual machines (SLDT)
Detected potential crypto function
Contains functionality to query CPU information (cpuid)
Queries sensitive processor information (via WMI, Win32_Processor, often done to detect virtual machines)
Creates a process in suspended mode (likely to inject code)
Queries sensitive Operating System Information (via WMI, Win32_ComputerSystem, often done to detect virtual machines)

Classification

  • System is w10x64
  • WINWORD.EXE (PID: 5016 cmdline: "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding MD5: 0B9AB9B9C4DE429473D6450D4297A123)
    • splwow64.exe (PID: 2292 cmdline: C:\Windows\splwow64.exe 12288 MD5: 8D59B31FF375059E3C32B17BF31A76D5)
    • javaw.exe (PID: 4196 cmdline: "C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe" -jar "C:\Users\user\AppData\Local\Temp\a0v2H8.jar" MD5: 4BFEB2F64685DA09DEBB95FB981D4F65)
      • icacls.exe (PID: 5908 cmdline: C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M MD5: FF0D1D4317A44C951240FAE75075D501)
        • conhost.exe (PID: 6108 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • WMIC.exe (PID: 6168 cmdline: wmic CPU get ProcessorId MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)
        • conhost.exe (PID: 6188 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • WMIC.exe (PID: 6404 cmdline: wmic bios get serialnumber MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)
        • conhost.exe (PID: 6412 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • WMIC.exe (PID: 6468 cmdline: wmic csproduct get name MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)
        • conhost.exe (PID: 6476 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • WMIC.exe (PID: 6528 cmdline: wmic csproduct get UUID MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)
        • conhost.exe (PID: 6536 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 6584 cmdline: cmd.exe /c ver MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 6592 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
    • javaw.exe (PID: 6860 cmdline: "C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe" -jar "C:\Users\user\AppData\Local\Temp\a0v2H8.jar" MD5: 4BFEB2F64685DA09DEBB95FB981D4F65)
      • WMIC.exe (PID: 5040 cmdline: wmic CPU get ProcessorId MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)
        • conhost.exe (PID: 6124 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • WMIC.exe (PID: 6316 cmdline: wmic bios get serialnumber MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)
        • conhost.exe (PID: 6328 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • WMIC.exe (PID: 6380 cmdline: wmic csproduct get name MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)
        • conhost.exe (PID: 6388 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • WMIC.exe (PID: 6260 cmdline: wmic csproduct get UUID MD5: 79A01FCD1C8166C5642F37D1E0FB7BA8)
        • conhost.exe (PID: 6172 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
      • cmd.exe (PID: 320 cmdline: cmd.exe /c ver MD5: F3BDBE3BB6F734E357235F4D5898582D)
        • conhost.exe (PID: 968 cmdline: C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 MD5: EA777DEEA782E8B4D7C7C33BBF8A4496)
  • cleanup
No configs have been found
Source | Rule | Description | Author | Strings
0000001D.00000002.391533154.0000000004F88000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AdWind_2 | Yara detected AdWind RAT | Joe Security |
0000000D.00000002.339042980.000000000458C000.00000004.00000800.00020000.00000000.sdmp | JoeSecurity_AdWind_2 | Yara detected AdWind RAT | Joe Security |
Process Memory Space: javaw.exe PID: 4196 | JoeSecurity_AdWind_2 | Yara detected AdWind RAT | Joe Security |
Process Memory Space: javaw.exe PID: 6860 | JoeSecurity_AdWind_2 | Yara detected AdWind RAT | Joe Security |

No Sigma rule has matched
No Snort rule has matched

AV Detection

Source: 12-09-2022 S#U0130PAR#U0130#U015e.docx.doc | ReversingLabs: Detection: 26%
Source: 12-09-2022 S#U0130PAR#U0130#U015e.docx.doc | Virustotal: Detection: 17%
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File opened: C:\Windows\SysWOW64\MSVCR100.dll

