Analysis Report

Overview

General Information

Joe Sandbox Version:	22.0.0
Analysis ID:	53179
Start time:	09:11:46
Joe Sandbox Product:	CloudBasic
Start date:	04.04.2018
Overall analysis duration:	0h 7m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Sample file name:	NEW ORDER .LIST 105.jar
Cookbook file name:	defaultwindowsfilecookbook.jbs
Analysis system description:	Windows 7 SP1 (with Office 2010 SP2, IE 11, FF 54, Chrome 60, Acrobat Reader DC 17, Flash 26, Java 8.0.1440.1)
Number of analysed new started processes analysed:	23
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies	HCA enabled EGA enabled HDC enabled
Analysis stop reason:	Timeout
Detection:	MAL
Classification:	mal96.expl.troj.winJAR@27/212@5/2
HCA Information:	Successful, ratio: 100% Number of executed functions: 0 Number of non-executed functions: 0
EGA Information:	Failed
HDC Information:	Failed
Cookbook Comments:	Adjust boot time Correcting counters for adjusted boot time
Warnings:	Show All Exclude process from analysis (whitelisted): conhost.exe Report size getting too big, too many NtAllocateVirtualMemory calls found. Report size getting too big, too many NtOpenFile calls found. Report size getting too big, too many NtQueryDirectoryFile calls found. Report size getting too big, too many NtQueryValueKey calls found. Report size getting too big, too many NtQueryVolumeInformationFile calls found. Report size getting too big, too many NtReadFile calls found. Report size getting too big, too many NtSetInformationFile calls found. Skipping Hybrid Code Analysis (implementation is based on Java, .Net, VB or Delphi, or parses a document) for: cmd.exe, java.exe, java.exe

Detection

Strategy	Score	Range	Reporting	Detection
Threshold	96	0 - 100	Report FP / FN

Confidence

Strategy	Score	Range	Further Analysis Required?	Confidence
Threshold	5	0 - 5	false

Classification

Analysis Advice

Sample drops PE files which have not been started, submit dropped PE samples for a secondary analysis to Joe Sandbox

Signature Overview

Click to jump to signature section

AV Detection:

Multi AV Scanner detection for domain / URL

Show sources

Source: vvrhhhnaijyj6s2m.onion.top

virustotal: Detection: 13%

Perma Link

Multi AV Scanner detection for submitted file

Show sources

Source: NEW ORDER .LIST 105.jar

virustotal: Detection: 43%

Perma Link

Software Vulnerabilities:

Exploit detected, runtime environment starts unknown processes

Show sources

Source: C:\Program Files\Java\jre1.8.0_144\bin\java.exe

Process created: C:\Windows\System32\cmd.exe

Jump to behavior

Networking:

Uses TOR for connection hidding

Show sources

Source: unknown	DNS query: name: vvrhhhnaijyj6s2m.onion.top
Source: unknown	DNS query: name: vvrhhhnaijyj6s2m.onion.top
Source: unknown	DNS query: name: vvrhhhnaijyj6s2m.onion.top
Source: unknown	DNS query: name: vvrhhhnaijyj6s2m.onion.top
Source: unknown	DNS query: name: vvrhhhnaijyj6s2m.onion.top

Found strings which match to known social media urls

Show sources

Source: jfxrt.jar.17.dr

String found in binary or memory: // www.yahoo.com.by, for example), so we list it here for safety's sake. equals www.yahoo.com (Yahoo)

Performs DNS lookups

Show sources

Source: unknown

DNS traffic detected: queries for: vvrhhhnaijyj6s2m.onion.top

Urls found in memory or binary data

Show sources

Source: deploy.jar.17.dr, plugin.jar.17.dr, jfxwebkit.dll.17.dr	String found in binary or memory: file://
Source: deploy.jar.17.dr, plugin.jar.17.dr, jfxwebkit.dll.17.dr	String found in binary or memory: file:///
Source: deploy.jar.17.dr	String found in binary or memory: file:////
Source: deploy.jar.17.dr	String found in binary or memory: file://///
Source: jfxwebkit.dll.17.dr	String found in binary or memory: file:///0123456789abcdef0123456789ABCDEF-4
Source: java.exe	String found in binary or memory: file:///C:/Program%20Files/Java/jre1.8.0_144/lib/charsets.jar
Source: java.exe	String found in binary or memory: file:///C:/Program%20Files/Java/jre1.8.0_144/lib/ext/access-bridge.jar
Source: java.exe	String found in binary or memory: file:///C:/Program%20Files/Java/jre1.8.0_144/lib/ext/cldrdata.jar
Source: java.exe	String found in binary or memory: file:///C:/Program%20Files/Java/jre1.8.0_144/lib/ext/dnsns.jar
Source: java.exe	String found in binary or memory: file:///C:/Program%20Files/Java/jre1.8.0_144/lib/ext/jaccess.jar
Source: java.exe	String found in binary or memory: file:///C:/Program%20Files/Java/jre1.8.0_144/lib/ext/jfxrt.jar
Source: java.exe	String found in binary or memory: file:///C:/Program%20Files/Java/jre1.8.0_144/lib/ext/localedata.jar
Source: java.exe	String found in binary or memory: file:///C:/Program%20Files/Java/jre1.8.0_144/lib/ext/nashorn.jar
Source: java.exe	String found in binary or memory: file:///C:/Program%20Files/Java/jre1.8.0_144/lib/ext/sunec.jar
Source: java.exe	String found in binary or memory: file:///C:/Program%20Files/Java/jre1.8.0_144/lib/ext/sunjce_provider.jar
Source: java.exe	String found in binary or memory: file:///C:/Program%20Files/Java/jre1.8.0_144/lib/ext/sunmscapi.jar
Source: java.exe	String found in binary or memory: file:///C:/Program%20Files/Java/jre1.8.0_144/lib/ext/sunpkcs11.jar
Source: java.exe	String found in binary or memory: file:///C:/Program%20Files/Java/jre1.8.0_144/lib/ext/zipfs.jar
Source: java.exe	String found in binary or memory: file:///C:/Program%20Files/Java/jre1.8.0_144/lib/jce.jar
Source: java.exe	String found in binary or memory: file:///C:/Program%20Files/Java/jre1.8.0_144/lib/jfr.jar
Source: java.exe	String found in binary or memory: file:///C:/Program%20Files/Java/jre1.8.0_144/lib/jsse.jar
Source: java.exe	String found in binary or memory: file:///C:/Program%20Files/Java/jre1.8.0_144/lib/resources.jar
Source: java.exe	String found in binary or memory: file:///C:/Program%20Files/Java/jre1.8.0_144/lib/rt.jar
Source: java.exe	String found in binary or memory: file:///C:/Users/Herb%20Blackburn/AppData/Local/Temp/jartracer.jar
Source: java.exe	String found in binary or memory: file:///C:/Users/Herb%20Blackburn/Desktop/NEW%20ORDER%20.LIST%20105.jar
Source: jfxwebkit.dll.17.dr	String found in binary or memory: file:///etc/xml/catalog
Source: deployJava1.dll.17.dr	String found in binary or memory: file://deployHelperhttps://HTTP/1.1GETRange:
Source: deployJava1.dll.17.dr	String found in binary or memory: file://file:/Error:%08x
Source: jfxwebkit.dll.17.dr	String found in binary or memory: file://file__0
Source: glib-lite.dll.17.dr	String found in binary or memory: file://localhostThe
Source: rt.jar.17.dr, deploy.jar.17.dr, plugin.jar.17.dr, javaws.jar.17.dr	String found in binary or memory: http://
Source: jfxrt.jar.17.dr	String found in binary or memory: http://about.museum/naming/
Source: java.exe	String found in binary or memory: http://apache.o
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/features/
Source: java.exe	String found in binary or memory: http://apache.org/xml/features/#
Source: java.exe	String found in binary or memory: http://apache.org/xml/features/3
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/features/allow-java-encodings
Source: java.exe	String found in binary or memory: http://apache.org/xml/features/allow-java-encodingsc
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/features/continue-after-fatal-error
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/features/create-cdata-nodes
Source: resources.jar.17.dr	String found in binary or memory: http://apache.org/xml/features/disallow-doctype-decl
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/features/dom/create-entity-ref-nodes
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/features/dom/defer-node-expansion
Source: java.exe	String found in binary or memory: http://apache.org/xml/features/dom/defer-node-expansion9
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/features/dom/include-ignorable-whitespace
Source: java.exe	String found in binary or memory: http://apache.org/xml/features/dom/include-ignorable-whitespace/
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/features/generate-synthetic-annotations
Source: java.exe	String found in binary or memory: http://apache.org/xml/features/generate-synthetic-annotations9
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/features/honour-all-schemaLocations
Source: java.exe	String found in binary or memory: http://apache.org/xml/features/honour-all-schemaLocationsC
Source: java.exe	String found in binary or memory: http://apache.org/xml/features/honour-all-schemaLocationsz%
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/features/include-comments
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/features/internal/parser-settings
Source: java.exe	String found in binary or memory: http://apache.org/xml/features/internal/parser-settings7
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/features/internal/tolerate-duplicates
Source: java.exe	String found in binary or memory: http://apache.org/xml/features/internal/tolerate-duplicatesO
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/features/internal/validation/schema/use-grammar-pool-only
Source: java.exe	String found in binary or memory: http://apache.org/xml/features/internal/validation/schema/use-grammar-pool-only/
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/features/namespace-growth
Source: rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/features/namespaces
Source: java.exe, rt.jar.17.dr, deploy.jar.17.dr	String found in binary or memory: http://apache.org/xml/features/nonvalidating/load-external-dtd
Source: java.exe	String found in binary or memory: http://apache.org/xml/features/nonvalidating/load-external-dtdS
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/features/scanner/notify-builtin-refs
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/features/scanner/notify-char-refs
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/features/standard-uri-conformant
Source: java.exe	String found in binary or memory: http://apache.org/xml/features/standard-uri-conformant3
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/features/validate-annotations
Source: rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/features/validation
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/features/validation/balance-syntax-trees
Source: java.exe	String found in binary or memory: http://apache.org/xml/features/validation/balance-syntax-treesK
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/features/validation/dynamic
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/features/validation/schema
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/features/validation/schema-full-checking
Source: java.exe	String found in binary or memory: http://apache.org/xml/features/validation/schema-full-checking%
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/features/validation/schema/augment-psvi
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/features/validation/schema/element-default
Source: java.exe	String found in binary or memory: http://apache.org/xml/features/validation/schema/element-defaultA
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/features/validation/schema/normalized-value
Source: java.exe	String found in binary or memory: http://apache.org/xml/features/validation/schema/normalized-valueB
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/features/validation/warn-on-duplicate-attdef
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/features/validation/warn-on-undeclared-elemdef
Source: java.exe	String found in binary or memory: http://apache.org/xml/features/validation/warn-on-undeclared-elemdef:
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/features/warn-on-duplicate-entitydef
Source: java.exe	String found in binary or memory: http://apache.org/xml/features/warn-on-duplicate-entitydefc
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/features/xinclude
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/features/xinclude/fixup-base-uris
Source: java.exe	String found in binary or memory: http://apache.org/xml/features/xinclude/fixup-base-uris6
Source: java.exe	String found in binary or memory: http://apache.org/xml/features/xinclude/fixup-base-urisC
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/features/xinclude/fixup-language
Source: java.exe	String found in binary or memory: http://apache.org/xml/features/xinclude/fixup-language%
Source: java.exe	String found in binary or memory: http://apache.org/xml/features/xinclude1
Source: java.exe	String found in binary or memory: http://apache.org/xml/features/xincludex
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/properties/
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/properties/dom/current-element-node
Source: java.exe	String found in binary or memory: http://apache.org/xml/properties/dom/current-element-node9
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/properties/dom/document-class-name
Source: java.exe	String found in binary or memory: http://apache.org/xml/properties/dom/document-class-name$
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/properties/input-buffer-size
Source: java.exe	String found in binary or memory: http://apache.org/xml/properties/input-buffer-size3
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/properties/internal/datatype-validator-factory
Source: java.exe	String found in binary or memory: http://apache.org/xml/properties/internal/datatype-validator-factory:
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/properties/internal/document-scanner
Source: java.exe	String found in binary or memory: http://apache.org/xml/properties/internal/document-scanner%
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/properties/internal/dtd-processor
Source: java.exe	String found in binary or memory: http://apache.org/xml/properties/internal/dtd-processor5
Source: java.exe	String found in binary or memory: http://apache.org/xml/properties/internal/dtd-processorc
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/properties/internal/dtd-scanner
Source: java.exe	String found in binary or memory: http://apache.org/xml/properties/internal/dtd-scanner8
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/properties/internal/entity-manager
Source: java.exe	String found in binary or memory: http://apache.org/xml/properties/internal/entity-manager8
Source: java.exe	String found in binary or memory: http://apache.org/xml/properties/internal/entity-managerk
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/properties/internal/entity-resolver
Source: java.exe	String found in binary or memory: http://apache.org/xml/properties/internal/entity-resolver7
Source: java.exe	String found in binary or memory: http://apache.org/xml/properties/internal/entity-resolverC
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/properties/internal/error-handler
Source: java.exe	String found in binary or memory: http://apache.org/xml/properties/internal/error-handler6
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/properties/internal/error-reporter
Source: java.exe	String found in binary or memory: http://apache.org/xml/properties/internal/error-reporter:
Source: java.exe	String found in binary or memory: http://apache.org/xml/properties/internal/error-reporter;
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/properties/internal/grammar-pool
Source: java.exe	String found in binary or memory: http://apache.org/xml/properties/internal/grammar-pool6
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/properties/internal/namespace-binder
Source: java.exe	String found in binary or memory: http://apache.org/xml/properties/internal/namespace-binder%
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/properties/internal/namespace-context
Source: java.exe	String found in binary or memory: http://apache.org/xml/properties/internal/namespace-context:
Source: java.exe	String found in binary or memory: http://apache.org/xml/properties/internal/namespace-context;
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/properties/internal/stax-entity-resolver
Source: java.exe	String found in binary or memory: http://apache.org/xml/properties/internal/stax-entity-resolverg/=
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/properties/internal/symbol-table
Source: java.exe	String found in binary or memory: http://apache.org/xml/properties/internal/symbol-tableQ
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/properties/internal/validation-manager
Source: java.exe	String found in binary or memory: http://apache.org/xml/properties/internal/validation-managerK
Source: java.exe	String found in binary or memory: http://apache.org/xml/properties/internal/validation-managerS
Source: java.exe	String found in binary or memory: http://apache.org/xml/properties/internal/validation-managerSF
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/properties/internal/validation/schema/dv-factory
Source: java.exe	String found in binary or memory: http://apache.org/xml/properties/internal/validation/schema/dv-factory3
Source: java.exe	String found in binary or memory: http://apache.org/xml/properties/internal/validation/schema/dv-factory7
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/properties/internal/validator/dtd
Source: java.exe	String found in binary or memory: http://apache.org/xml/properties/internal/validator/dtd:
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/properties/internal/validator/schema
Source: java.exe	String found in binary or memory: http://apache.org/xml/properties/internal/validator/schema8
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/properties/internal/xinclude-handler
Source: java.exe	String found in binary or memory: http://apache.org/xml/properties/internal/xinclude-handler#
Source: rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/properties/internal/xpointer-handler
Source: java.exe	String found in binary or memory: http://apache.org/xml/properties/kqu
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/properties/locale
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/properties/schema/external-noNamespaceSchemaLocation
Source: java.exe	String found in binary or memory: http://apache.org/xml/properties/schema/external-noNamespaceSchemaLocation%
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/properties/schema/external-schemaLocation
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/properties/security-manager
Source: java.exe	String found in binary or memory: http://apache.org/xml/properties/security-manager(c
Source: java.exe	String found in binary or memory: http://apache.org/xml/properties/security-manager8
Source: resources.jar.17.dr	String found in binary or memory: http://apache.org/xml/properties/xpointer-schema
Source: resources.jar.17.dr	String found in binary or memory: http://apache.org/xml/properties/xpointer-schema.
Source: rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/serializer
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://apache.org/xml/xmlschema/1.0/anonymousTypes
Source: java.exe	String found in binary or memory: http://apache.org/xml/xmlschema/1.0/anonymousTypes/
Source: jvm.dll.17.dr	String found in binary or memory: http://bugreport.java.com/bugreport/crash.jsp
Source: jvm.dll.17.dr	String found in binary or memory: http://bugreport.java.com/bugreport/crash.jspVM
Source: java.exe, java.dll.17.dr	String found in binary or memory: http://bugreport.sun.com/bugreport/
Source: java.dll.17.dr	String found in binary or memory: http://bugreport.sun.com/bugreport/java.vendor.url.bughttp://java.oracle.com/java.vendor.urljava.ven
Source: deploy.jar.17.dr	String found in binary or memory: http://bugs.sun.com
Source: gstreamer-lite.dll.17.dr	String found in binary or memory: http://bugzilla.gnome.org/enter_bug.cgi?product=GStreamer.
Source: gstreamer-lite.dll.17.dr	String found in binary or memory: http://bugzilla.gnome.org/enter_bug.cgi?product=GStreamer.GStreamer
Source: gstreamer-lite.dll.17.dr	String found in binary or memory: http://bugzilla.gnome.org/enter_bug.cgi?product=GStreamer.Internal
Source: gstreamer-lite.dll.17.dr	String found in binary or memory: http://bugzilla.gnome.org/enter_bug.cgi?product=GStreamer.This
Source: gstreamer-lite.dll.17.dr	String found in binary or memory: http://bugzilla.gnome.org/enter_bug.cgi?product=GStreamer.Your
Source: jfxrt.jar.17.dr	String found in binary or memory: http://cenpac.net.nr/dns/index.html