Software Vulnerabilities

Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | File created: C:\Users\user\AppData\Local\Temp\a0v2H8.jar
Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE | Process created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
          Source: javaw.exe, 0000000D.00000003.320291966.00000000158DD000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320060542.00000000158D6000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.342740838.00000000158E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.400679296.00000000153CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://apache.org/xml/features/validation/schema/element-defaultA
          Source: javaw.exe, 0000000D.00000002.339989862.000000000489E000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320291966.00000000158DD000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.339346371.00000000046B1000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320060542.00000000158D6000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.342740838.00000000158E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.393476612.00000000052A2000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.392078517.00000000050B1000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.400679296.00000000153CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://apache.org/xml/features/validation/schema/normalized-value
          Source: javaw.exe, 0000000D.00000003.320291966.00000000158DD000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320060542.00000000158D6000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.342740838.00000000158E9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://apache.org/xml/features/validation/schema/normalized-valueB
          Source: javaw.exe, 0000000D.00000002.339346371.00000000046B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://apache.org/xml/features/validation/schemaSu
          Source: javaw.exe, 0000000D.00000002.339989862.000000000489E000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320291966.00000000158DD000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320060542.00000000158D6000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.342740838.00000000158E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.394548246.000000000A3F3000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.400679296.00000000153CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://apache.org/xml/features/validation/warn-on-duplicate-attdef
          Source: javaw.exe, 0000000D.00000002.339346371.00000000046B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://apache.org/xml/features/validation/warn-on-duplicate-attdef3(
          Source: javaw.exe, 0000001D.00000002.392078517.00000000050B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://apache.org/xml/features/validation/warn-on-duplicate-attdefkb
          Source: javaw.exe, 0000000D.00000002.339989862.000000000489E000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320291966.00000000158DD000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320060542.00000000158D6000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.342740838.00000000158E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.393476612.00000000052A2000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.400679296.00000000153CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://apache.org/xml/features/validation/warn-on-undeclared-elemdef
          Source: javaw.exe, 0000000D.00000002.339346371.00000000046B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://apache.org/xml/features/validation/warn-on-undeclared-elemdef3
          Source: javaw.exe, 0000000D.00000003.320291966.00000000158DD000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320060542.00000000158D6000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.342740838.00000000158E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.400679296.00000000153CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://apache.org/xml/features/validation/warn-on-undeclared-elemdef:
          Source: javaw.exe, 0000001D.00000002.392078517.00000000050B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://apache.org/xml/features/validation/warn-on-undeclared-elemdefKV(
          Source: javaw.exe, 0000000D.00000002.339989862.000000000489E000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320291966.00000000158DD000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.339346371.00000000046B1000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320060542.00000000158D6000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.342740838.00000000158E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.393476612.00000000052A2000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.392078517.00000000050B1000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.400679296.00000000153CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://apache.org/xml/features/warn-on-duplicate-entitydef
          Source: javaw.exe, 0000000D.00000003.320693354.0000000000D07000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.339989862.000000000489E000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.339346371.00000000046B1000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.338079307.0000000000D07000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.394548246.000000000A3F3000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.392078517.00000000050B1000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.402461340.0000000015414000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://apache.org/xml/features/xinclude
          Source: javaw.exe, 0000000D.00000002.339989862.000000000489E000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320291966.00000000158DD000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320060542.00000000158D6000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.342740838.00000000158E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.393476612.00000000052A2000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.392078517.00000000050B1000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.400679296.00000000153CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://apache.org/xml/features/xinclude/fixup-base-uris
          Source: javaw.exe, 0000000D.00000003.320291966.00000000158DD000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320060542.00000000158D6000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.342740838.00000000158E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.400679296.00000000153CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://apache.org/xml/features/xinclude/fixup-base-uris6
          Source: javaw.exe, 0000000D.00000002.339346371.00000000046B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://apache.org/xml/features/xinclude/fixup-base-urisS
          Source: javaw.exe, 0000000D.00000002.339989862.000000000489E000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320291966.00000000158DD000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.339346371.00000000046B1000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320060542.00000000158D6000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.342740838.00000000158E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.393476612.00000000052A2000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.392078517.00000000050B1000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.400679296.00000000153CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://apache.org/xml/features/xinclude/fixup-language
          Source: javaw.exe, 0000000D.00000003.320291966.00000000158DD000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320060542.00000000158D6000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.342740838.00000000158E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.400679296.00000000153CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://apache.org/xml/features/xinclude/fixup-language;
          Source: javaw.exe, 0000000D.00000003.320693354.0000000000D07000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.338079307.0000000000D07000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.402461340.0000000015414000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://apache.org/xml/features/xinclude1
          Source: javaw.exe, 0000000D.00000002.339989862.000000000489E000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320291966.00000000158DD000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.339346371.00000000046B1000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320060542.00000000158D6000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.342740838.00000000158E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.393476612.00000000052A2000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.392078517.00000000050B1000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.400679296.00000000153CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://apache.org/xml/properties/
          Source: javaw.exe, 0000000D.00000002.339989862.000000000489E000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.339346371.00000000046B1000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.394548246.000000000A3F3000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.392078517.00000000050B1000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.400679296.00000000153CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://apache.org/xml/properties/dom/current-element-node
          Source: javaw.exe, 0000001D.00000002.400679296.00000000153CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://apache.org/xml/properties/dom/current-element-node9
          Source: javaw.exe, 0000000D.00000003.320291966.00000000158DD000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320060542.00000000158D6000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.342740838.00000000158E9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://apache.org/xml/properties/dom/current-element-nodem
          Source: javaw.exe, 0000000D.00000002.339989862.000000000489E000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.339346371.00000000046B1000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.393476612.00000000052A2000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.392078517.00000000050B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://apache.org/xml/properties/dom/document-class-name
          Source: javaw.exe, 0000000D.00000003.320291966.00000000158DD000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320060542.00000000158D6000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.342740838.00000000158E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.400679296.00000000153CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://apache.org/xml/properties/dom/document-class-name$
          Source: javaw.exe, 0000000D.00000002.340435134.00000000099FB000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.394548246.000000000A3F3000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.392078517.00000000050B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://apache.org/xml/properties/input-buffer-size
          Source: javaw.exe, 0000000D.00000003.320744023.0000000000D14000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320693354.0000000000D07000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.338103470.0000000000D21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://apache.org/xml/properties/input-buffer-sizeNamedI
          Source: javaw.exe, 0000000D.00000002.339346371.00000000046B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://apache.org/xml/properties/input-buffer-sizec
          Source: javaw.exe, 0000001D.00000002.399242595.0000000015340000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://apache.org/xml/properties/input-buffer-sizexerces
          Source: javaw.exe, 0000000D.00000002.339989862.000000000489E000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320291966.00000000158DD000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320060542.00000000158D6000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.342740838.00000000158E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.393476612.00000000052A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/datatype-validator-factory
          Source: javaw.exe, 0000000D.00000002.339346371.00000000046B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/datatype-validator-factoryC.
          Source: javaw.exe, 0000001D.00000002.392078517.00000000050B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/datatype-validator-factoryKh(
          Source: javaw.exe, 0000001D.00000002.400679296.00000000153CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/datatype-validator-factoryh
          Source: javaw.exe, 0000000D.00000002.339989862.000000000489E000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320291966.00000000158DD000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320060542.00000000158D6000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.342740838.00000000158E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.394548246.000000000A3F3000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.392078517.00000000050B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/document-scanner
          Source: javaw.exe, 0000000D.00000002.339346371.00000000046B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/document-scanner#
          Source: javaw.exe, 0000000D.00000003.320291966.00000000158DD000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320060542.00000000158D6000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.342740838.00000000158E9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/document-scanner7
          Source: javaw.exe, 0000001D.00000002.400679296.00000000153CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/document-scanner=
          Source: javaw.exe, 0000000D.00000002.339989862.000000000489E000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320291966.00000000158DD000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.339346371.00000000046B1000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320060542.00000000158D6000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.342740838.00000000158E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.394548246.000000000A3F3000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.392078517.00000000050B1000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.400679296.00000000153CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/dtd-processor
          Source: javaw.exe, 0000000D.00000003.320291966.00000000158DD000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320060542.00000000158D6000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.342740838.00000000158E9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/dtd-processor5
          Source: javaw.exe, 0000000D.00000002.339989862.000000000489E000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320291966.00000000158DD000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320060542.00000000158D6000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.342740838.00000000158E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.393476612.00000000052A2000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.392078517.00000000050B1000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.400679296.00000000153CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/dtd-scanner
          Source: javaw.exe, 0000000D.00000003.320291966.00000000158DD000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320060542.00000000158D6000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.342740838.00000000158E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.400679296.00000000153CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/dtd-scanner8
          Source: javaw.exe, 0000000D.00000002.339346371.00000000046B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/dtd-scannerc
          Source: javaw.exe, 0000000D.00000002.339989862.000000000489E000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.339346371.00000000046B1000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.393476612.00000000052A2000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.392078517.00000000050B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/entity-manager
          Source: javaw.exe, 0000000D.00000003.320291966.00000000158DD000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320060542.00000000158D6000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.342740838.00000000158E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.400679296.00000000153CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/entity-manager8
          Source: javaw.exe, 0000000D.00000002.339989862.000000000489E000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.339346371.00000000046B1000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.393476612.00000000052A2000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.392078517.00000000050B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/entity-resolver
          Source: javaw.exe, 0000000D.00000003.320291966.00000000158DD000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320060542.00000000158D6000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.342740838.00000000158E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.400679296.00000000153CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/entity-resolver:
          Source: javaw.exe, 0000000D.00000002.339989862.000000000489E000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320291966.00000000158DD000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.339346371.00000000046B1000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320060542.00000000158D6000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.342740838.00000000158E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.393476612.00000000052A2000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.392078517.00000000050B1000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.400679296.00000000153CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/error-handler
          Source: javaw.exe, 0000000D.00000003.320291966.00000000158DD000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320060542.00000000158D6000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.342740838.00000000158E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.400679296.00000000153CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/error-handler6
          Source: javaw.exe, 0000000D.00000002.339989862.000000000489E000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.339346371.00000000046B1000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.393476612.00000000052A2000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.392078517.00000000050B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/error-reporter
          Source: javaw.exe, 0000000D.00000003.320291966.00000000158DD000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320060542.00000000158D6000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.342740838.00000000158E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.400679296.00000000153CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/error-reporter:
          Source: javaw.exe, 0000000D.00000002.340435134.00000000099FB000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320291966.00000000158DD000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.339346371.00000000046B1000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320060542.00000000158D6000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.342740838.00000000158E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.394548246.000000000A3F3000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.392078517.00000000050B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/grammar-pool
          Source: javaw.exe, 0000000D.00000003.320291966.00000000158DD000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320060542.00000000158D6000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.342740838.00000000158E9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/grammar-pool6
          Source: javaw.exe, 0000001D.00000002.400679296.00000000153CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/grammar-pool9
          Source: javaw.exe, 0000000D.00000002.342740838.00000000158E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.393476612.00000000052A2000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.400679296.00000000153CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/namespace-binder
          Source: javaw.exe, 0000000D.00000002.339346371.00000000046B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/namespace-binder39
          Source: javaw.exe, 0000001D.00000002.392078517.00000000050B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/namespace-binderks
          Source: javaw.exe, 0000000D.00000002.339989862.000000000489E000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320291966.00000000158DD000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320060542.00000000158D6000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.342740838.00000000158E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.394548246.000000000A3F3000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.400679296.00000000153CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/namespace-context
          Source: javaw.exe, 0000000D.00000002.339346371.00000000046B1000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.392078517.00000000050B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/namespace-context#
          Source: javaw.exe, 0000000D.00000003.320291966.00000000158DD000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320060542.00000000158D6000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.342740838.00000000158E9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://apache.org/xml/properties/internal/namespace-context:
          Source: javaw.exe, 0000000D.00000002.339989862.000000000489E000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.339346371.00000000046B1000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.393476612.00000000052A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.oracle.com/xml/jaxp/properties/entityReplacementLimit
          Source: javaw.exe, 0000000D.00000003.320744023.0000000000D14000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320693354.0000000000D07000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.338103470.0000000000D21000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.399242595.0000000015340000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.oracle.com/xml/jaxp/properties/entityReplacementLimit9
          Source: javaw.exe, 0000001D.00000002.392078517.00000000050B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.oracle.com/xml/jaxp/properties/entityReplacementLimit;