Source: jfxrt.jar.17.dr	String found in binary or memory: http://cnnic.cn/html/Dir/2005/10/11/3218.htm
Source: java.exe	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html
Source: java.exe, cacerts.17.dr	String found in binary or memory: http://cps.chambersign.org/cps/chambersroot.html0
Source: java.exe	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl
Source: java.exe, cacerts.17.dr	String found in binary or memory: http://crl.chambersign.org/chambersroot.crl0
Source: java.exe	String found in binary or memory: http://crl.comodo.net/AAACertificateServices.crl
Source: java.exe, cacerts.17.dr	String found in binary or memory: http://crl.comodo.net/AAACertificateServices.crl0
Source: java.exe	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl
Source: java.exe, cacerts.17.dr	String found in binary or memory: http://crl.comodoca.com/AAACertificateServices.crl06
Source: java.exe	String found in binary or memory: http://crl.globalsign.net/root-r2.crl
Source: java.exe, cacerts.17.dr	String found in binary or memory: http://crl.globalsign.net/root-r2.crl0
Source: java.exe	String found in binary or memory: http://crl.securetrust.com/STCA.crl
Source: java.exe, cacerts.17.dr	String found in binary or memory: http://crl.securetrust.com/STCA.crl0
Source: ssv.dll.17.dr, prism_sw.dll.17.dr, ktab.exe.17.dr, glass.dll.17.dr	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: java.exe	String found in binary or memory: http://crl.usertrust.com/UTN-USERFirst-ClientAuthenticationandEmail.crl
Source: java.exe, cacerts.17.dr	String found in binary or memory: http://crl.usertrust.com/UTN-USERFirst-ClientAuthenticationandEmail.crl0
Source: java.exe	String found in binary or memory: http://crl.usertrust.com/UTN-USERFirst-Hardware.crl
Source: java.exe, cacerts.17.dr	String found in binary or memory: http://crl.usertrust.com/UTN-USERFirst-Hardware.crl01
Source: java.exe	String found in binary or memory: http://crl.usertrust.com/UTN-USERFirst-Object.crl
Source: java.exe, cacerts.17.dr	String found in binary or memory: http://crl.usertrust.com/UTN-USERFirst-Object.crl0)
Source: java.exe	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl
Source: java.exe, cacerts.17.dr	String found in binary or memory: http://crl.xrampsecurity.com/XGCA.crl0
Source: deploy.jar.17.dr, javaws.jar.17.dr	String found in binary or memory: http://dl.javafx.com/javafx-cache.jnlp
Source: deploy.jar.17.dr, javaws.jar.17.dr	String found in binary or memory: http://dl.javafx.com/javafx-rt.jnlp
Source: jfxrt.jar.17.dr	String found in binary or memory: http://dns.marnet.net.mk/postapka.php
Source: jfxrt.jar.17.dr	String found in binary or memory: http://domain.nida.or.kr/eng/registration.jsp
Source: Welcome.html.17.dr	String found in binary or memory: http://download.oracle.com/javase/7/docs/technotes/guides/plugin/
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.ac
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.ad
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.ae
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.am
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.ao
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.aq
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.ar
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.arpa
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.as
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.asia
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.at
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.au
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.aw
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.ax
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.az
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.ba
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.bb
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.bd
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.be
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.bf
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.bg
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.bh
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.bi
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.biz
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.bj
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.bn
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.bt
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.bw
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.by
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.bz
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.ca
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.cat
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.cc
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.cd
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.cf
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.cg
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.ch
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.ci
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.ck
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.cl
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.cm
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.cn
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.co
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.com
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.coop
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.cu
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.cv
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.cx
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.cy
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.cz
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.de
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.dj
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.dk
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.dm
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.do
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.dz
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.edu
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.eg
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.er
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.et
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.eu
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.fi
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.fj
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.fk
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.fm
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.fo
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.ga
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.gc.ca
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.gd
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.gf
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.gh
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.gl
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.gov
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.gq
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.gs
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.gw
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.gy
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.hm
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.id
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.ie
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.il
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.in
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.info
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.int
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.it
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.jobs
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.jp
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.km
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.kn
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.kr
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.kw
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.kz
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.la
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.lb
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.lc
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.li
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.local
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.ls
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.lt
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.ma
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.md
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.me
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.mh
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.mil
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.mk
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.ml
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.mm
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.mn
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.mobi
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.mq
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.mr
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.ms
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.mu
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.mv
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.nc.tr
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.ne
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.net
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.nf
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.nu
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.nz
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.om
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.org
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.pg
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.pr
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.ps
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.pw
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.rs
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.se
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.si
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.sk
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.sm
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.sn
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.sr
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.su
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.sy
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.sz
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.tc
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.td
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.tel
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.tf
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.tg
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.th
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.tk
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.tl
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.tn
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.to
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.tr
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.travel
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.tv
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.tw
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.tz
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.uk
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.us
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.va
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.vc
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.vg
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.vu
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.ws
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.zm
Source: jfxrt.jar.17.dr	String found in binary or memory: http://en.wikipedia.org/wiki/.zw
Source: rt.jar.17.dr, jfxwebkit.dll.17.dr	String found in binary or memory: http://exslt.org/common
Source: rt.jar.17.dr	String found in binary or memory: http://exslt.org/common:nodeSet
Source: rt.jar.17.dr	String found in binary or memory: http://exslt.org/common:objectType
Source: rt.jar.17.dr	String found in binary or memory: http://exslt.org/dates-and-times
Source: rt.jar.17.dr	String found in binary or memory: http://exslt.org/math
Source: rt.jar.17.dr	String found in binary or memory: http://exslt.org/sets
Source: rt.jar.17.dr	String found in binary or memory: http://exslt.org/strings
Source: jfxrt.jar.17.dr	String found in binary or memory: http://gadao.gov.gu/registration.txt
Source: THIRDPARTYLICENSEREADME.txt.17.dr	String found in binary or memory: http://hg.openjdk.java.net/jdk8u/jdk8u/jdk/file/tip/src/share/native/sun/security/ec/impl
Source: jfxrt.jar.17.dr	String found in binary or memory: http://hoster.by/
Source: jfxrt.jar.17.dr	String found in binary or memory: http://icmregistry.com
Source: jfxrt.jar.17.dr	String found in binary or memory: http://index.museum/
Source: deploy.jar.17.dr	String found in binary or memory: http://java.com
Source: deploy.jar.17.dr	String found in binary or memory: http://java.com/access_old_java
Source: deploy.jar.17.dr	String found in binary or memory: http://java.com/download
Source: deploy.jar.17.dr	String found in binary or memory: http://java.com/en/download/faq/self_signed.xml
Source: deploy.dll.17.dr	String found in binary or memory: http://java.com/http://www.java.com/http://java.sun.com/OfferedSPCntSoftware
Source: npjp2.dll.17.dr, npdeployJava1.dll.17.dr, jp2launcher.exe.17.dr, jp2iexp.dll.17.dr	String found in binary or memory: http://java.com/inst-dl-redirect
Source: deployJava1.dll.17.dr	String found in binary or memory: http://java.com/inst-dl-redirectCOM
Source: npdeployJava1.dll.17.dr	String found in binary or memory: http://java.com/inst-dl-redirectNPRuntime
Source: deployJava1.dll.17.dr	String found in binary or memory: http://java.com/inst-dl-redirectS
Source: javaws.exe.17.dr	String found in binary or memory: http://java.com/inst-dl-redirectSP
Source: jp2iexp.dll.17.dr	String found in binary or memory: http://java.com/inst-dl-redirect_selflaunchjnlpembeddedWaitForMultipleObjects
Source: npjp2.dll.17.dr	String found in binary or memory: http://java.com/inst-dl-redirectopenS
Source: jp2iexp.dll.17.dr	String found in binary or memory: http://java.com/inst-dl-redirectopenS$
Source: jp2launcher.exe.17.dr	String found in binary or memory: http://java.com/inst-dl-redirectopendeploy.dllADVAPI32.dll
Source: deploy.jar.17.dr	String found in binary or memory: http://java.com/jcpsecurity
Source: eula.dll.17.dr	String found in binary or memory: http://java.com/license
Source: README.txt.17.dr	String found in binary or memory: http://java.com/licensereadme
Source: deploy.jar.17.dr	String found in binary or memory: http://java.com/nativesandbox
Source: deploy.jar.17.dr	String found in binary or memory: http://java.com/sitelistfaq
Source: java.exe, java.dll.17.dr	String found in binary or memory: http://java.oracle.com/
Source: java.exe	String found in binary or memory: http://java.sun.com/dtd/properties.dtd
Source: java.exe	String found in binary or memory: http://java.sun.com/dtd/properties.dtdam
Source: resources.jar.17.dr	String found in binary or memory: http://java.sun.com/j2se/1.6.0/docs/guide/standards/
Source: resources.jar.17.dr	String found in binary or memory: http://java.sun.com/j2se/1.6.0/docs/guide/standards/)
Source: resources.jar.17.dr	String found in binary or memory: http://java.sun.com/j2se/1.6.0/docs/guide/standards/).
Source: deploy.jar.17.dr	String found in binary or memory: http://java.sun.com/products/autodl/j2se
Source: jdwp.dll.17.dr	String found in binary or memory: http://java.sun.com/products/jpda
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://java.sun.com/xml/dom/properties/
Source: java.exe	String found in binary or memory: http://java.sun.com/xml/dom/properties/(
Source: java.exe	String found in binary or memory: http://java.sun.com/xml/dom/properties/;
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://java.sun.com/xml/dom/properties/ancestor-check
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://java.sun.com/xml/jaxp/properties/
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://java.sun.com/xml/jaxp/properties/schemaLanguage
Source: rt.jar.17.dr	String found in binary or memory: http://java.sun.com/xml/jaxp/properties/schemaSource
Source: resources.jar.17.dr	String found in binary or memory: http://java.sun.com/xml/ns/metro/config
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://java.sun.com/xml/schema/features/
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://java.sun.com/xml/schema/features/report-ignored-element-content-whitespace
Source: java.exe	String found in binary or memory: http://java.sun.com/xml/schema/features/report-ignored-element-content-whitespace0
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://java.sun.com/xml/stream/properties/
Source: java.exe	String found in binary or memory: http://java.sun.com/xml/stream/properties//
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://java.sun.com/xml/stream/properties/ignore-external-dtd