          Source: javaw.exe, 0000000D.00000002.339465052.00000000046EF000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.339989862.000000000489E000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.399242595.0000000015340000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.394548246.000000000A3F3000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.392231726.00000000050F0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.oracle.com/xml/jaxp/properties/getEntityCountInfo
          Source: javaw.exe, 0000000D.00000003.320744023.0000000000D14000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320693354.0000000000D07000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.338103470.0000000000D21000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.oracle.com/xml/jaxp/properties/getEntityCountInfoT
          Source: javaw.exe, 0000001D.00000002.392231726.00000000050F0000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.oracle.com/xml/jaxp/properties/k
          Source: javaw.exe, 0000000D.00000003.320744023.0000000000D14000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320693354.0000000000D07000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.340435134.00000000099FB000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.338103470.0000000000D21000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.399242595.0000000015340000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.394548246.000000000A3F3000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxElementDepth
          Source: javaw.exe, 0000000D.00000002.339346371.00000000046B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxElementDepthS
          Source: javaw.exe, 0000001D.00000002.392078517.00000000050B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxElementDepthk
          Source: javaw.exe, 0000000D.00000003.320744023.0000000000D14000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320693354.0000000000D07000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.340435134.00000000099FB000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.338103470.0000000000D21000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.339346371.00000000046B1000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.399242595.0000000015340000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.394548246.000000000A3F3000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.392078517.00000000050B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxGeneralEntitySizeLimit
          Source: javaw.exe, 0000000D.00000003.320744023.0000000000D14000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320693354.0000000000D07000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.339989862.000000000489E000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.338103470.0000000000D21000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.339346371.00000000046B1000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.393476612.00000000052A2000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.392078517.00000000050B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxOccurLimit
          Source: javaw.exe, 0000001D.00000002.399242595.0000000015340000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxOccurLimitWE
          Source: javaw.exe, 0000000D.00000003.320744023.0000000000D14000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320693354.0000000000D07000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.339989862.000000000489E000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.338103470.0000000000D21000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.399242595.0000000015340000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.393476612.00000000052A2000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.392078517.00000000050B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxParameterEntitySizeLimit
          Source: javaw.exe, 0000000D.00000002.339346371.00000000046B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxParameterEntitySizeLimits
          Source: javaw.exe, 0000000D.00000003.320744023.0000000000D14000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320693354.0000000000D07000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.339989862.000000000489E000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.338103470.0000000000D21000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.339346371.00000000046B1000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.399242595.0000000015340000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.394548246.000000000A3F3000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.392078517.00000000050B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxXMLNameLimit
          Source: javaw.exe, 0000000D.00000003.320744023.0000000000D14000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320693354.0000000000D07000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.339989862.000000000489E000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.338103470.0000000000D21000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.339346371.00000000046B1000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.399242595.0000000015340000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.393476612.00000000052A2000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.392078517.00000000050B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.oracle.com/xml/jaxp/properties/totalEntitySizeLimit
          Source: javaw.exe, 0000001D.00000002.402461340.0000000015414000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.oracle.com/xml/jaxp/properties/xmlSecurityPropertyManager
          Source: javaw.exe, 0000000D.00000002.339346371.00000000046B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://www.oracle.com/xml/jaxp/properties/xmlSecurityPropertyManagerc
          Source: javaw.exe, 0000000D.00000002.340435134.00000000099FB000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.342562072.00000000158A0000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320466091.00000000158A1000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320663164.00000000158B1000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.394548246.000000000A3F3000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.392231726.00000000050F0000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.402461340.0000000015414000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://xml.org/sax/features/
          Source: javaw.exe, 0000000D.00000002.339465052.00000000046EF000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://xml.org/sax/features/S
          Source: javaw.exe, 0000000D.00000002.339989862.000000000489E000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.393476612.00000000052A2000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://xml.org/sax/features/allow-dtd-events-after-endDTD
          Source: javaw.exe, 0000000D.00000002.339346371.00000000046B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://xml.org/sax/features/allow-dtd-events-after-endDTD#Y
          Source: javaw.exe, 0000000D.00000003.320291966.00000000158DD000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320060542.00000000158D6000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.342740838.00000000158E9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://xml.org/sax/features/allow-dtd-events-after-endDTDh
          Source: javaw.exe, 0000001D.00000002.392078517.00000000050B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://xml.org/sax/features/allow-dtd-events-after-endDTDk
          Source: javaw.exe, 0000001D.00000002.400679296.00000000153CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://xml.org/sax/features/allow-dtd-events-after-endDTDw=
          Source: javaw.exe, 0000000D.00000002.339989862.000000000489E000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320291966.00000000158DD000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320060542.00000000158D6000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.342740838.00000000158E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.393476612.00000000052A2000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.392078517.00000000050B1000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.400679296.00000000153CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://xml.org/sax/features/external-general-entities
          Source: javaw.exe, 0000000D.00000003.320291966.00000000158DD000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320060542.00000000158D6000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.342740838.00000000158E9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://xml.org/sax/features/external-general-entities7
          Source: javaw.exe, 0000000D.00000002.339346371.00000000046B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://xml.org/sax/features/external-general-entitiesc
          Source: javaw.exe, 0000000D.00000002.339989862.000000000489E000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320291966.00000000158DD000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320060542.00000000158D6000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.342740838.00000000158E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.394548246.000000000A3F3000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.392078517.00000000050B1000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.400679296.00000000153CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://xml.org/sax/features/external-parameter-entities
          Source: javaw.exe, 0000000D.00000002.339346371.00000000046B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://xml.org/sax/features/external-parameter-entitiesC)
          Source: javaw.exe, 0000000D.00000002.339989862.000000000489E000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320291966.00000000158DD000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320060542.00000000158D6000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.342740838.00000000158E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.394548246.000000000A3F3000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.392078517.00000000050B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://xml.org/sax/features/namespace-prefixes
          Source: javaw.exe, 0000000D.00000003.320291966.00000000158DD000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320060542.00000000158D6000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.342740838.00000000158E9000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://xml.org/sax/features/namespace-prefixes(
          Source: javaw.exe, 0000001D.00000002.399242595.0000000015340000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://xml.org/sax/features/namespace-prefixes/s(
          Source: javaw.exe, 0000000D.00000002.339346371.00000000046B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://xml.org/sax/features/namespace-prefixesc
          Source: javaw.exe, 0000000D.00000003.320693354.0000000000D07000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.339989862.000000000489E000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.338079307.0000000000D07000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.393476612.00000000052A2000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.392078517.00000000050B1000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.402461340.0000000015414000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://xml.org/sax/features/namespaces
          Source: javaw.exe, 0000000D.00000003.320693354.0000000000D07000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.338079307.0000000000D07000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.402461340.0000000015414000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://xml.org/sax/features/namespaces&
          Source: javaw.exe, 0000000D.00000002.339346371.00000000046B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://xml.org/sax/features/namespacessZ
          Source: javaw.exe, 0000000D.00000002.339989862.000000000489E000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320291966.00000000158DD000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320060542.00000000158D6000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.342740838.00000000158E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.393476612.00000000052A2000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.392078517.00000000050B1000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.400679296.00000000153CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://xml.org/sax/features/use-entity-resolver2
          Source: javaw.exe, 0000000D.00000002.339346371.00000000046B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://xml.org/sax/features/use-entity-resolver2S
          Source: javaw.exe, 0000000D.00000003.320693354.0000000000D07000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.339989862.000000000489E000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.338079307.0000000000D07000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.393476612.00000000052A2000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.392078517.00000000050B1000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.402461340.0000000015414000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://xml.org/sax/features/validation
          Source: javaw.exe, 0000000D.00000002.339346371.00000000046B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://xml.org/sax/features/validations
          Source: javaw.exe, 0000000D.00000002.339989862.000000000489E000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320291966.00000000158DD000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320060542.00000000158D6000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.342740838.00000000158E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.393476612.00000000052A2000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.392078517.00000000050B1000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.400679296.00000000153CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://xml.org/sax/properties/
          Source: javaw.exe, 0000001D.00000002.400679296.00000000153CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://xml.org/sax/properties/(
          Source: javaw.exe, 0000000D.00000002.339346371.00000000046B1000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://xml.org/sax/properties/3
          Source: javaw.exe, 0000000D.00000002.339989862.000000000489E000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320291966.00000000158DD000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.339346371.00000000046B1000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320060542.00000000158D6000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.342740838.00000000158E9000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.393476612.00000000052A2000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.392078517.00000000050B1000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.400679296.00000000153CD000.00000004.00000800.00020000.00000000.sdmpString found in binary or memory: http://xml.org/sax/properties/xml-string
          Source: C084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drString found in binary or memory: https://addinsinstallation.store.office.com/app/acquisitionlogging
          Source: C084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drString found in binary or memory: https://addinsinstallation.store.office.com/app/download
          Source: C084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/authenticated
          Source: C084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/preinstalled
          Source: C084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drString found in binary or memory: https://addinsinstallation.store.office.com/appinstall/unauthenticated
          Source: C084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drString found in binary or memory: https://addinsinstallation.store.office.com/orgid/appinstall/authenticated
          Source: C084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drString found in binary or memory: https://addinslicensing.store.office.com/apps/remove
          Source: C084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drString found in binary or memory: https://addinslicensing.store.office.com/commerce/query
          Source: C084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drString found in binary or memory: https://addinslicensing.store.office.com/entitlement/query
          Source: C084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drString found in binary or memory: https://addinslicensing.store.office.com/orgid/apps/remove
          Source: C084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drString found in binary or memory: https://addinslicensing.store.office.com/orgid/entitlement/query
          Source: C084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drString found in binary or memory: https://analysis.windows.net/powerbi/api
          Source: C084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drString found in binary or memory: https://apc.learningtools.onenote.com/learningtoolsapi/v2.0/getfreeformspeech
          Source: C084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drString found in binary or memory: https://api.aadrm.com
          Source: C084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drString found in binary or memory: https://api.aadrm.com/
          Source: C084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drString found in binary or memory: https://api.addins.omex.office.net/appinfo/query
          Source: C084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drString found in binary or memory: https://api.addins.omex.office.net/appstate/query
          Source: C084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drString found in binary or memory: https://api.addins.store.office.com/addinstemplate
          Source: C084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drString found in binary or memory: https://api.addins.store.office.com/app/query
          Source: C084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drString found in binary or memory: https://api.addins.store.officeppe.com/addinstemplate
          Source: C084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drString found in binary or memory: https://api.cortana.ai
          Source: C084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drString found in binary or memory: https://api.diagnostics.office.com
          Source: C084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drString found in binary or memory: https://api.diagnosticssdf.office.com
          Source: C084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drString found in binary or memory: https://api.diagnosticssdf.office.com/v2/feedback
          Source: C084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drString found in binary or memory: https://api.diagnosticssdf.office.com/v2/file
          Source: C084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drString found in binary or memory: https://api.microsoftstream.com/api/
          Source: C084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drString found in binary or memory: https://api.office.net
          Source: C084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drString found in binary or memory: https://api.onedrive.com
          Source: C084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drString found in binary or memory: https://api.powerbi.com/beta/myorg/imports
          Source: C084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/datasets
          Source: C084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drString found in binary or memory: https://api.powerbi.com/v1.0/myorg/groups
          Source: C084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drString found in binary or memory: https://api.scheduler.
          Source: C084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drString found in binary or memory: https://apis.live.net/v5.0/
          Source: C084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drString found in binary or memory: https://arc.msn.com/v4/api/selection
          Source: C084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drString found in binary or memory: https://asgsmsproxyapi.azurewebsites.net/
          Source: C084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drString found in binary or memory: https://augloop.office.com
          Source: C084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drString found in binary or memory: https://augloop.office.com/v2
          Source: C084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drString found in binary or memory: https://augloop.office.com;https://augloop-int.officeppe.com;https://augloop-dogfood.officeppe.com;h
          Source: C084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drString found in binary or memory: https://autodiscover-s.outlook.com/
          Source: C084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drString found in binary or memory: https://autodiscover-s.outlook.com/autodiscover/autodiscover.xml
          Source: C084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drString found in binary or memory: https://cdn.entity.
          Source: C084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/stat/images/OneDriveUpsell.png
          Source: C084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSignUpUpsell
          Source: C084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drString found in binary or memory: https://cdn.odc.officeapps.live.com/odc/xml?resource=OneDriveSyncClientUpsell
          Source: C084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drString found in binary or memory: https://client-office365-tas.msedge.net/ab
          Source: C084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drString found in binary or memory: https://clients.config.office.net/
          Source: C084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drString found in binary or memory: https://clients.config.office.net/c2r/v1.0/InteractiveInstallation
          Source: C084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/android/policies
          Source: C084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/ios
          Source: C084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/mac
          Source: C084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drString found in binary or memory: https://clients.config.office.net/user/v1.0/tenantassociationkey
          Source: C084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drString found in binary or memory: https://cloudfiles.onenote.com/upload.aspx
          Source: C084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drString found in binary or memory: https://config.edge.skype.com
          Source: C084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drString found in binary or memory: https://config.edge.skype.com/config/v1/Office
          Source: C084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drString found in binary or memory: https://config.edge.skype.com/config/v2/Office