Source: java.exe	String found in binary or memory: http://java.sun.com/xml/stream/properties/ignore-external-dtdrg/
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://java.sun.com/xml/stream/properties/reader-in-defined-state
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://java.sun.com/xml/stream/properties/report-cdata-event
Source: fxplugins.dll.17.dr	String found in binary or memory: http://javafx.com/
Source: fxplugins.dll.17.dr	String found in binary or memory: http://javafx.com/vp6decoderflvdemux
Source: deploy.jar.17.dr	String found in binary or memory: http://javaweb.sfbay.sun.com/~hj156752/awtless/fx/installer/fxinstaller.jnlp
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://javax.xml.XMLConstants/feature/secure-processing
Source: java.exe	String found in binary or memory: http://javax.xml.XMLConstants/feature/secure-processing-
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://javax.xml.XMLConstants/property/
Source: java.exe	String found in binary or memory: http://javax.xml.XMLConstants/property/3
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://javax.xml.XMLConstants/property/accessExternalDTD
Source: java.exe	String found in binary or memory: http://javax.xml.XMLConstants/property/accessExternalDTD;
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://javax.xml.XMLConstants/property/accessExternalSchema
Source: rt.jar.17.dr	String found in binary or memory: http://javax.xml.XMLConstants/property/accessExternalStylesheet
Source: rt.jar.17.dr	String found in binary or memory: http://javax.xml.transform.dom.DOMResult/feature
Source: rt.jar.17.dr	String found in binary or memory: http://javax.xml.transform.dom.DOMSource/feature
Source: rt.jar.17.dr	String found in binary or memory: http://javax.xml.transform.sax.SAXResult/feature
Source: rt.jar.17.dr	String found in binary or memory: http://javax.xml.transform.sax.SAXSource/feature
Source: jfr.jar.17.dr, rt.jar.17.dr	String found in binary or memory: http://javax.xml.transform.sax.SAXTransformerFactory/feature
Source: rt.jar.17.dr	String found in binary or memory: http://javax.xml.transform.sax.SAXTransformerFactory/feature/xmlfilter
Source: rt.jar.17.dr	String found in binary or memory: http://javax.xml.transform.stax.StAXResult/feature
Source: rt.jar.17.dr	String found in binary or memory: http://javax.xml.transform.stax.StAXSource/feature
Source: rt.jar.17.dr	String found in binary or memory: http://javax.xml.transform.stream.StreamResult/feature
Source: rt.jar.17.dr	String found in binary or memory: http://javax.xml.transform.stream.StreamSource/feature
Source: rt.jar.17.dr	String found in binary or memory: http://jax-ws.java.net/features/databinding
Source: jfxrt.jar.17.dr	String found in binary or memory: http://jprs.co.jp/en/jpdomain.html
Source: jfxrt.jar.17.dr	String found in binary or memory: http://jprs.jp/doc/rule/saisoku-1.html
Source: THIRDPARTYLICENSEREADME.txt.17.dr	String found in binary or memory: http://mozilla.org/MPL/2.0/.
Source: jfxrt.jar.17.dr	String found in binary or memory: http://nic.ae/english/arabicdomain/rules.jsp
Source: jfxrt.jar.17.dr	String found in binary or memory: http://nic.com.ai/
Source: jfxrt.jar.17.dr	String found in binary or memory: http://nic.gl
Source: jfxrt.jar.17.dr	String found in binary or memory: http://nic.lk
Source: jfxrt.jar.17.dr	String found in binary or memory: http://nic.tn
Source: java.exe	String found in binary or memory: http://null.sun.com/
Source: java.security.17.dr	String found in binary or memory: http://ocsp.example.net:80
Source: ssv.dll.17.dr, prism_sw.dll.17.dr, ktab.exe.17.dr, glass.dll.17.dr	String found in binary or memory: http://ocsp.thawte.com0
Source: jfxrt.jar.17.dr	String found in binary or memory: http://online.dns.pt/dns/start_dns
Source: jvm.dll.17.dr	String found in binary or memory: http://openjdk.java.net/jeps/220).
Source: deploy.jar.17.dr	String found in binary or memory: http://oracle.com
Source: deploy.jar.17.dr	String found in binary or memory: http://oracle.com/bar/index.html
Source: deploy.jar.17.dr	String found in binary or memory: http://oracle.com/xyz/bar/index.html
Source: THIRDPARTYLICENSEREADME-JAVAFX.txt.17.dr	String found in binary or memory: http://oss.oracle.com/projects/gstreamer-mods/
Source: THIRDPARTYLICENSEREADME-JAVAFX.txt.17.dr	String found in binary or memory: http://oss.oracle.com/projects/webkit-java-mods/
Source: jfxrt.jar.17.dr	String found in binary or memory: http://pk5.pknic.net.pk/pk5/msgNamepk.PK
Source: java.exe	String found in binary or memory: http://policy.camerfirma.com
Source: java.exe, cacerts.17.dr	String found in binary or memory: http://policy.camerfirma.com0
Source: jfxrt.jar.17.dr	String found in binary or memory: http://psg.com/dns/gn/gn.txt
Source: jfxrt.jar.17.dr	String found in binary or memory: http://psg.com/dns/lr/lr.txt
Source: jfxrt.jar.17.dr	String found in binary or memory: http://psg.com/dns/ng/
Source: jfxrt.jar.17.dr	String found in binary or memory: http://registro.br/dominio/dpn.html
Source: jfxrt.jar.17.dr	String found in binary or memory: http://registro.nic.ve/nicve/registro/index.html
Source: jfxrt.jar.17.dr	String found in binary or memory: http://registry.gc.ca/en/SubdomainFAQ
Source: jfxrt.jar.17.dr	String found in binary or memory: http://registry.gy/
Source: THIRDPARTYLICENSEREADME.txt.17.dr	String found in binary or memory: http://relaxngcc.sf.net/).
Source: java.exe	String found in binary or memory: http://repository.swisssign.com/
Source: java.exe, cacerts.17.dr	String found in binary or memory: http://repository.swisssign.com/0
Source: ssv.dll.17.dr, prism_sw.dll.17.dr, ktab.exe.17.dr, glass.dll.17.dr	String found in binary or memory: http://s1.symcb.com/pca3-g5.crl0
Source: ssv.dll.17.dr, prism_sw.dll.17.dr, ktab.exe.17.dr, glass.dll.17.dr	String found in binary or memory: http://s2.symcb.com0
Source: jfxrt.jar.17.dr	String found in binary or memory: http://samoanic.ws/index.dhtml
Source: rt.jar.17.dr	String found in binary or memory: http://schemas.xmlsoap.org/wsdl/soap/http
Source: ssv.dll.17.dr, prism_sw.dll.17.dr, ktab.exe.17.dr, glass.dll.17.dr	String found in binary or memory: http://sv.symcb.com/sv.crl0f
Source: ssv.dll.17.dr, prism_sw.dll.17.dr, ktab.exe.17.dr, glass.dll.17.dr	String found in binary or memory: http://sv.symcb.com/sv.crt0
Source: ssv.dll.17.dr, prism_sw.dll.17.dr, ktab.exe.17.dr, glass.dll.17.dr	String found in binary or memory: http://sv.symcd.com0&
Source: THIRDPARTYLICENSEREADME.txt.17.dr	String found in binary or memory: http://tartarus.org/~martin/PorterStemmer
Source: jfxrt.jar.17.dr	String found in binary or memory: http://tld.by/rules_2006_en.html
Source: jfxwebkit.dll.17.dr	String found in binary or memory: http://tools.ietf.org/html/rfc3986#section-2.1.
Source: java.exe	String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl
Source: java.exe, cacerts.17.dr	String found in binary or memory: http://trustcenter-crl.certificat2.com/Keynectis/KEYNECTIS_ROOT_CA.crl0
Source: ssv.dll.17.dr, prism_sw.dll.17.dr, ktab.exe.17.dr, glass.dll.17.dr	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: ssv.dll.17.dr, prism_sw.dll.17.dr, ktab.exe.17.dr, glass.dll.17.dr	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: ssv.dll.17.dr, prism_sw.dll.17.dr, ktab.exe.17.dr, glass.dll.17.dr	String found in binary or memory: http://ts-ocsp.ws.symantec.com07
Source: THIRDPARTYLICENSEREADME.txt.17.dr	String found in binary or memory: http://upx.sourceforge.net/upx-license.html.
Source: THIRDPARTYLICENSEREADME.txt.17.dr	String found in binary or memory: http://upx.tsx.org
Source: jfxrt.jar.17.dr	String found in binary or memory: http://whois.ati.tn/
Source: jfxrt.jar.17.dr	String found in binary or memory: http://whois.nic.bi/
Source: THIRDPARTYLICENSEREADME.txt.17.dr	String found in binary or memory: http://wildsau.idv.uni-linz.ac.at/mfx/upx.html
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.aeda.ae/eng/aepolicy.php
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.afnic.fr/
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.afnic.fr/obtenir/chartes/nommage-fr/annexe-descriptifs
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.afnic.fr/obtenir/chartes/nommage-fr/annexe-sectoriels
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.afnic.re/obtenir/chartes/nommage-re/annexe-descriptifs
Source: rt.jar.17.dr	String found in binary or memory: http://www.alphaworks.ibm.com/formula/xml
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.anrt.ma/fr/admin/download/upload/file_fr782.pdf
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.antel.com.uy/
Source: rt.jar.17.dr	String found in binary or memory: http://www.apache.org
Source: THIRDPARTYLICENSEREADME.txt.17.dr	String found in binary or memory: http://www.apache.org/).
Source: THIRDPARTYLICENSEREADME.txt.17.dr	String found in binary or memory: http://www.apache.org/licenses/
Source: java.exe, THIRDPARTYLICENSEREADME.txt.17.dr	String found in binary or memory: http://www.apache.org/licenses/LICENSE-2.0
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.aucd.org.au/
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.belizenic.bz/
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.bermudanic.bm/dnr-text.txt
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.c.la/
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.cctld.nc/
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.cctld.ru/en/docs/rulesrf.php
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.cctld.ru/ru/docs/aktiv_8.php
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.centralnic.com/names/domains
Source: java.exe	String found in binary or memory: http://www.certplus.com/CRL/class2.crl
Source: java.exe, cacerts.17.dr	String found in binary or memory: http://www.certplus.com/CRL/class2.crl0
Source: java.exe	String found in binary or memory: http://www.certplus.com/CRL/class3P.crl
Source: java.exe, cacerts.17.dr	String found in binary or memory: http://www.certplus.com/CRL/class3P.crl0
Source: java.exe	String found in binary or memory: http://www.chambersign.org
Source: java.exe, cacerts.17.dr	String found in binary or memory: http://www.chambersign.org1
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.channelisles.net/applic/avextn.shtml
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.cmc.iq/english/iq/iqregister1.htm
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.co.pl
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.com.jm/register.html
Source: java.exe	String found in binary or memory: http://www.d-trust.net/crl/d-trust_root_class_3_ca_2_2009.crl
Source: java.exe, cacerts.17.dr	String found in binary or memory: http://www.d-trust.net/crl/d-trust_root_class_3_ca_2_2009.crl0
Source: java.exe	String found in binary or memory: http://www.d-trust.net/crl/d-trust_root_class_3_ca_2_ev_2009.crl
Source: java.exe, cacerts.17.dr	String found in binary or memory: http://www.d-trust.net/crl/d-trust_root_class_3_ca_2_ev_2009.crl0
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.dns.ao/REGISTR.DOC
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.dns.hr/documents/pdf/HRTLD-regulations.pdf
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.dns.jo/Registration_policy.aspx
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.dns.lu/en/
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.dns.pl/english/
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.dns.pl/english/dns-funk.html
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.dns.pl/english/dns-regiony.html
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.domain-registry.nl/ace.php/c
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.domain.hu/domain/English/sld.html
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.domain.kg/dmn_n.html
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.domaine.km/documents/charte.doc
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.domains.ph/FAQ2.asp
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.dot.kn/domainRules.html
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.dot.mp/
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.dotmasr.eg/
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.dyndns.com/services/dns/dyndns/
Source: THIRDPARTYLICENSEREADME.txt.17.dr	String found in binary or memory: http://www.ecma-international.org
Source: THIRDPARTYLICENSEREADME.txt.17.dr	String found in binary or memory: http://www.ecma-international.org/memento/codeofconduct.htm
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.eenet.ee/EENet/dom_reeglid.html#lisa_B
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.ert.gov.al/ert_alb/faq_det.html?Id=31
Source: THIRDPARTYLICENSEREADME.txt.17.dr	String found in binary or memory: http://www.freebxml.org/
Source: THIRDPARTYLICENSEREADME.txt.17.dr	String found in binary or memory: http://www.freebxml.org/).
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.gobin.info/domainname/bw.doc
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.gobin.info/domainname/formulaire-pf.pdf
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.gobin.info/domainname/ml-template.doc
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.gobin.info/domainname/mz-template.doc
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.gobin.info/domainname/sy.doc
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.gov.lt/index_en.php
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.government.pn/PnRegistry/policies.htm
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.gt/politicas.html
Source: jfxwebkit.dll.17.dr	String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd
Source: jfxwebkit.dll.17.dr	String found in binary or memory: http://www.ibm.com/data/dtd/v11/ibmxhtml1-transitional.dtd-//W3C//DTD
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.ict.gov.qa/
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.icta.ky/da_ky_reg_dom.php
Source: snmp.acl.template.17.dr	String found in binary or memory: http://www.ietf.org/rfc/rfc2373.txt)
Source: resources.jar.17.dr	String found in binary or memory: http://www.ietf.org/rfc/rfc4051.txt
Source: gstreamer-lite.dll.17.dr	String found in binary or memory: http://www.ifpi.org/isrc/
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.info.at/
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.info.na/domain/
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.information.aero/index.php?id=66
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.inregistry.in/policies/
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.isnic.is/domain/rules.php
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.isoc.sd/sudanic.isoc.sd/billing_pricing.htm
Source: deploy.jar.17.dr	String found in binary or memory: http://www.java.com
Source: deploy.jar.17.dr	String found in binary or memory: http://www.java.com/jcpsecurity
Source: deploy.jar.17.dr	String found in binary or memory: http://www.java.com/jcpsecurity.
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.kcce.kp/en_index.php
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.kenic.or.ke/index.php?option=com_content&task=view&id=117&Itemid=145
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.ki/dns/index.html
Source: THIRDPARTYLICENSEREADME.txt.17.dr	String found in binary or memory: http://www.linuxnet.com
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.monic.net.mo/
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.mos.com.np/register.html
Source: ffjcext.zip.17.dr	String found in binary or memory: http://www.mozilla.org/2004/em-rdf#
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.mozilla.org/MPL/
Source: ffjcext.zip.17.dr	String found in binary or memory: http://www.mozilla.org/keymaster/gatekeeper/there.is.only.xul
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.mptc.gov.kh/dns_registration.htm
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.mynic.net.my/
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.na-nic.com.na/
Source: deploy.jar.17.dr	String found in binary or memory: http://www.netscape.com/newsref/std/cookie_spec.html
Source: THIRDPARTYLICENSEREADME.txt.17.dr	String found in binary or memory: http://www.nexus.hu/upx
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.nic.af/help.jsp
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.nic.ag/prices.htm
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.nic.bo/
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.nic.bs/rules.html
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.nic.ci/index.php?page=charte
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.nic.cr/niccr_publico/showRegistroDominiosScreen.do
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.nic.ec/reg/paso1.asp
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.nic.gh/reg_now.php
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.nic.gi/rules.html
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.nic.gm/htmlpages%5Cgm-policy.htm
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.nic.gp/index.php?lang=en
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.nic.hn/politicas/ps02
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.nic.ht/info/charte.cfm
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.nic.io/rules.html