          System Summary

          Source: 12-09-2022 S#U0130PAR#U0130#U015e.docx.docStream path '\x1Ole10Native' : ....a0v2H8.jar.C:\Users\MICROSOFT\AppData\Local\Mi
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeCode function: 13_3_15912789
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeCode function: 13_3_15913417
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeCode function: 13_3_15912771
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeCode function: 13_3_15906079
          Source: 12-09-2022 S#U0130PAR#U0130#U015e.docx.docReversingLabs: Detection: 26%
          Source: 12-09-2022 S#U0130PAR#U0130#U015e.docx.docVirustotal: Detection: 17%
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\SystemCertificates\CA
          Source: unknownProcess created: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE "C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess created: C:\Windows\splwow64.exe C:\Windows\splwow64.exe 12288
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess created: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe "C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe" -jar "C:\Users\user\AppData\Local\Temp\a0v2H8.jar"
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeProcess created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
          Source: C:\Windows\SysWOW64\icacls.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeProcess created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic CPU get ProcessorId
          Source: C:\Windows\SysWOW64\wbem\WMIC.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeProcess created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic bios get serialnumber
          Source: C:\Windows\SysWOW64\wbem\WMIC.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeProcess created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic csproduct get name
          Source: C:\Windows\SysWOW64\wbem\WMIC.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeProcess created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic csproduct get UUID
          Source: C:\Windows\SysWOW64\wbem\WMIC.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ver
          Source: C:\Windows\SysWOW64\cmd.exeProcess created: C:\Windows\System32\conhost.exe C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
          Source: C:\Windows\SysWOW64\wbem\WMIC.exeKey value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4590F811-1D3A-11D0-891F-00AA004B2E24}\InprocServer32
          Source: 12-09-2022 S.LNK.0.drLNK file: ..\..\..\..\..\Desktop\12-09-2022 S#U0130PAR#U0130#U015e.docx.doc
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6328:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6188:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6592:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6412:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6108:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6124:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6172:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6388:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6476:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:6536:120:WilError_01
          Source: C:\Windows\System32\conhost.exeMutant created: \Sessions\1\BaseNamedObjects\Local\SM0:968:120:WilError_01
          Source: 12-09-2022 S#U0130PAR#U0130#U015e.docx.docOLE indicator, Word Document stream: true
          Source: C:\Windows\SysWOW64\wbem\WMIC.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessorId FROM WIN32_PROCESSOR
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Microsoft\Windows\INetCache\Content.Word
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile created: C:\Users\user\AppData\Local\Temp\{5CC3E825-F709-4DD0-BB2B-0593311557CB} - OProcSessId.dat
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeSection loaded: C:\Program Files (x86)\Java\jre1.8.0_211\bin\client\jvm.dll
          Source: classification engineClassification label: mal80.troj.expl.evad.winDOC@40/10@0/0
          Source: 12-09-2022 S#U0130PAR#U0130#U015e.docx.docOLE document summary: title field not present or empty
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile read: C:\Users\desktop.ini
          Source: Window RecorderWindow detected: More than 3 window changes detected
          Source: 12-09-2022 S#U0130PAR#U0130#U015e.docx.docInitial sample: OLE zip file path = word/media/image3.emf
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEKey opened: HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Common\LanguageResources\EnabledEditingLanguages
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEFile opened: C:\Windows\SysWOW64\MSVCR100.dll
          Source: 12-09-2022 S#U0130PAR#U0130#U015e.docx.docInitial sample: OLE indicators vbamacros = False
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeCode function: 13_3_1596F00A push B01596F0h; ret
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeCode function: 13_3_159748D4 push 5C939D70h; retf
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeCode function: 13_3_15974947 push 5C939D70h; retf
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeCode function: 13_3_159743E0 push 0000006Ah; iretd
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeCode function: 13_3_1590B7E4 push eax; iretd
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeCode function: 13_3_1590CF2F push eax; iretd
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeCode function: 29_2_02DAD877 push 00000000h; mov dword ptr [esp], esp
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeCode function: 29_2_02DAB377 push 00000000h; mov dword ptr [esp], esp
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeCode function: 29_2_02DABB27 push 00000000h; mov dword ptr [esp], esp
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeCode function: 29_2_02DAD860 push 00000000h; mov dword ptr [esp], esp
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeCode function: 29_2_02DAA1DB push ecx; ret
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeCode function: 29_2_02DAA1CA push ecx; ret
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeCode function: 29_2_02DAB907 push 00000000h; mov dword ptr [esp], esp
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeCode function: 29_2_02DAC437 push 00000000h; mov dword ptr [esp], esp
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeCode function: 29_2_02DB2D44 push eax; retf
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeCode function: 29_2_02E4F634 push eax; retf 0002h
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeCode function: 29_2_02E4E0DD push ebx; retf
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeCode function: 29_2_02E4E0D8 push ebx; retf
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeCode function: 29_2_02E4A44E push 00090081h; retn 0005h
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeCode function: 29_2_02E4E17B push cs; retf
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeProcess created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: NOOPENFILEERRORBOX
          Source: C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXEProcess information set: FAILCRITICALERRORS | NOOPENFILEERRORBOX
          Source: C:\Windows\splwow64.exeProcess information set: NOALIGNMENTFAULTEXCEPT | NOOPENFILEERRORBOX
          Source: C:\Windows\SysWOW64\wbem\WMIC.exeProcess information set: NOOPENFILEERRORBOX
          Source: 12-09-2022 S#U0130PAR#U0130#U015e.docx.docStream path '\x1Ole10Native' entropy: 7.99740193304 (max. 8.0)

          Malware Analysis System Evasion

          Source: C:\Windows\SysWOW64\wbem\WMIC.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT SerialNumber FROM Win32_BIOS
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeCode function: 13_3_15912360 sldt word ptr [eax]
          Source: C:\Windows\SysWOW64\wbem\WMIC.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT ProcessorId FROM WIN32_PROCESSOR
          Source: C:\Windows\SysWOW64\wbem\WMIC.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT Name FROM Win32_ComputerSystemProduct
          Source: C:\Windows\SysWOW64\wbem\WMIC.exeWMI Queries: IWbemServices::ExecQuery - ROOT\CIMV2 : SELECT UUID FROM Win32_ComputerSystemProduct
          Source: C:\Windows\splwow64.exeThread delayed: delay time: 120000
          Source: javaw.exe, 0000001D.00000003.351377071.00000000152FE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: com/sun/corba/se/impl/util/SUNVMCID.classPK
          Source: javaw.exe, 0000001D.00000003.351377071.00000000152FE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: &com/sun/corba/se/impl/util/SUNVMCID.classPK
          Source: javaw.exe, 0000001D.00000002.389760370.0000000002C10000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: ,java/lang/VirtualMachineError
          Source: javaw.exe, 0000001D.00000002.389760370.0000000002C10000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: |[Ljava/lang/VirtualMachineError;
          Source: javaw.exe, 0000001D.00000003.351377071.00000000152FE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: org/omg/CORBA/OMGVMCID.classPK
          Source: javaw.exe, 0000000D.00000003.304711642.0000000014F14000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000003.351377071.00000000152FE000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: java/lang/VirtualMachineError.classPK
          Source: javaw.exe, 0000000D.00000002.337796781.0000000000C60000.00000004.00000800.00020000.00000000.sdmpBinary or memory string: 2[Ljava/lang/VirtualMachineError;
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeMemory protected: page read and write | page guard
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeProcess created: C:\Windows\SysWOW64\icacls.exe C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeProcess created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic CPU get ProcessorId
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeProcess created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic bios get serialnumber
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeProcess created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic csproduct get name
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeProcess created: C:\Windows\SysWOW64\wbem\WMIC.exe wmic csproduct get UUID
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeProcess created: C:\Windows\SysWOW64\cmd.exe cmd.exe /c ver
          Source: C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exeCode function: 29_2_02DA0380 cpuid

          Stealing of Sensitive Information

          Source: Yara matchFile source: 0000001D.00000002.391533154.0000000004F88000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.339042980.000000000458C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: javaw.exe PID: 4196, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: javaw.exe PID: 6860, type: MEMORYSTR

          Remote Access Functionality

          Source: Yara matchFile source: 0000001D.00000002.391533154.0000000004F88000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: 0000000D.00000002.339042980.000000000458C000.00000004.00000800.00020000.00000000.sdmp, type: MEMORY
          Source: Yara matchFile source: Process Memory Space: javaw.exe PID: 4196, type: MEMORYSTR
          Source: Yara matchFile source: Process Memory Space: javaw.exe PID: 6860, type: MEMORYSTR
          Initial Access | Execution | Persistence | Privilege Escalation | Defense Evasion | Credential Access | Discovery | Lateral Movement | Collection | Exfiltration | Command and Control | Network Effects | Remote Service Effects | Impact
          Valid Accounts | 121 Windows Management Instrumentation | 1 Services File Permissions Weakness | 11 Process Injection | 1 Masquerading | OS Credential Dumping | 21 Security Software Discovery | Remote Services | 1 Archive Collected Data | Exfiltration Over Other Network Medium | 1 Encrypted Channel | Eavesdrop on Insecure Network Communication | Remotely Track Device Without Authorization | Modify System Partition
          Default Accounts | 2 Exploitation for Client Execution | Boot or Logon Initialization Scripts | 1 Services File Permissions Weakness | 1 Disable or Modify Tools | LSASS Memory | 31 Virtualization/Sandbox Evasion | Remote Desktop Protocol | Data from Removable Media | Exfiltration Over Bluetooth | Junk Data | Exploit SS7 to Redirect Phone Calls/SMS | Remotely Wipe Data Without Authorization | Device Lockout
          Domain Accounts | At (Linux) | Logon Script (Windows) | Logon Script (Windows) | 31 Virtualization/Sandbox Evasion | Security Account Manager | 1 File and Directory Discovery | SMB/Windows Admin Shares | Data from Network Shared Drive | Automated Exfiltration | Steganography | Exploit SS7 to Track Device Location | Obtain Device Cloud Backups | Delete Device Data
          Local Accounts | At (Windows) | Logon Script (Mac) | Logon Script (Mac) | 11 Process Injection | NTDS | 123 System Information Discovery | Distributed Component Object Model | Input Capture | Scheduled Transfer | Protocol Impersonation | SIM Card Swap |  | Carrier Billing Fraud
          Cloud Accounts | Cron | Network Logon Script | Network Logon Script | 11 Obfuscated Files or Information | LSA Secrets | Remote System Discovery | SSH | Keylogging | Data Transfer Size Limits | Fallback Channels | Manipulate Device Communication |  | Manipulate App Store Rankings or Ratings
          Replication Through Removable Media | Launchd | Rc.common | Rc.common | 1 Services File Permissions Weakness | Cached Domain Credentials | System Owner/User Discovery | VNC | GUI Input Capture | Exfiltration Over C2 Channel | Multiband Communication | Jamming or Denial of Service |  | Abuse Accessibility Features
          [Behavior graph: ID 701320; Sample: 12-09-2022 S#U0130PAR#U0130...; Startdate: 12/09/2022; Architecture: WINDOWS; Score: 80]