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.nic.ir/Internationalized_Domain_Names
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.nic.ir/Terms_and_Conditions_ir
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.nic.it/documenti/appendice-c.pdf
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.nic.it/documenti/regolamenti-e-linee-guida/regolamento-assegnazione-versione-6.0.pdf
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.nic.kz/rules/index.jsp
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.nic.lc/rules.htm
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.nic.lk/seclevpr.html
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.nic.lv/DNS/En/generic.php
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.nic.ly/regulations.php
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.nic.mc/
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.nic.mg/tarif.htm
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.nic.mx/
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.nic.net.ge/policy_en.pdf
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.nic.net.sa/
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.nic.net.sg/sub_policies_agreement/2ld.html
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.nic.net.ua/
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.nic.ni/dominios.htm
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.nic.pa/
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.nic.pr/index.asp?f=1
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.nic.priv.at/
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.nic.pro/support_faq.htm
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.nic.ps/registration/policy.html#reg
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.nic.py/faq_a.html#faq_b
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.nic.rw/cgi-bin/policy.pl
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.nic.sc/
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.nic.sh/rules.html
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.nic.sl
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.nic.st/html/policyrules/
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.nic.tg/nictg/index.php
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.nic.tj/policy.htm
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.nic.tm/rules.html
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.nic.tt/
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.nic.vi/Domain_Rules/body_domain_rules.html
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.nic.vi/newdomainform.htm
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.nic.yu/pravilnik-e.html
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.norid.no/regelverk/index.en.html
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.norid.no/regelverk/vedlegg-b.en.html
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.norid.no/regelverk/vedlegg-c.en.html
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.norid.no/regelverk/vedlegg-d.en.html
Source: resources.jar.17.dr	String found in binary or memory: http://www.nue.et-inf.uni-siegen.de/~geuer-pollmann/#xpathFilter
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://www.oracle.com/feature/use-service-mechanism
Source: java.exe	String found in binary or memory: http://www.oracle.com/feature/use-service-mechanismA
Source: THIRDPARTYLICENSEREADME.txt.17.dr	String found in binary or memory: http://www.oracle.com/goto/opensourcecode/request
Source: default.jfc.17.dr, jfr.jar.17.dr, profile.jfc.17.dr	String found in binary or memory: http://www.oracle.com/hotspot/jdk/
Source: default.jfc.17.dr, jfr.jar.17.dr, profile.jfc.17.dr	String found in binary or memory: http://www.oracle.com/hotspot/jfr-info/
Source: jvm.dll.17.dr, default.jfc.17.dr, jfr.jar.17.dr, profile.jfc.17.dr	String found in binary or memory: http://www.oracle.com/hotspot/jvm/
Source: default.jfc.17.dr, profile.jfc.17.dr	String found in binary or memory: http://www.oracle.com/hotspot/jvm/enable-errors
Source: default.jfc.17.dr, profile.jfc.17.dr	String found in binary or memory: http://www.oracle.com/hotspot/jvm/enable-exceptions
Source: default.jfc.17.dr, profile.jfc.17.dr	String found in binary or memory: http://www.oracle.com/hotspot/jvm/file-io-threshold
Source: jvm.dll.17.dr	String found in binary or memory: http://www.oracle.com/hotspot/jvm/java/monitor/address
Source: default.jfc.17.dr, profile.jfc.17.dr	String found in binary or memory: http://www.oracle.com/hotspot/jvm/socket-io-threshold
Source: jvm.dll.17.dr	String found in binary or memory: http://www.oracle.com/hotspot/jvm/vm/code_sweeper/id
Source: jvm.dll.17.dr	String found in binary or memory: http://www.oracle.com/hotspot/jvm/vm/compiler/id
Source: jvm.dll.17.dr	String found in binary or memory: http://www.oracle.com/hotspot/jvm/vm/gc/id
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.oracle.com/javafx/pulse/id
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.oracle.com/technetwork/java/javafx/index.html
Source: ssv.dll.17.dr	String found in binary or memory: http://www.oracle.com/technetwork/java/javase/downloads/index.html
Source: Welcome.html.17.dr	String found in binary or memory: http://www.oracle.com/technetwork/java/javase/overview/
Source: jvm.dll.17.dr	String found in binary or memory: http://www.oracle.com/technetwork/java/javaseproducts/
Source: jvm.dll.17.dr	String found in binary or memory: http://www.oracle.com/technetwork/java/javaseproducts/C:
Source: rt.jar.17.dr	String found in binary or memory: http://www.oracle.com/xml/is-standalone
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/
Source: java.exe	String found in binary or memory: http://www.oracle.com/xml/jaxp/properties//
Source: java.exe	String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/Y
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/elementAttributeLimit
Source: rt.jar.17.dr	String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/enableExtensionFunctions
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/entityExpansionLimit
Source: java.exe	String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/entityExpansionLimitce
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/entityReplacementLimit
Source: java.exe	String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/entityReplacementLimit9
Source: java.exe	String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/entityReplacementLimits
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/getEntityCountInfo
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxElementDepth
Source: java.exe	String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxElementDepth3
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxGeneralEntitySizeLimit
Source: java.exe	String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxGeneralEntitySizeLimit7
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxOccurLimit
Source: java.exe	String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxOccurLimitE
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxParameterEntitySizeLimit
Source: java.exe	String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxParameterEntitySizeLimit9
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/maxXMLNameLimit
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/totalEntitySizeLimit
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/xmlSecurityPropertyManager
Source: java.exe	String found in binary or memory: http://www.oracle.com/xml/jaxp/properties/xmlSecurityPropertyManagerh
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.pnina.ps
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.qatar.net.qa/services/virtual.htm
Source: java.exe	String found in binary or memory: http://www.quovadis.bm
Source: java.exe, cacerts.17.dr	String found in binary or memory: http://www.quovadis.bm0
Source: java.exe	String found in binary or memory: http://www.quovadisglobal.com/cps
Source: java.exe, cacerts.17.dr	String found in binary or memory: http://www.quovadisglobal.com/cps0
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.reg.uz/registerr.html
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.registrar.mw/
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.registry.co.ug/
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.rotld.ro/
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.sbnic.net.sb/
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.sispa.org.sz/
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.soregistry.com/
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.svnet.org.sv/svpolicy.html
Source: ssv.dll.17.dr, prism_sw.dll.17.dr, ktab.exe.17.dr, glass.dll.17.dr	String found in binary or memory: http://www.symauth.com/cps0(
Source: ssv.dll.17.dr, prism_sw.dll.17.dr, ktab.exe.17.dr, glass.dll.17.dr	String found in binary or memory: http://www.symauth.com/rpa00
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.telnic.org/
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.thnic.co.th
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.twnic.net/english/dn/dn_07a.htm
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.tznic.or.tz/index.php/domains.html
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.una.an/an_domreg/default.asp
Source: THIRDPARTYLICENSEREADME.txt.17.dr	String found in binary or memory: http://www.unicode.org/Public/
Source: THIRDPARTYLICENSEREADME.txt.17.dr	String found in binary or memory: http://www.unicode.org/Public/.
Source: THIRDPARTYLICENSEREADME.txt.17.dr	String found in binary or memory: http://www.unicode.org/cldr/data/.
Source: THIRDPARTYLICENSEREADME-JAVAFX.txt.17.dr	String found in binary or memory: http://www.unicode.org/copyright.html
Source: THIRDPARTYLICENSEREADME-JAVAFX.txt.17.dr, THIRDPARTYLICENSEREADME.txt.17.dr	String found in binary or memory: http://www.unicode.org/copyright.html.
Source: THIRDPARTYLICENSEREADME.txt.17.dr	String found in binary or memory: http://www.unicode.org/reports/
Source: java.exe	String found in binary or memory: http://www.usertrust.com
Source: java.exe, cacerts.17.dr	String found in binary or memory: http://www.usertrust.com1
Source: java.exe, cacerts.17.dr	String found in binary or memory: http://www.usertrust.com1604
Source: THIRDPARTYLICENSEREADME.txt.17.dr	String found in binary or memory: http://www.xfree86.org/)
Source: resources.jar.17.dr	String found in binary or memory: http://www.xmlsecurity.org/NS/#configuration
Source: resources.jar.17.dr	String found in binary or memory: http://www.xmlsecurity.org/experimental#
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.y.net.ye/services/domain_name.htm
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.za.net/
Source: jfxrt.jar.17.dr	String found in binary or memory: http://www.zadna.org.za/slds.html
Source: rt.jar.17.dr	String found in binary or memory: http://xml.apache.org/xalan
Source: rt.jar.17.dr, resources.jar.17.dr	String found in binary or memory: http://xml.apache.org/xalan-j
Source: rt.jar.17.dr	String found in binary or memory: http://xml.apache.org/xalan-j/faq.html
Source: rt.jar.17.dr	String found in binary or memory: http://xml.apache.org/xalan/features/incremental
Source: rt.jar.17.dr	String found in binary or memory: http://xml.apache.org/xalan/features/optimize
Source: rt.jar.17.dr	String found in binary or memory: http://xml.apache.org/xalan/java
Source: rt.jar.17.dr	String found in binary or memory: http://xml.apache.org/xalan/redirect
Source: rt.jar.17.dr	String found in binary or memory: http://xml.apache.org/xalan/xsltc
Source: rt.jar.17.dr	String found in binary or memory: http://xml.apache.org/xalan/xsltc/java
Source: rt.jar.17.dr	String found in binary or memory: http://xml.apache.org/xalan:nodeset
Source: rt.jar.17.dr	String found in binary or memory: http://xml.apache.org/xslt
Source: rt.jar.17.dr	String found in binary or memory: http://xml.apache.org/xslt/java
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://xml.org/sax/features/
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://xml.org/sax/features/allow-dtd-events-after-endDTD
Source: java.exe	String found in binary or memory: http://xml.org/sax/features/allow-dtd-events-after-endDTD=
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://xml.org/sax/features/external-general-entities
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://xml.org/sax/features/external-parameter-entities
Source: rt.jar.17.dr	String found in binary or memory: http://xml.org/sax/features/namespace-prefixes
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://xml.org/sax/features/namespaces
Source: java.exe	String found in binary or memory: http://xml.org/sax/features/namespaces&
Source: rt.jar.17.dr	String found in binary or memory: http://xml.org/sax/features/string-interning
Source: rt.jar.17.dr	String found in binary or memory: http://xml.org/sax/features/string-interningfeature
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://xml.org/sax/features/use-entity-resolver2
Source: java.exe, rt.jar.17.dr, deploy.jar.17.dr	String found in binary or memory: http://xml.org/sax/features/validation
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://xml.org/sax/properties/
Source: java.exe	String found in binary or memory: http://xml.org/sax/properties/%
Source: rt.jar.17.dr	String found in binary or memory: http://xml.org/sax/properties/declaration-handler
Source: rt.jar.17.dr	String found in binary or memory: http://xml.org/sax/properties/dom-node
Source: rt.jar.17.dr	String found in binary or memory: http://xml.org/sax/properties/lexical-handler
Source: java.exe, rt.jar.17.dr	String found in binary or memory: http://xml.org/sax/properties/xml-string
Source: rt.jar.17.dr	String found in binary or memory: http://xmlns.oracle.com/webservices/jaxws-databinding
Source: deploy.jar.17.dr	String found in binary or memory: http://xyz.sun.com/
Source: deploy.jar.17.dr	String found in binary or memory: http://xyz.sun.com/ammo/index.html
Source: jfxrt.jar.17.dr, deploy.jar.17.dr, javaws.jar.17.dr	String found in binary or memory: https://
Source: ssv.dll.17.dr, prism_sw.dll.17.dr, ktab.exe.17.dr, glass.dll.17.dr	String found in binary or memory: https://d.symcb.com/cps0%
Source: ssv.dll.17.dr, prism_sw.dll.17.dr, ktab.exe.17.dr, glass.dll.17.dr	String found in binary or memory: https://d.symcb.com/rpa0
Source: jfxrt.jar.17.dr	String found in binary or memory: https://grweb.ics.forth.gr/english/1617-B-2005.html
Source: deployJava1.dll.17.dr	String found in binary or memory: https://javadl-esd-secure.oracle.com/update/baseline.version%sSoftware
Source: npdeployJava1.dll.17.dr	String found in binary or memory: https://javadl-esd-secure.oracle.com/update/baseline.version%sURLOverridedocumentSoftware
Source: deploy.jar.17.dr	String found in binary or memory: https://javadl-esd-secure.oracle.com/update/securitypack.jar
Source: deployJava1.dll.17.dr	String found in binary or memory: https://javadl.oracle.com/webapps/download/AutoDL%s?BundleId=%s%s
Source: deployJava1.dll.17.dr	String found in binary or memory: https://javadl.oracle.com/webapps/download/AutoDL%s?BundleId=%surl%s%stmp1.8%s.0%s
Source: java.exe	String found in binary or memory: https://jrat.io
Source: java.exe	String found in binary or memory: https://ocsp.quovadisoffshore.com
Source: java.exe, cacerts.17.dr	String found in binary or memory: https://ocsp.quovadisoffshore.com0
Source: deploy.jar.17.dr	String found in binary or memory: https://oracle.com
Source: deploy.jar.17.dr	String found in binary or memory: https://oracle.com/foo/xyz/index.html
Source: deploy.jar.17.dr	String found in binary or memory: https://oracle.com/foobar/xyz/index.html
Source: deploy.jar.17.dr	String found in binary or memory: https://oracle.com/xyz/foo/index.html
Source: jfxrt.jar.17.dr	String found in binary or memory: https://postlister.uninett.no/sympa/info/norid-diskusjon
Source: jfxrt.jar.17.dr	String found in binary or memory: https://register.pandi.or.id/
Source: deploy.dll.17.dr	String found in binary or memory: https://sjremetrics.java.comhttps://prop21visitoridreportsuiteidsuninstallstat
Source: java.exe	String found in binary or memory: https://vvrhhhnaijyj6s2m.onion.top/storage/cryptOutput/0.85281100
Source: jfxrt.jar.17.dr	String found in binary or memory: https://www.dot.vn/vnnic/vnnic/domainregistration.jsp
Source: deploy.jar.17.dr	String found in binary or memory: https://www.example.com/app.html
Source: deploy.jar.17.dr	String found in binary or memory: https://www.example.com/dir/
Source: jfxrt.jar.17.dr	String found in binary or memory: https://www.hkdnr.hk
Source: jfxrt.jar.17.dr	String found in binary or memory: https://www.nic.cd/domain/insertDomain_2.jsp?act=1
Source: jfxrt.jar.17.dr	String found in binary or memory: https://www.nic.es/site_ingles/ingles/dominios/index.html
Source: jfxrt.jar.17.dr	String found in binary or memory: https://www.nic.im/pdfs/imfaqs.pdf
Source: jfxrt.jar.17.dr	String found in binary or memory: https://www.nic.org.mt/dotmt/
Source: jfxrt.jar.17.dr	String found in binary or memory: https://www.nic.pe/InformeFinalComision.pdf
Source: jfxrt.jar.17.dr	String found in binary or memory: https://www.register.bg/user/static/rules/en/index.html
Source: jfxrt.jar.17.dr	String found in binary or memory: https://www2.hkirc.hk/register/rules.jsp

Remote Access Functionality:

ADWIND Rat detected

Show sources

Source: C:\Program Files\Java\jre1.8.0_144\bin\java.exe	Dropped file: Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2")Set colItems = oWMI.ExecQuery("Select * from AntiVirusProduct")For Each objItem in colItems With objItem WScript.Echo "{""AV"":""" & .displayName & """}" End WithNext	Jump to dropped file
Source: C:\Program Files\Java\jre1.8.0_144\bin\java.exe	Dropped file: Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2")Set colItems = oWMI.ExecQuery("Select * from FirewallProduct")For Each objItem in colItems With objItem WScript.Echo "{""FIREWALL"":""" & .displayName & """}" End WithNext	Jump to dropped file
Source: C:\Program Files\Java\jre1.8.0_144\bin\java.exe	Dropped file: Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2")Set colItems = oWMI.ExecQuery("Select * from AntiVirusProduct")For Each objItem in colItems With objItem WScript.Echo "{""AV"":""" & .displayName & """}" End WithNext	Jump to dropped file
Source: C:\Program Files\Java\jre1.8.0_144\bin\java.exe	Dropped file: Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2")Set colItems = oWMI.ExecQuery("Select * from FirewallProduct")For Each objItem in colItems With objItem WScript.Echo "{""FIREWALL"":""" & .displayName & """}" End WithNext	Jump to dropped file

Detected QRat through its decrypted resources patterns

Show sources

Source: Java tracing	QRat decryption behavior: \x00\x1d/com/sylvans/winged/FoodSword602t\x00\x19criminal/26/BPf/VHe/i.TXPuq\x00~\x00\x04\x00\x00\x00\x02t\x00\x1f/com/parody/isodose/LagnaDuriont\x00\x10do2gb1eb149f6497t\x00\x19criminal/27/BPf/VHe/i.TXPuq\x00~\x00\x04\x00\x00\x00\x02t\x00\x1f/com/parody/bergamot/FraenaAxelt\x00\x1147\xc0\x808717n526225j1t\x00\x19criminal/28/BPf/VHe/i.TXPuq\x00~\x00\x04\x00\x00\x00\x02t\x00\x14/com/sylvans/PierMkst\x00\x10i10c4g9001q22rh0t\x00\x16criminal/0/CA/tP/Cdf.kuq\x00~\x00\x04\x00\x00\x00\x02t\x00\x1b/com/sylvans/wilsome/AuxRhat\x00\x10c3f122c8h0200482t\x00\x19criminal/0/PJp/EJ/bQp.KeXuq\x00~\x00\x04\x
Source: Java tracing	QRat decryption behavior: \x00\x1b/com/parody/isodose/HwyDibsskyanintheskyqa.classuq\x00~\x00\x04\x00\x00\x00\x02t\x00\x1f/com/sylvans/winged/BayedDirhemt\x00\x10920p3n13l4012b78t\x00\x8ecriminal/0/w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskysa.classuq\x00~\x00\x04\x00\x00\x00\x02t\x00\x1c/com/parody/bergamot/AgyHackt\x00\x11e519g61c5\xc0\x805b13ddt\x00\x8ecriminal/0/w/manintheskymanintheskymanintheskymanintheskymanintheskymanintheskymmanintheskymanintheskymanintheskymanintheskyanintheskyfa.classuq\x00~\x00\x04\x00\x00\x00\x02t\x00\x1f/com/p
Source: Java tracing	QRat decryption behavior: \x00\x1d/com/parody/bergamot/CorylPktional/iiiiiiiiii.classuq\x00~\x00\x04\x00\x00\x00\x02t\x00\x19/com/sylvans/MaskoiDermadt\x00\x10g31j1b3c422m5bejt\x00(criminal/22/operational/iiiiiiiiii.classuq\x00~\x00\x04\x00\x00\x00\x02t\x00\x1c/com/sylvans/winged/CrcTrialt\x00\x11e5e3q3\xc0\x802k601cij3t\x00(criminal/23/operational/iiiiiiiiii.classuq\x00~\x00\x04\x00\x00\x00\x02t\x00\x1c/com/sylvans/wilsome/LiinInct\x00\x1012a2174b3ac9656bt\x00(criminal/24/operational/iiiiiiiiii.classuq\x00~\x00\x04\x00\x00\x00\x02t\x00\x1d/com/parody/bergamot/DelhiMaxt\x00\x10ca090a3f2jeh15hpt\x00(criminal/25/operatio

Collects Antivirus and Firewall information (ADWIND Rat suspicion)

Show sources

Source: Java tracing	Executes: java.io.Writer.write(java.lang.String) on Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2")Set colItems = oWMI.ExecQuery("Select * from AntiVirusProduct")For Each objItem in colItems With objItem WScript.Echo "{""AV"":""" & .displayName & """}" End WithNext
Source: Java tracing	Executes: java.io.Writer.write(java.lang.String) on Set oWMI = GetObject("winmgmts:{impersonationLevel=impersonate}!\\.\root\SecurityCenter2")Set colItems = oWMI.ExecQuery("Select * from FirewallProduct")For Each objItem in colItems With objItem WScript.Echo "{""FIREWALL"":""" & .displayName & """}" End WithNext

Found Adwind RAT configuration as decrypted string

Show sources

Source: Java tracing

AdWind RAT configuration: {"NETWORK":[{"PORT":2112,"DNS":"95.141.43.202"}],"INSTALL":true,"MODULE_PATH":"Oj/doi/Sv.fJn","PLUGIN_FOLDER":"pZEcencXKYF","JRE_FOLDER":"oqGupG","JAR_FOLDER":"JWPPBIkYxgO","JAR_EXTENSION":"PNrLjx","ENCRYPT_KEY":"IijVIHJNTpxDusPYLvdcLtMBG","DELAY_INSTALL":2,"NICKNAME":"VAL","VMWARE":false,"PLUGIN_EXTENSION":"eKfXl","WEBSITE_PROJECT":"https://jrat.io","JAR_NAME":"TDDKCVVBkyX","JAR_REGISTRY":"mUbvFtJqcGv","DELAY_CONNECT":2,"VBOX":false}

Persistence and Installation Behavior:

Drops files with a non-matching file extension (content does not match file extension)