          Source | Detection | Scanner | Label | Link
          12-09-2022 S#U0130PAR#U0130#U015e.docx.doc | 27% | ReversingLabs | ByteCode-JAVA.Downloader.BanLoad |
          12-09-2022 S#U0130PAR#U0130#U015e.docx.doc | 17% | Virustotal |  | Browse
          No Antivirus matches
          No Antivirus matches
          No Antivirus matches
          Source | Detection | Scanner | Label | Link
          http://java.sun.com/xml/dom/properties/( | 0% | URL Reputation | safe |
          http://java.sun.com/xml/dom/properties/( | 0% | URL Reputation | safe |
          https://cdn.entity. | 0% | URL Reputation | safe |
          https://rpsticket.partnerservices.getmicrosoftkey.com | 0% | URL Reputation | safe |
          https://api.aadrm.com/ | 0% | URL Reputation | safe |
          http://java.sun.com/xml/dom/properties/ | 0% | URL Reputation | safe |
          https://res.getmicrosoftkey.com/api/redemptionevents | 0% | URL Reputation | safe |
          https://officeci.azurewebsites.net/api/ | 0% | URL Reputation | safe |
          https://my.microsoftpersonalcontent.com | 0% | URL Reputation | safe |
          https://store.office.cn/addinstemplate | 0% | URL Reputation | safe |
          https://store.office.cn/addinstemplate | 0% | URL Reputation | safe |
          http://bugreport.sun.com/bugreport/ | 0% | URL Reputation | safe |
          https://www.odwebp.svc.ms | 0% | URL Reputation | safe |
          https://api.addins.store.officeppe.com/addinstemplate | 0% | URL Reputation | safe |
          http://javax.xml.XMLConstants/property/accessExternalDTD; | 0% | URL Reputation | safe |
          https://ncus.contentsync. | 0% | URL Reputation | safe |
          http://java.sun.com/xml/dom/properties/ancestor-check | 0% | URL Reputation | safe |
          https://wus2.contentsync. | 0% | URL Reputation | safe |
          http://java.sun.com/xml/stream/properties/ignore-external-dtdkin | 0% | Avira URL Cloud | safe |
          http://java.sun.com/dtd/properties.dtd# | 0% | Avira URL Cloud | safe |
          http://java.sun.com/xml/stream/properties/6 | 0% | Avira URL Cloud | safe |
          http://java.sun.com/xml/stream/properties/S | 0% | Avira URL Cloud | safe |
          http://java.sun.com/dtd/properties.dtdS | 0% | Avira URL Cloud | safe |
          http://java.sun.com/dtd/properties.dtdc | 0% | Avira URL Cloud | safe |
          http://java.sun.com/dtd/properties.dtd# | 0% | Virustotal |  | Browse
          http://java.sun.com/dtd/properties.dtdS | 0% | Virustotal |  | Browse
          http://javax.xml.XMLConstants/property/accessExternalSchemak | 0% | Avira URL Cloud | safe |
          http://java.sun.com/xml/dom/properties/ancestor-checkour | 0% | Avira URL Cloud | safe |
          No contacted domains info
          Name | Source | Malicious | Antivirus Detection | Reputation
                                                                                                                                  high
                                                                                                                                  https://pf.directory.live.com/profile/mine/System.ShortCircuitProfile.jsonC084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drfalse
                                                                                                                                    high
                                                                                                                                    http://apache.org/xml/properties/dom/current-element-nodemjavaw.exe, 0000000D.00000003.320291966.00000000158DD000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320060542.00000000158D6000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.342740838.00000000158E9000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      high
                                                                                                                                      http://javax.xml.XMLConstants/property/accessExternalDTD;javaw.exe, 0000000D.00000003.320693354.0000000000D07000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.338079307.0000000000D07000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.402461340.0000000015414000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      unknown
                                                                                                                                      https://ncus.contentsync.C084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drfalse
                                                                                                                                      • URL Reputation: safe
                                                                                                                                      unknown
                                                                                                                                      http://xml.org/sax/features/allow-dtd-events-after-endDTDw=javaw.exe, 0000001D.00000002.400679296.00000000153CD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                        high
                                                                                                                                        https://webdir.online.lync.com/autodiscover/autodiscoverservice.svc/root/C084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drfalse
                                                                                                                                          high
                                                                                                                                          http://apache.org/xml/properties/security-managerjavaw.exe, 0000000D.00000003.320693354.0000000000D07000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.339989862.000000000489E000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.338079307.0000000000D07000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.393476612.00000000052A2000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.402461340.0000000015414000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                            high
                                                                                                                                            http://weather.service.msn.com/data.aspxC084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drfalse
                                                                                                                                              high
                                                                                                                                              http://java.sun.com/xml/dom/properties/ancestor-checkjavaw.exe, 0000000D.00000002.339989862.000000000489E000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.339418652.00000000046DE000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.399242595.0000000015340000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.394548246.000000000A3F3000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.392184518.00000000050DD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                              • URL Reputation: safe
                                                                                                                                              unknown
                                                                                                                                              https://word.uservoice.com/forums/304948-word-for-ipad-iphone-iosC084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drfalse
                                                                                                                                                high
                                                                                                                                                http://java.sun.com/xml/dom/properties/ancestor-checkourjavaw.exe, 0000000D.00000002.342562072.00000000158A0000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320466091.00000000158A1000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320663164.00000000158B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                • Avira URL Cloud: safe
                                                                                                                                                unknown
                                                                                                                                                http://apache.org/xml/features/validation/balance-syntax-trees1javaw.exe, 0000000D.00000003.320030158.0000000015939000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000003.320240879.000000001593B000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.342933460.0000000015952000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                  high
                                                                                                                                                  https://autodiscover-s.outlook.com/autodiscover/autodiscover.xmlC084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drfalse
                                                                                                                                                    high
                                                                                                                                                    http://apache.org/xml/properties/internal/xinclude-handler=javaw.exe, 0000001D.00000002.400679296.00000000153CD000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      high
                                                                                                                                                      https://wus2.contentsync.C084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drfalse
                                                                                                                                                      • URL Reputation: safe
                                                                                                                                                      unknown
                                                                                                                                                      http://javax.xml.XMLConstants/property/accessExternalSchemakjavaw.exe, 0000000D.00000002.339346371.00000000046B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                      • Avira URL Cloud: safe
                                                                                                                                                      unknown
                                                                                                                                                      https://clients.config.office.net/user/v1.0/iosC084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drfalse
                                                                                                                                                        high
                                                                                                                                                        http://apache.org/xml/features/create-cdata-nodes:javaw.exe, 0000000D.00000003.320693354.0000000000D07000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.338079307.0000000000D07000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.402461340.0000000015414000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                          high
                                                                                                                                                          http://apache.org/xml/features/xincludejavaw.exe, 0000000D.00000003.320693354.0000000000D07000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.339989862.000000000489E000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.339346371.00000000046B1000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000000D.00000002.338079307.0000000000D07000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.394548246.000000000A3F3000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.392078517.00000000050B1000.00000004.00000800.00020000.00000000.sdmp, javaw.exe, 0000001D.00000002.402461340.0000000015414000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                            high
                                                                                                                                                            https://o365auditrealtimeingestion.manage.office.comC084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drfalse
                                                                                                                                                              high
                                                                                                                                                              https://outlook.office365.com/api/v1.0/me/ActivitiesC084E00E-2C37-4DA2-8B52-BBC9C24B7D11.0.drfalse
                                                                                                                                                                high
                                                                                                                                                                http://apache.org/xml/properties/input-buffer-sizecjavaw.exe, 0000000D.00000002.339346371.00000000046B1000.00000004.00000800.00020000.00000000.sdmpfalse
                                                                                                                                                                  high
                                                                                                                                                                  No contacted IP infos
                                                                                                                                                                  Joe Sandbox Version:36.0.0 Rainbow Opal
                                                                                                                                                                  Analysis ID:701320
                                                                                                                                                                  Start date and time:2022-09-12 13:52:13 +02:00
                                                                                                                                                                  Joe Sandbox Product:CloudBasic
                                                                                                                                                                  Overall analysis duration:0h 7m 46s
                                                                                                                                                                  Hypervisor based Inspection enabled:false
                                                                                                                                                                  Report type:light
                                                                                                                                                                  Sample file name:12-09-2022 S#U0130PAR#U0130#U015e.docx.doc
                                                                                                                                                                  Cookbook file name:defaultwindowsofficecookbook.jbs
                                                                                                                                                                  Analysis system description:Windows 10 64 bit v1803 with Office Professional Plus 2016, Chrome 104, IE 11, Adobe Reader DC 19, Java 8 Update 211
                                                                                                                                                                  Run name:Potential for more IOCs and behavior
                                                                                                                                                                  Number of analysed new started processes analysed:46
                                                                                                                                                                  Number of new started drivers analysed:0
                                                                                                                                                                  Number of existing processes analysed:0
                                                                                                                                                                  Number of existing drivers analysed:0
                                                                                                                                                                  Number of injected processes analysed:0
                                                                                                                                                                  Technologies:
                                                                                                                                                                  • HCA enabled
                                                                                                                                                                  • EGA enabled
                                                                                                                                                                  • HDC enabled
                                                                                                                                                                  • AMSI enabled
                                                                                                                                                                  Analysis Mode:default
                                                                                                                                                                  Analysis stop reason:Timeout
                                                                                                                                                                  Detection:MAL
                                                                                                                                                                  Classification:mal80.troj.expl.evad.winDOC@40/10@0/0
                                                                                                                                                                  EGA Information:
                                                                                                                                                                  • Successful, ratio: 50%
                                                                                                                                                                  HDC Information:Failed
                                                                                                                                                                  HCA Information:
                                                                                                                                                                  • Successful, ratio: 82%
                                                                                                                                                                  • Number of executed functions: 0