Show sources

Source: C:\Windows\System32\xcopy.exe

File created: C:\Users\user\AppData\Roaming\Oracle\bin\javacpl.cpl

Jump to dropped file

Drops PE files

Show sources

Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\jjs.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\keytool.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\orbd.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\sunmscapi.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\klist.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\ssv.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\wsdetect.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\prism_d3d.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\jdwp.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\jsdt.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\j2pkcs11.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\msvcr120.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\eula.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\tnameserv.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\client\jvm.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\unpack200.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\kcms.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\WindowsAccessBridge.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\net.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\hprof.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\policytool.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\servertool.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\lcms.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\jfxwebkit.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\pack200.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\mlib_image.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\javacpl.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\zip.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\j2pcsc.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\npt.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\dt_shmem.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\javacpl.cpl	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\jsoundds.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\decora_sse.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\deploy.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\ssvagent.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\javaws.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\fontmanager.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\prism_common.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\plugin2\npjp2.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\dtplugin\npdeployJava1.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\rmid.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\JAWTAccessBridge.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\jp2ssv.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\jp2native.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\java-rmi.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\nio.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\msvcr100.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\jp2iexp.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\rmiregistry.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\jp2launcher.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\resource.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\jfxmedia.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\jli.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\management.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\java.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\dt_socket.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\java_crw_demo.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\prism_sw.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\ktab.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\javafx_iio.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\JavaAccessBridge.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\glib-lite.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\bci.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\kinit.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\jaas_nt.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\splashscreen.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\w2k_lsa_auth.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\javafx_font_t2k.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\jabswitch.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\sunec.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\verify.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\msvcp120.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\fxplugins.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\java.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\awt.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\jawt.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\glass.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\jpeg.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\t2k.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\plugin2\msvcr100.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\instrument.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\dtplugin\deployJava1.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\jfr.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\jsound.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\gstreamer-lite.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\dcpr.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\unpack.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\bin\javafx_font.dll	Jump to dropped file

Creates license or readme file

Show sources

Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\README.txt	Jump to behavior
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME-JAVAFX.txt	Jump to behavior
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME-JAVAFX.txt	Jump to behavior
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME.txt	Jump to behavior
Source: C:\Windows\System32\xcopy.exe	File created: C:\Users\user\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME.txt	Jump to behavior

Data Obfuscation:

Java code performs script evaluation on high entropy strings

Show sources

Source: Java tracing

Executes: javax.script.AbstractScriptEngine.eval(java.lang.String) on com.sylvans.AloPee.toozleAus=com.parody.bergamot.Alarmclock.getWhiffPrius().getDeclaredMethod("defineClass", com.parody.

Launches a Java Jar file from a suspicious file location

Show sources

Source: Java tracing

Executes: java.lang.ProcessBuilder(java.lang.String[]) on c:\program files\java\jre1.8.0_144\bin\java.exe -jar c:\users\herbbl~1\appdata\local\temp\_0.371006104568627153520436261509485928.class

System Summary:

Dropped file seen in connection with other malware

Show sources

Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Roaming\Oracle\bin\JAWTAccessBridge.dll EA9D437D0828D399B7FA57BD25F18FC42A0423E35DB0314DB3DC2DF497C9F219
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Roaming\Oracle\bin\JavaAccessBridge.dll 395325970EF0FA1AADCD0BF072A90D28990FB31DD29D70FF8FDA31A7974DE1FB
Source: Joe Sandbox View	Dropped File: C:\Users\user\AppData\Roaming\Oracle\bin\WindowsAccessBridge.dll B2C96DF9961DCCE06BB40185ADE8DA3CC5FBD839DCE92EB0B38CD0D21ABE2D9B

Creates files inside the system directory

Show sources

Source: C:\Program Files\Java\jre1.8.0_144\bin\java.exe

File created: C:\Windows\System32\test.txt

Jump to behavior

Reads the hosts file

Show sources

Source: C:\Program Files\Java\jre1.8.0_144\bin\java.exe

File read: C:\Windows\System32\drivers\etc\hosts

Jump to behavior

Classification label

Show sources

Source: classification engine

Classification label: mal96.expl.troj.winJAR@27/212@5/2

Creates files inside the user directory

Show sources

Source: C:\Program Files\Java\jre1.8.0_144\bin\java.exe

File created: C:\Users\user\fUTkALeaTxM

Jump to behavior

Creates temporary files

Show sources

Source: C:\Program Files\Java\jre1.8.0_144\bin\java.exe

File created: C:\Users\HERBBL~1\AppData\Local\Temp\hsperfdata_user\3376

Jump to behavior

Executable is probably coded in java

Show sources

Source: C:\Windows\System32\cmd.exe

Section loaded: C:\Program Files\Java\jre1.8.0_144\bin\java.dll

Jump to behavior

Executes visual basic scripts

Show sources

Source: unknown

Process created: C:\Windows\System32\cmd.exe cmd.exe /C cscript.exe C:\Users\HERBBL~1\AppData\Local\Temp\Retrive7023066548171428146.vbs

Reads software policies

Show sources

Source: C:\Windows\System32\cmd.exe

Key opened: HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

SQL strings found in memory and binary data

Show sources

Source: jfxwebkit.dll.17.dr	Binary or memory string: SELECT quota FROM Origins where origin=?;
Source: jfxwebkit.dll.17.dr	Binary or memory string: SELECT origin FROM Origins where origin=?;
Source: jfxwebkit.dll.17.dr	Binary or memory string: SELECT COUNT(quota), quota FROM Origins WHERE origin=?SELECT SUM(Caches.size) FROM CacheGroups INNER JOIN Origins ON CacheGroups.origin = Origins.origin INNER JOIN Caches ON CacheGroups.id = Caches.cacheGroup WHERE Origins.origin=?PRAGMA user_versionPRAGMA user_version=%dApplicationCache.dbCREATE TABLE IF NOT EXISTS CacheGroups (id INTEGER PRIMARY KEY AUTOINCREMENT, manifestHostHash INTEGER NOT NULL ON CONFLICT FAIL, manifestURL TEXT UNIQUE ON CONFLICT FAIL, newestCache INTEGER, origin TEXT)CREATE TABLE IF NOT EXISTS Caches (id INTEGER PRIMARY KEY AUTOINCREMENT, cacheGroup INTEGER, size INTEGER)CREATE TABLE IF NOT EXISTS CacheWhitelistURLs (url TEXT NOT NULL ON CONFLICT FAIL, cache INTEGER NOT NULL ON CONFLICT FAIL)CREATE TABLE IF NOT EXISTS CacheAllowsAllNetworkRequests (wildcard INTEGER NOT NULL ON CONFLICT FAIL, cache INTEGER NOT NULL ON CONFLICT FAIL)CREATE TABLE IF NOT EXISTS FallbackURLs (namespace TEXT NOT NULL ON CONFLICT FAIL, fallbackURL TEXT NOT NULL ON CONFLICT FAIL, cache INTEGER NOT NULL ON CONF
Source: jfxwebkit.dll.17.dr	Binary or memory string: SELECT path FROM Databases WHERE origin=? AND name=?;
Source: jfxwebkit.dll.17.dr	Binary or memory string: CREATE TABLE Origins (origin TEXT UNIQUE ON CONFLICT REPLACE, quota INTEGER NOT NULL ON CONFLICT FAIL);
Source: jfxwebkit.dll.17.dr	Binary or memory string: INSERT INTO Databases (origin, name, path) VALUES (?, ?, ?);
Source: jfxwebkit.dll.17.dr	Binary or memory string: CREATE TABLE Databases (guid INTEGER PRIMARY KEY AUTOINCREMENT, origin TEXT, name TEXT, displayName TEXT, estimatedSize INTEGER, path TEXT);
Source: jfxwebkit.dll.17.dr	Binary or memory string: SELECT guid FROM Databases WHERE origin=? AND name=?;
Source: jfxwebkit.dll.17.dr	Binary or memory string: SELECT name FROM sqlite_master WHERE type='table';
Source: jfxwebkit.dll.17.dr	Binary or memory string: SELECT name FROM Databases where origin=?;
Source: jfxwebkit.dll.17.dr	Binary or memory string: CREATE TABLE Origins (origin TEXT UNIQUE ON CONFLICT REPLACE, path TEXT);

Sample is known by Antivirus (Virustotal or Metascan)

Show sources

Source: NEW ORDER .LIST 105.jar

Virustotal: hash found

Spawns processes

Show sources

Source: unknown	Process created: C:\Windows\System32\cmd.exe C:\Windows\system32\cmd.exe /c ''C:\Program Files\Java\jre1.8.0_144\bin\java.exe' -javaagent:'C:\Users\HERBBL~1\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\NEW ORDER .LIST 105.jar'' >> C:\cmdlinestart.log 2>&1
Source: unknown	Process created: C:\Program Files\Java\jre1.8.0_144\bin\java.exe 'C:\Program Files\Java\jre1.8.0_144\bin\java.exe' -javaagent:'C:\Users\HERBBL~1\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\NEW ORDER .LIST 105.jar'
Source: unknown	Process created: C:\Program Files\Java\jre1.8.0_144\bin\java.exe 'C:\Program Files\Java\jre1.8.0_144\bin\java.exe' -jar C:\Users\HERBBL~1\AppData\Local\Temp\_0.371006104568627153520436261509485928.class
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd.exe /C cscript.exe C:\Users\HERBBL~1\AppData\Local\Temp\Retrive7023066548171428146.vbs
Source: unknown	Process created: C:\Windows\System32\cscript.exe cscript.exe C:\Users\HERBBL~1\AppData\Local\Temp\Retrive7023066548171428146.vbs
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd.exe /C cscript.exe C:\Users\HERBBL~1\AppData\Local\Temp\Retrive6788100484249657707.vbs
Source: unknown	Process created: C:\Windows\System32\cscript.exe cscript.exe C:\Users\HERBBL~1\AppData\Local\Temp\Retrive6788100484249657707.vbs
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd.exe /C cscript.exe C:\Users\HERBBL~1\AppData\Local\Temp\Retrive1116934492945913819.vbs
Source: unknown	Process created: C:\Windows\System32\cscript.exe cscript.exe C:\Users\HERBBL~1\AppData\Local\Temp\Retrive1116934492945913819.vbs
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd.exe /C cscript.exe C:\Users\HERBBL~1\AppData\Local\Temp\Retrive1876200895814508168.vbs
Source: unknown	Process created: C:\Windows\System32\cscript.exe cscript.exe C:\Users\HERBBL~1\AppData\Local\Temp\Retrive1876200895814508168.vbs
Source: unknown	Process created: C:\Windows\System32\xcopy.exe xcopy 'C:\Program Files\Java\jre1.8.0_144' 'C:\Users\user\AppData\Roaming\Oracle\' /e
Source: unknown	Process created: C:\Windows\System32\xcopy.exe xcopy 'C:\Program Files\Java\jre1.8.0_144' 'C:\Users\user\AppData\Roaming\Oracle\' /e
Source: unknown	Process created: C:\Windows\System32\cmd.exe cmd.exe
Source: C:\Windows\System32\cmd.exe	Process created: C:\Program Files\Java\jre1.8.0_144\bin\java.exe 'C:\Program Files\Java\jre1.8.0_144\bin\java.exe' -javaagent:'C:\Users\HERBBL~1\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\NEW ORDER .LIST 105.jar'	Jump to behavior
Source: C:\Program Files\Java\jre1.8.0_144\bin\java.exe	Process created: C:\Program Files\Java\jre1.8.0_144\bin\java.exe 'C:\Program Files\Java\jre1.8.0_144\bin\java.exe' -jar C:\Users\HERBBL~1\AppData\Local\Temp\_0.371006104568627153520436261509485928.class	Jump to behavior
Source: C:\Program Files\Java\jre1.8.0_144\bin\java.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C cscript.exe C:\Users\HERBBL~1\AppData\Local\Temp\Retrive6788100484249657707.vbs	Jump to behavior
Source: C:\Program Files\Java\jre1.8.0_144\bin\java.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C cscript.exe C:\Users\HERBBL~1\AppData\Local\Temp\Retrive1876200895814508168.vbs	Jump to behavior
Source: C:\Program Files\Java\jre1.8.0_144\bin\java.exe	Process created: C:\Windows\System32\xcopy.exe xcopy 'C:\Program Files\Java\jre1.8.0_144' 'C:\Users\user\AppData\Roaming\Oracle\' /e	Jump to behavior
Source: C:\Program Files\Java\jre1.8.0_144\bin\java.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C cscript.exe C:\Users\HERBBL~1\AppData\Local\Temp\Retrive7023066548171428146.vbs	Jump to behavior
Source: C:\Program Files\Java\jre1.8.0_144\bin\java.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe /C cscript.exe C:\Users\HERBBL~1\AppData\Local\Temp\Retrive1116934492945913819.vbs	Jump to behavior
Source: C:\Program Files\Java\jre1.8.0_144\bin\java.exe	Process created: C:\Windows\System32\xcopy.exe xcopy 'C:\Program Files\Java\jre1.8.0_144' 'C:\Users\user\AppData\Roaming\Oracle\' /e	Jump to behavior
Source: C:\Program Files\Java\jre1.8.0_144\bin\java.exe	Process created: C:\Windows\System32\cmd.exe cmd.exe	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cscript.exe cscript.exe C:\Users\HERBBL~1\AppData\Local\Temp\Retrive7023066548171428146.vbs	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cscript.exe cscript.exe C:\Users\HERBBL~1\AppData\Local\Temp\Retrive6788100484249657707.vbs	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cscript.exe cscript.exe C:\Users\HERBBL~1\AppData\Local\Temp\Retrive1116934492945913819.vbs	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process created: C:\Windows\System32\cscript.exe cscript.exe C:\Users\HERBBL~1\AppData\Local\Temp\Retrive1876200895814508168.vbs	Jump to behavior