                                                                                                                                                                  • Number of non-executed functions: 0
                                                                                                                                                                  Cookbook Comments:
                                                                                                                                                                  • Found application associated with file extension: .doc
                                                                                                                                                                  • Found Word or Excel or PowerPoint or XPS Viewer
                                                                                                                                                                  • Attach to Office via COM
                                                                                                                                                                  • Active ActiveX Object
                                                                                                                                                                  • Scroll down
                                                                                                                                                                  • Close Viewer
                                                                                                                                                                  • Exclude process from analysis (whitelisted): MpCmdRun.exe, BackgroundTransferHost.exe, backgroundTaskHost.exe, SgrmBroker.exe, conhost.exe, svchost.exe
                                                                                                                                                                  • Excluded IPs from analysis (whitelisted): 52.109.88.191, 52.109.12.22, 52.109.76.33
                                                                                                                                                                  • Excluded domains from analysis (whitelisted): ris.api.iris.microsoft.com, client.wns.windows.com, fs.microsoft.com, prod-w.nexus.live.com.akadns.net, config.officeapps.live.com, prod.configsvc1.live.com.akadns.net, ctldl.windowsupdate.com, nexus.officeapps.live.com, officeclient.microsoft.com, img-prod-cms-rt-microsoft-com.akamaized.net, arc.msn.com, europe.configsvc1.live.com.akadns.net
                                                                                                                                                                  • Execution Graph export aborted for target javaw.exe, PID 4196 because there are no executed function
                                                                                                                                                                  • Not all processes where analyzed, report is missing behavior information
                                                                                                                                                                  • Report size exceeded maximum capacity and may have missing behavior information.
                                                                                                                                                                  • Report size getting too big, too many NtCreateFile calls found.
                                                                                                                                                                  • Report size getting too big, too many NtOpenFile calls found.
                                                                                                                                                                  • Report size getting too big, too many NtProtectVirtualMemory calls found.
                                                                                                                                                                  • Report size getting too big, too many NtQueryAttributesFile calls found.
                                                                                                                                                                  • Report size getting too big, too many NtSetInformationFile calls found.
Time | Type | Description
13:53:27 | API Interceptor | 14x Sleep call for process: splwow64.exe modified
13:53:38 | API Interceptor | 8x Sleep call for process: WMIC.exe modified
                                                                                                                                                                  No context
                                                                                                                                                                  Process:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):57
                                                                                                                                                                  Entropy (8bit):4.826151803897123
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:3:oFj4I5vpN6yUfTV2v:oJ5X6yIe
                                                                                                                                                                  MD5:1D4851354D6D15063CE0B7FA2B10CA6A
                                                                                                                                                                  SHA1:0C62F123179F13892B7A760C99B2821E442468B4
                                                                                                                                                                  SHA-256:B85443E1B38F4784D86442A9EDEF76FCDCEC086385C934F219AEADDA6CAC01E4
                                                                                                                                                                  SHA-512:E8C2F11B4BC4E1160B61771FF054F06D31479B881AE8ED7EFB65FD8DF264A9CA76AF379ECCA4DB5904110F95A76D7961AD01EF01C84AFB1D3E253C2E86887089
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:C:\Program Files (x86)\Java\jre1.8.0_211..1663016039787..
                                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                  File Type:XML 1.0 document, UTF-8 Unicode text, with very long lines, with CRLF line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):147875
                                                                                                                                                                  Entropy (8bit):5.3583959375539045
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:1536:wcQW/gxgB5BQguw//Q9DQe+zQhk4F77nXmvid3XRVEoLcL61:jHQ9DQe+zWX4O
                                                                                                                                                                  MD5:5F77A91B68449A8CF79EA416AF1DEDDB
                                                                                                                                                                  SHA1:5DBDCDF20A9C1725777153D186080D55F90C07DE
                                                                                                                                                                  SHA-256:00B2FE53C1B4754D20C334F39ED07366CDEAF0D1EFAE12526C0181AA6355C902
                                                                                                                                                                  SHA-512:6B135252F6159347EA121022156297B93D32AB7CE4E212BB45A40BC53A44324D2FB2370B83C5BCB564890E7F67FB17CF983A12AE56D80A021994EEC04311429E
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:<?xml version="1.0" encoding="utf-8"?>..<o:OfficeConfig xmlns:o="urn:schemas-microsoft-com:office:office">.. <o:services o:GenerationTime="2022-09-12T11:53:07">.. Build: 16.0.15705.30525-->.. <o:default>.. <o:ticket o:headerName="Authorization" o:headerValue="{}" />.. </o:default>.. <o:service o:name="Research">.. <o:url>https://rr.office.microsoft.com/research/query.asmx</o:url>.. </o:service>.. <o:service o:name="ORedir">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ORedirSSL">.. <o:url>https://o15.officeredir.microsoft.com/r</o:url>.. </o:service>.. <o:service o:name="ClViewClientHelpId">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientHome">.. <o:url>https://[MAX.BaseHost]/client/results</o:url>.. </o:service>.. <o:service o:name="ClViewClientTemplate">.. <o:url>https://ocsa.office.microsoft.com/client/15/help/template</o:url>.. </o:service>.. <o:
                                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                  File Type:Windows Enhanced Metafile (EMF) image data version 0x10000
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):5464
                                                                                                                                                                  Entropy (8bit):0.8660964834720057
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:12:YaFmecr6gSbfMqH18JM8XqVlwcb1KCu6Tj/4KCJfBoWLBzbmYXi6UgoemYJ:Ya0r6gSbfm/qVuCREkWLB+B6Ug4y
                                                                                                                                                                  MD5:C2D8244DD18F565035212FC52D3F4E75
                                                                                                                                                                  SHA1:8C85DDF7655242B178D77F7BEB81D2E3BEB9F35B
                                                                                                                                                                  SHA-256:89CB85E37E9623CD2B091B539C6E1280AA39E21CF7B6B0A54F5FDA180A197B98
                                                                                                                                                                  SHA-512:4EBA9EC61253B67231E854906AEA3DB0D37276ED9A7034661781612C5D69A41B8917ABEC40FACD9A2C6A4A3CD2220019A360B9AF6F01F52C118658C52D81324C
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                  File Type:PNG image data, 706 x 366, 8-bit/color RGBA, non-interlaced
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):68893
                                                                                                                                                                  Entropy (8bit):7.903401375792054
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:1536:BsvJG1S1KOhGCAZmweGEjZv9mX+DZL8mI2dEN2vT4q+b:OvJM0AZUr1v9BZQOsq+b
                                                                                                                                                                  MD5:94C3E4696F04CB7960042417CF39FE07
                                                                                                                                                                  SHA1:EC45840F87B3AC5812F9CE765CD398AEEB2A659C
                                                                                                                                                                  SHA-256:A1566D12B7BEE123511040635AE34D71E23AE1F73706347EB5926A61AB72BDB7
                                                                                                                                                                  SHA-512:8FBDE178BA6DFD021B9E43CA6ADC205F6AB8939E6FE93807C20E9FA8D808DFED1E13D4EE485A3B13932452070FABA749E83EF7795A70F1A75B26081C86C399DA
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                  File Type:Zip archive data, at least v2.0 to extract
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):164473
                                                                                                                                                                  Entropy (8bit):7.998227410119545
                                                                                                                                                                  Encrypted:true
                                                                                                                                                                  SSDEEP:3072:nHtZMJGepfzX0wzh3ai4MhIcm3o9wpqmkAiye3Y6/tocHRXiIsWckuHvDdbFjW0V:nHtmJnbEwVak+5BoY6/KcWbog
                                                                                                                                                                  MD5:5FCE04720A34D47CE0D474F4571AE901
                                                                                                                                                                  SHA1:66F0FF1759880EE5AFC62968A4D135743A4B6888
                                                                                                                                                                  SHA-256:8CB74BD01205DF1E777CC8C1A343AA65287909CD72AA7B8388F4C32024DCE624
                                                                                                                                                                  SHA-512:6F0E3D750EFEB829E9CA00180AC0EF64B39A86A2B6BC6B087E917D65E89248EAB4CDB91EB2E81EF1144E799CB7186A26E947CB89044D3AD80A9606C600075EF7
                                                                                                                                                                  Malicious:true
                                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):54
                                                                                                                                                                  Entropy (8bit):4.2311712996172846
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:3:gAWY33AtwXJYuKQS6J:qY33AtjqtJ
                                                                                                                                                                  MD5:B3CE06E741E4849CAE8418BF665A6A97
                                                                                                                                                                  SHA1:D9B6141CA4E0F78DC5BC1C790BEC6D23D30606FB
                                                                                                                                                                  SHA-256:A40B2ADBF9A084937771336A1F11247AD5F45F1469C8C4446179C73557C05032
                                                                                                                                                                  SHA-512:CE7215E289B7F450A76F06E50D5EE6F060369A83B996E717D1918DA62540B19272C8FD98A707609E5759BB414E1151466440B544AB61D16D811DDEC4B2BF8E5F
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:[ZoneTransfer]..ZoneId=3..ReferrerUrl=about:internet..
                                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                  File Type:MS Windows shortcut, Item id list present, Points to a file or directory, Has Relative path, Archive, ctime=Tue Aug 16 20:38:44 2022, mtime=Mon Sep 12 19:53:09 2022, atime=Mon Sep 12 19:53:04 2022, length=258604, window=hide
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):1195
                                                                                                                                                                  Entropy (8bit):4.654972048649397
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:24:8pxTPwt+jpUlTA6WDdvfAlZDjgfs7aB6m:8ptPUi6WqMxB6
                                                                                                                                                                  MD5:7693A60A5936A48DE7BCBC85CA41BA08
                                                                                                                                                                  SHA1:02BC1EE1B63205C27F9C180C84ACF34C52851E4D
                                                                                                                                                                  SHA-256:236FBD25C05806AEB8A4743AEC171C0E36F840E6174C25845D07BFB2631DBA68
                                                                                                                                                                  SHA-512:72C0628344B89E77695D9D3E05202A27C033709CB408CF8836E8D141DD0D5B5DEA2C104DA9B8E3243C6F63408A5BF884E2CF131EBF53BA390B3C0BEEE7B5174C
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:L..................F.... ...bI.......[......>.Z.....,............................P.O. .:i.....+00.../C:\...................x.1......N....Users.d......L..,U......................:.....q|..U.s.e.r.s...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.8.1.3.....P.1......U...user.<.......Ny.,U.......S.....................B..h.a.r.d.z.....~.1......U...Desktop.h.......Ny.,U.......Y..............>.....F.+.D.e.s.k.t.o.p...@.s.h.e.l.l.3.2...d.l.l.,.-.2.1.7.6.9.......2.,...,U.. .12-09-~1.DOC..........U.,U.......R........................1.2.-.0.9.-.2.0.2.2. .S.#.U.0.1.3.0.P.A.R.#.U.0.1.3.0.#.U.0.1.5.e...d.o.c.x...d.o.c.......p...............-.......o...........>.S......C:\Users\user\Desktop\12-09-2022 S#U0130PAR#U0130#U015e.docx.doc..A.....\.....\.....\.....\.....\.D.e.s.k.t.o.p.\.1.2.-.0.9.-.2.0.2.2. .S.#.U.0.1.3.0.P.A.R.#.U.0.1.3.0.#.U.0.1.5.e...d.o.c.x...d.o.c.........:..,.LB.)...As...`.......X.......506407...........!a..%.H.VZAj.................-..!a..%.H.VZAj.................-.............1SPS.X
                                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                  File Type:ASCII text, with CRLF line terminators
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):75
                                                                                                                                                                  Entropy (8bit):4.583484151612445
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:3:bDuMJltcuHy5omX1UXBuHy5ov:bCYc6ccXB6cy
                                                                                                                                                                  MD5:D6902E7D17272A3B9E9DDA29FBA18FEC
                                                                                                                                                                  SHA1:51F30D453A2B9CEF9BD883A37036BD04C55167B5
                                                                                                                                                                  SHA-256:1F16357772A3E327315EFF82F18BB3E73781BF3C46645F1AF4DB6902166C96AA
                                                                                                                                                                  SHA-512:9AB1B9F1D98C52B5215B23BF1F94D81A88FA3C04BAAC64BC8771A6A62731C86CDDC5B0B80B41361A53E1427B45E753CCD41B802A43F8446919C859B11D0EB8FC
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:[folders]..Templates.LNK=0..12-09-2022 S.LNK=0..[doc]..12-09-2022 S.LNK=0..
                                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                  File Type:data
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):162
                                                                                                                                                                  Entropy (8bit):2.3178485266493425
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:3:Rl/Zdq7LoX1SXTlt333Vftl//4lEDlf:RtZLXaN//dDt
                                                                                                                                                                  MD5:8A97ED4F5D1DD2141CAC25E211C3C519
                                                                                                                                                                  SHA1:6C46C05652DD087A5AD852A0A05C222C7491B716
                                                                                                                                                                  SHA-256:894EB4F08ADE066F3DB957A34544CFCD283CE7DE63C70380DAD09EB2581EEF5C
                                                                                                                                                                  SHA-512:12F567CAB3AFBCD11C9B101EF43C148F39053964C925E15BC885AA056EFDD88E24AFE414AFF9F127D2E4E95349018DE0D965B2C38955555059D600B293B6D37E
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:.pratesh................................................p.r.a.t.e.s.h...........N...............................J.............................&.F.............H...
                                                                                                                                                                  Process:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                  File Type:data
                                                                                                                                                                  Category:dropped
                                                                                                                                                                  Size (bytes):162
                                                                                                                                                                  Entropy (8bit):2.3178485266493425
                                                                                                                                                                  Encrypted:false
                                                                                                                                                                  SSDEEP:3:Rl/Zdq7LoX1SXTlt333Vftl//4lEDlf:RtZLXaN//dDt
                                                                                                                                                                  MD5:8A97ED4F5D1DD2141CAC25E211C3C519
                                                                                                                                                                  SHA1:6C46C05652DD087A5AD852A0A05C222C7491B716
                                                                                                                                                                  SHA-256:894EB4F08ADE066F3DB957A34544CFCD283CE7DE63C70380DAD09EB2581EEF5C
                                                                                                                                                                  SHA-512:12F567CAB3AFBCD11C9B101EF43C148F39053964C925E15BC885AA056EFDD88E24AFE414AFF9F127D2E4E95349018DE0D965B2C38955555059D600B293B6D37E
                                                                                                                                                                  Malicious:false
                                                                                                                                                                  Preview:.pratesh................................................p.r.a.t.e.s.h...........N...............................J.............................&.F.............H...
                                                                                                                                                                  File type:Microsoft Word 2007+
                                                                                                                                                                  Entropy (8bit):7.97914499665771
                                                                                                                                                                  TrID:
                                                                                                                                                                  • Word Microsoft Office Open XML Format document (49504/1) 49.01%
                                                                                                                                                                  • Word Microsoft Office Open XML Format document (43504/1) 43.07%
                                                                                                                                                                  • ZIP compressed archive (8000/1) 7.92%
                                                                                                                                                                  File name:12-09-2022 S#U0130PAR#U0130#U015e.docx.doc
                                                                                                                                                                  File size:258604
                                                                                                                                                                  MD5:7e8133cf5f56adcfafb9bc91390c9fe7
                                                                                                                                                                  SHA1:2cc6471245901e51565ad69df6b8586629965cf1
                                                                                                                                                                  SHA256:7859fd95c60a0d76fa99eb42277501b20f76a377c1395b504acff5dd22533027
                                                                                                                                                                  SHA512:943c44eb826863181891fa7f3eaba59546656c10aad65815f9a21d0ac277d21ec3715f71b1359b962c2057ee234f16be2edc0629e6a5889ff1abd4d2fd1f6d67
                                                                                                                                                                  SSDEEP:6144:CsjU1vruW+UztmXtb2wDayQ7B4Y6/EcKbiCW:tjaumMXtb2w+yM4YhVWCW
                                                                                                                                                                  TLSH:09442358C8204D84D8654636A8A9B9F392EF9020B322C11B7F5CC6EDDF6272E47AE513
                                                                                                                                                                  File Content Preview:PK..........!.........T.......[Content_Types].xml ...(.........................................................................................................................................................................................................
                                                                                                                                                                  Icon Hash:74f4c4c6c1cac4d8
                                                                                                                                                                  Document Type:OpenXML
                                                                                                                                                                  Number of OLE Files:1
                                                                                                                                                                  Has Summary Info:
                                                                                                                                                                  Application Name:
                                                                                                                                                                  Encrypted Document:False
                                                                                                                                                                  Contains Word Document Stream:True
                                                                                                                                                                  Contains Workbook/Book Stream:False
                                                                                                                                                                  Contains PowerPoint Document Stream:False
                                                                                                                                                                  Contains Visio Document Stream:False
                                                                                                                                                                  Contains ObjectPool Stream:False
                                                                                                                                                                  Flash Objects Count:0
                                                                                                                                                                  Contains VBA Macros:False
                                                                                                                                                                  Author:
                                                                                                                                                                  Template:
                                                                                                                                                                  Last Saved By:
                                                                                                                                                                  Revision Number:1
                                                                                                                                                                  Total Edit Time:1
                                                                                                                                                                  Create Time:2022-09-11T20:26:00Z
                                                                                                                                                                  Last Saved Time:2022-09-11T20:27:00Z
                                                                                                                                                                  Number of Pages:1
                                                                                                                                                                  Number of Words:3
                                                                                                                                                                  Number of Characters:21
                                                                                                                                                                  Creating Application:
                                                                                                                                                                  Security:0
                                                                                                                                                                  Number of Lines:1
                                                                                                                                                                  Number of Paragraphs:1
                                                                                                                                                                  Thumbnail Scaling Desired:false
                                                                                                                                                                  Company:
                                                                                                                                                                  Contains Dirty Links:false
                                                                                                                                                                  Shared Document:false
                                                                                                                                                                  Changed Hyperlinks:false
                                                                                                                                                                  Application Version:14.0000
                                                                                                                                                                  General
                                                                                                                                                                  Stream Path:\x1CompObj
                                                                                                                                                                  File Type:data
                                                                                                                                                                  Stream Size:72
                                                                                                                                                                  Entropy:3.8231129765226823
                                                                                                                                                                  Base64 Encoded:False
                                                                                                                                                                  Data ASCII:. . . . . . . / . { . . . Z @ . . . . P a c k a g e . . . . . . . . . P a c k a g e . 9 q . . . . . . . . . . . .
                                                                                                                                                                  Data Raw:01 00 fe ff 03 0a 00 00 ff ff ff ff 20 a7 0d f2 2f c0 ce 11 92 7b 08 00 09 5a e3 40 08 00 00 00 50 61 63 6b 61 67 65 00 00 00 00 00 08 00 00 00 50 61 63 6b 61 67 65 00 f4 39 b2 71 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                                                                  General
                                                                                                                                                                  Stream Path:\x1Ole
                                                                                                                                                                  File Type:data
                                                                                                                                                                  Stream Size:20
                                                                                                                                                                  Entropy:0.8475846798245739
                                                                                                                                                                  Base64 Encoded:False
                                                                                                                                                                  Data ASCII:. . . . . . . . . . . . . . . . . . . .
                                                                                                                                                                  Data Raw:01 00 00 02 04 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
                                                                                                                                                                  General
                                                                                                                                                                  Stream Path:\x1Ole10Native
                                                                                                                                                                  File Type:data
                                                                                                                                                                  Stream Size:165046
                                                                                                                                                                  Entropy:7.9974019330364134
                                                                                                                                                                  Base64 Encoded:True
                                                                                                                                                                  Data ASCII:. . . . a 0 v 2 H 8 . j a r . C : \\ U s e r s \\ M I C R O S O F T \\ A p p D a t a \\ L o c a l \\ M i c r o s o f t \\ W i n d o w s \\ I N e t C a c h e \\ C o n t e n t . W o r d \\ a 0 v 2 H 8 . j a r . . . . . W . . . C : \\ U s e r s \\ M I C R O S ~ 1 \\ A p p D a t a \\ L o c a l \\ T e m p \\ { 6 1 6 8 B 7 1 6 - 2 6 0 4 - 4 F 6 B - B 0 F 1 - C C A D 4 0 6 6 7 2 3 F } \\ a 0 v 2 H 8 . j a r . y . . P K . . . . . . . . . + U ~ . . . . . . . . . . M E T A - I N F / M A N I F E S T . M F M L K - . . K - * . R 0 3 r
                                                                                                                                                                  Data Raw:b2 84 02 00 02 00 61 30 76 32 48 38 2e 6a 61 72 00 43 3a 5c 55 73 65 72 73 5c 4d 49 43 52 4f 53 4f 46 54 5c 41 70 70 44 61 74 61 5c 4c 6f 63 61 6c 5c 4d 69 63 72 6f 73 6f 66 74 5c 57 69 6e 64 6f 77 73 5c 49 4e 65 74 43 61 63 68 65 5c 43 6f 6e 74 65 6e 74 2e 57 6f 72 64 5c 61 30 76 32 48 38 2e 6a 61 72 00 00 00 03 00 57 00 00 00 43 3a 5c 55 73 65 72 73 5c 4d 49 43 52 4f 53 7e 31 5c
                                                                                                                                                                  General
                                                                                                                                                                  Stream Path:\x3ObjInfo
                                                                                                                                                                  File Type:data
                                                                                                                                                                  Stream Size:6
                                                                                                                                                                  Entropy:1.7924812503605778
                                                                                                                                                                  Base64 Encoded:False
                                                                                                                                                                  Data ASCII:@ . . . . .
                                                                                                                                                                  Data Raw:40 00 03 00 01 00
                                                                                                                                                                  No network behavior found

                                                                                                                                                                  Target ID:0
                                                                                                                                                                  Start time:13:53:04
                                                                                                                                                                  Start date:12/09/2022
                                                                                                                                                                  Path:C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE
                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                  Commandline:"C:\Program Files (x86)\Microsoft Office\Office16\WINWORD.EXE" /Automation -Embedding
                                                                                                                                                                  Imagebase:0x90000
                                                                                                                                                                  File size:1937688 bytes
                                                                                                                                                                  MD5 hash:0B9AB9B9C4DE429473D6450D4297A123
                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                  Reputation:high

                                                                                                                                                                  Target ID:10
                                                                                                                                                                  Start time:13:53:27
                                                                                                                                                                  Start date:12/09/2022
                                                                                                                                                                  Path:C:\Windows\splwow64.exe
                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                  Commandline:C:\Windows\splwow64.exe 12288
                                                                                                                                                                  Imagebase:0x7ff7830b0000
                                                                                                                                                                  File size:130560 bytes
                                                                                                                                                                  MD5 hash:8D59B31FF375059E3C32B17BF31A76D5
                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                  Reputation:high

                                                                                                                                                                  Target ID:13
                                                                                                                                                                  Start time:13:53:33
                                                                                                                                                                  Start date:12/09/2022
                                                                                                                                                                  Path:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                  Commandline:"C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe" -jar "C:\Users\user\AppData\Local\Temp\a0v2H8.jar"
                                                                                                                                                                  Imagebase:0xf70000
                                                                                                                                                                  File size:192376 bytes
                                                                                                                                                                  MD5 hash:4BFEB2F64685DA09DEBB95FB981D4F65
                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                  Programmed in:Java
                                                                                                                                                                  Yara matches:
                                                                                                                                                                  • Rule: JoeSecurity_AdWind_2, Description: Yara detected AdWind RAT, Source: 0000000D.00000002.339042980.000000000458C000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security
                                                                                                                                                                  Reputation:high

                                                                                                                                                                  Target ID:14
                                                                                                                                                                  Start time:13:53:34
                                                                                                                                                                  Start date:12/09/2022
                                                                                                                                                                  Path:C:\Windows\SysWOW64\icacls.exe
                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                  Commandline:C:\Windows\system32\icacls.exe C:\ProgramData\Oracle\Java\.oracle_jre_usage /grant "everyone":(OI)(CI)M
                                                                                                                                                                  Imagebase:0x980000
                                                                                                                                                                  File size:29696 bytes
                                                                                                                                                                  MD5 hash:FF0D1D4317A44C951240FAE75075D501
                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                  Reputation:high

                                                                                                                                                                  Target ID:15
                                                                                                                                                                  Start time:13:53:34
                                                                                                                                                                  Start date:12/09/2022
                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                  Imagebase:0x7ff745070000
                                                                                                                                                                  File size:625664 bytes
                                                                                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                  Reputation:high

                                                                                                                                                                  Target ID:17
                                                                                                                                                                  Start time:13:53:36
                                                                                                                                                                  Start date:12/09/2022
                                                                                                                                                                  Path:C:\Windows\SysWOW64\wbem\WMIC.exe
                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                  Commandline:wmic CPU get ProcessorId
                                                                                                                                                                  Imagebase:0x880000
                                                                                                                                                                  File size:391680 bytes
                                                                                                                                                                  MD5 hash:79A01FCD1C8166C5642F37D1E0FB7BA8
                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                  Reputation:high

                                                                                                                                                                  Target ID:18
                                                                                                                                                                  Start time:13:53:37
                                                                                                                                                                  Start date:12/09/2022
                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                  Imagebase:0x7ff745070000
                                                                                                                                                                  File size:625664 bytes
                                                                                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                  Reputation:high

                                                                                                                                                                  Target ID:19
                                                                                                                                                                  Start time:13:53:42
                                                                                                                                                                  Start date:12/09/2022
                                                                                                                                                                  Path:C:\Windows\SysWOW64\wbem\WMIC.exe
                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                  Commandline:wmic bios get serialnumber
                                                                                                                                                                  Imagebase:0x880000
                                                                                                                                                                  File size:391680 bytes
                                                                                                                                                                  MD5 hash:79A01FCD1C8166C5642F37D1E0FB7BA8
                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                  Reputation:high

                                                                                                                                                                  Target ID:20
                                                                                                                                                                  Start time:13:53:42
                                                                                                                                                                  Start date:12/09/2022
                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                  Imagebase:0x7ff745070000
                                                                                                                                                                  File size:625664 bytes
                                                                                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                  Reputation:high

                                                                                                                                                                  Target ID:21
                                                                                                                                                                  Start time:13:53:44
                                                                                                                                                                  Start date:12/09/2022
                                                                                                                                                                  Path:C:\Windows\SysWOW64\wbem\WMIC.exe
                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                  Commandline:wmic csproduct get name
                                                                                                                                                                  Imagebase:0x880000
                                                                                                                                                                  File size:391680 bytes
                                                                                                                                                                  MD5 hash:79A01FCD1C8166C5642F37D1E0FB7BA8
                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                  Reputation:high

                                                                                                                                                                  Target ID:22
                                                                                                                                                                  Start time:13:53:44
                                                                                                                                                                  Start date:12/09/2022
                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                  Imagebase:0x7ff745070000
                                                                                                                                                                  File size:625664 bytes
                                                                                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                                                                  Target ID:23
                                                                                                                                                                  Start time:13:53:46
                                                                                                                                                                  Start date:12/09/2022
                                                                                                                                                                  Path:C:\Windows\SysWOW64\wbem\WMIC.exe
                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                  Commandline:wmic csproduct get UUID
                                                                                                                                                                  Imagebase:0x880000
                                                                                                                                                                  File size:391680 bytes
                                                                                                                                                                  MD5 hash:79A01FCD1C8166C5642F37D1E0FB7BA8
                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                                                                  Target ID:24
                                                                                                                                                                  Start time:13:53:46
                                                                                                                                                                  Start date:12/09/2022
                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                  Imagebase:0x7ff745070000
                                                                                                                                                                  File size:625664 bytes
                                                                                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                                                                  Target ID:25
                                                                                                                                                                  Start time:13:53:48
                                                                                                                                                                  Start date:12/09/2022
                                                                                                                                                                  Path:C:\Windows\SysWOW64\cmd.exe
                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                  Commandline:cmd.exe /c ver
                                                                                                                                                                  Imagebase:0xb0000
                                                                                                                                                                  File size:232960 bytes
                                                                                                                                                                  MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                                                                  Target ID:26
                                                                                                                                                                  Start time:13:53:48
                                                                                                                                                                  Start date:12/09/2022
                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                  Imagebase:0x7ff745070000
                                                                                                                                                                  File size:625664 bytes
                                                                                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                                                                  Target ID:29
                                                                                                                                                                  Start time:13:53:55
                                                                                                                                                                  Start date:12/09/2022
                                                                                                                                                                  Path:C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe
                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                  Commandline:"C:\Program Files (x86)\Java\jre1.8.0_211\bin\javaw.exe" -jar "C:\Users\user\AppData\Local\Temp\a0v2H8.jar"
                                                                                                                                                                  Imagebase:0xf70000
                                                                                                                                                                  File size:192376 bytes
                                                                                                                                                                  MD5 hash:4BFEB2F64685DA09DEBB95FB981D4F65
                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                  Programmed in:C, C++ or other language
                                                                                                                                                                  Yara matches:
                                                                                                                                                                  • Rule: JoeSecurity_AdWind_2, Description: Yara detected AdWind RAT, Source: 0000001D.00000002.391533154.0000000004F88000.00000004.00000800.00020000.00000000.sdmp, Author: Joe Security

                                                                                                                                                                  Target ID:30
                                                                                                                                                                  Start time:13:54:04
                                                                                                                                                                  Start date:12/09/2022
                                                                                                                                                                  Path:C:\Windows\SysWOW64\wbem\WMIC.exe
                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                  Commandline:wmic CPU get ProcessorId
                                                                                                                                                                  Imagebase:0x880000
                                                                                                                                                                  File size:391680 bytes
                                                                                                                                                                  MD5 hash:79A01FCD1C8166C5642F37D1E0FB7BA8
                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                                                                  Target ID:31
                                                                                                                                                                  Start time:13:54:04
                                                                                                                                                                  Start date:12/09/2022
                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                  Imagebase:0x7ff745070000
                                                                                                                                                                  File size:625664 bytes
                                                                                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                                                                  Target ID:32
                                                                                                                                                                  Start time:13:54:06
                                                                                                                                                                  Start date:12/09/2022
                                                                                                                                                                  Path:C:\Windows\SysWOW64\wbem\WMIC.exe
                                                                                                                                                                  Wow64 process (32bit):true
                                                                                                                                                                  Commandline:wmic bios get serialnumber
                                                                                                                                                                  Imagebase:0x880000
                                                                                                                                                                  File size:391680 bytes
                                                                                                                                                                  MD5 hash:79A01FCD1C8166C5642F37D1E0FB7BA8
                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                                                                  Target ID:33
                                                                                                                                                                  Start time:13:54:06
                                                                                                                                                                  Start date:12/09/2022
                                                                                                                                                                  Path:C:\Windows\System32\conhost.exe
                                                                                                                                                                  Wow64 process (32bit):false
                                                                                                                                                                  Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
                                                                                                                                                                  Imagebase:0x7ff745070000
                                                                                                                                                                  File size:625664 bytes
                                                                                                                                                                  MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
                                                                                                                                                                  Has elevated privileges:true
                                                                                                                                                                  Has administrator privileges:true
                                                                                                                                                                  Programmed in:C, C++ or other language

                                                                                                                                                                  Target ID:34
Start time:13:54:08
Start date:12/09/2022
Path:C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit):true
Commandline:wmic csproduct get name
Imagebase:0x880000
File size:391680 bytes
MD5 hash:79A01FCD1C8166C5642F37D1E0FB7BA8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Target ID:35
Start time:13:54:08
Start date:12/09/2022
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff745070000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Target ID:36
Start time:13:54:10
Start date:12/09/2022
Path:C:\Windows\SysWOW64\wbem\WMIC.exe
Wow64 process (32bit):true
Commandline:wmic csproduct get UUID
Imagebase:0x880000
File size:391680 bytes
MD5 hash:79A01FCD1C8166C5642F37D1E0FB7BA8
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Target ID:37
Start time:13:54:10
Start date:12/09/2022
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff745070000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Target ID:38
Start time:13:54:12
Start date:12/09/2022
Path:C:\Windows\SysWOW64\cmd.exe
Wow64 process (32bit):true
Commandline:cmd.exe /c ver
Imagebase:0xb0000
File size:232960 bytes
MD5 hash:F3BDBE3BB6F734E357235F4D5898582D
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

Target ID:39
Start time:13:54:12
Start date:12/09/2022
Path:C:\Windows\System32\conhost.exe
Wow64 process (32bit):false
Commandline:C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
Imagebase:0x7ff745070000
File size:625664 bytes
MD5 hash:EA777DEEA782E8B4D7C7C33BBF8A4496
Has elevated privileges:true
Has administrator privileges:true
Programmed in:C, C++ or other language

No disassembly