Uses an in-process (OLE) Automation server

Show sources

Source: C:\Windows\System32\cscript.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32

Jump to behavior

Uses new MSVCR Dlls

Show sources

Source: C:\Program Files\Java\jre1.8.0_144\bin\java.exe

File opened: C:\Program Files\Java\jre1.8.0_144\bin\msvcr100.dll

Jump to behavior

Binary contains paths to debug symbols

Show sources

Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\libinstrument\instrument.pdb source: instrument.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\libawt\awt.pdb source: awt.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\libnpt\npt.pdbY" source: npt.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\libj2pcsc\j2pcsc.pdb source: j2pcsc.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\deploy\tmp\npjp2\obj\npjp2.pdb4 source: npjp2.dll.17.dr
Source:	Binary string: C:\Users\Windows10\Desktop\CryptUtil_DLL_Visual Studio 10\Release\CryptUtil.pdbP8PP@Y source: java.exe
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\libnet\net.pdb source: net.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\libmanagement\management.pdby: source: management.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\libnio\nio.pdbic source: nio.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\servertool_objs\servertool.pdb source: servertool.exe.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\rmiregistry_objs\rmiregistry.pdb source: rmiregistry.exe.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\java-rmi_objs\java-rmi.pdb source: java-rmi.exe.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\deploy\tmp\javacplexec\obj\javacpl.pdb0 source: javacpl.exe.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\deploy\tmp\jp2iexp\obj\jp2iexp.pdb< source: jp2iexp.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\libfontmanager\fontmanager.pdb@ source: fontmanager.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\java_objs\java.pdb source: java.exe.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\deploy\tmp\ssvagent\obj\ssvagent.pdb source: ssvagent.exe.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\libj2pkcs11\j2pkcs11.pdb source: j2pkcs11.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\libresource\resource.pdb source: resource.dll.17.dr
Source:	Binary string: C:\Users\Windows10\Desktop\RetriveTitle\x64\Release\TitleWindow.pdb source: java.exe
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\ktab_objs\ktab.pdb source: ktab.exe.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\libsplashscreen\splashscreen.pdb source: splashscreen.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\deploy\tmp\javacpl\obj\javacpl.pdb source: javacpl.cpl.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\libjava\java.pdb source: java.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\deploy\tmp\deployJava1\obj\deployJava1.pdb source: deployJava1.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\deploy\tmp\deployJava1\obj\deployJava1.pdbL source: deployJava1.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\libnet\net.pdby source: net.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\libkcms\kcms.pdb source: kcms.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\deploy\tmp\jp2launcher\obj\jp2launcher.pdbp*A source: jp2launcher.exe.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\libt2k\t2k.pdb source: t2k.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\libkrb5\w2k_lsa_auth.pdb9' source: w2k_lsa_auth.dll.17.dr
Source:	Binary string: C:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\hotspot\windows_i486_compiler1\product\jvm.pdb source: jvm.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\deploy\tmp\jp2iexp\obj\jp2iexp.pdb source: jp2iexp.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\libmanagement\management.pdb source: management.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\libjfr\jfr.pdb source: jfr.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\deploy\tmp\jp2launcher\obj\jp2launcher.pdb source: jp2launcher.exe.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\deploy\tmp\jp2native\obj\jp2native.pdb source: jp2native.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\orbd_objs\orbd.pdb source: orbd.exe.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\libhprof_jvmti\hprof.pdb source: hprof.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\jabswitch\jabswitch.pdb source: jabswitch.exe.17.dr
Source:	Binary string: msvcr100.i386.pdb source: msvcr100.dll0.17.dr, msvcr100.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\libbci\bci.pdb source: bci.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\klist_objs\klist.pdb source: klist.exe.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\libdt_shmem\dt_shmem.pdb source: dt_shmem.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\libjaas\jaas_nt.pdb source: jaas_nt.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\libjdwp\jdwp.pdb source: jdwp.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\kinit_objs\kinit.pdb source: kinit.exe.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\libawt\awt.pdb8^ source: awt.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\libjsound\jsound.pdb source: jsound.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\unpackexe\unpack200.pdb source: unpack200.exe.17.dr
Source:	Binary string: C:\Users\Win10\Desktop\RetriveTitle_vb2010\Release\TitleWindow.pdb source: java.exe
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\libjawtaccessbridge\JAWTAccessBridge.pdb source: JAWTAccessBridge.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\deploy\tmp\eula\obj\eula.pdb source: eula.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\libjawt\jawt.pdb source: jawt.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\libjli\jli.pdb source: jli.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\keytool_objs\keytool.pdb source: keytool.exe.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\liblcms\lcms.pdb source: lcms.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\libnio\nio.pdb source: nio.dll.17.dr
Source:	Binary string: C:\Users\Windows10\Desktop\CryptUtil_DLL_Visual Studio 10\Release\CryptUtil.pdb source: java.exe
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\libdcpr\dcpr.pdb source: dcpr.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\libmlib_image\mlib_image.pdb9 source: mlib_image.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\libjfr\jfr.pdby* source: jfr.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\libnpt\npt.pdb source: npt.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\libsunmscapi\sunmscapi.pdb source: sunmscapi.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\libsunec\sunec.pdb source: sunec.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\libwindowsaccessbridge\WindowsAccessBridge.pdb source: WindowsAccessBridge.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\java_objs\java.pdbp source: java.exe.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\libjpeg\jpeg.pdb) source: jpeg.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\deploy\tmp\ssv\obj\ssv.pdb source: ssv.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\libmlib_image\mlib_image.pdb source: mlib_image.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\tnameserv_objs\tnameserv.pdb source: tnameserv.exe.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\deploy\tmp\javacplexec\obj\javacpl.pdb source: javacpl.exe.17.dr
Source:	Binary string: msvcp120.i386.pdb source: msvcp120.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\deploy\tmp\eula\obj\eula.pdb0 source: eula.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\libunpack\unpack.pdb source: unpack.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\libjavaaccessbridge\JavaAccessBridge.pdb source: JavaAccessBridge.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\libjsoundds\jsoundds.pdb source: jsoundds.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\libsunmscapi\sunmscapi.pdbi/ source: sunmscapi.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\libzip\zip.pdb source: zip.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\deploy\jre-image\bin\javaws.pdb source: javaws.exe.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\deploy\tmp\javacpl\obj\javacpl.pdb4 source: javacpl.cpl.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\pack200_objs\pack200.pdb source: pack200.exe.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\libjava_crw_demo\java_crw_demo.pdb98 source: java_crw_demo.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\deploy\tmp\deploy\plugin\npdeployJava1\obj\npdeployJava1.pdb source: npdeployJava1.dll.17.dr
Source:	Binary string: msvcr120.i386.pdb source: msvcr120.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\libjpeg\jpeg.pdb source: jpeg.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\javaw_objs\javaw.pdb source: javaw.exe.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\jjs_objs\jjs.pdb source: jjs.exe.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\libdt_socket\dt_socket.pdb source: dt_socket.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\deploy\jre-image\bin\deploy.pdb source: deploy.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\deploy\tmp\npjp2\obj\npjp2.pdb source: npjp2.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\deploy\tmp\jp2ssv\obj\jp2ssv.pdb source: jp2ssv.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\libkrb5\w2k_lsa_auth.pdb source: w2k_lsa_auth.dll.17.dr
Source:	Binary string: C:\Users\Windows10\Desktop\RetriveTitle\x64\Release\TitleWindow.pdb source: java.exe
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\libhprof_jvmti\hprof.pdbi source: hprof.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\libunpack\unpack.pdbY source: unpack.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\libfontmanager\fontmanager.pdb source: fontmanager.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\libjsdt\jsdt.pdb source: jsdt.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\rmid_objs\rmid.pdb source: rmid.exe.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\libjava_crw_demo\java_crw_demo.pdb source: java_crw_demo.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\deploy\tmp\jp2ssv\obj\jp2ssv.pdb source: jp2ssv.dll.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\libverify\verify.pdb source: verify.dll.17.dr
Source:	Binary string: C:\Users\Windows10\Desktop\CryptUtil_DLL_Visual Studio 10\x64\Release\CryptUtil.pdb source: java.exe
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\policytool_objs\policytool.pdb source: policytool.exe.17.dr
Source:	Binary string: c:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\build\windows-i586\jdk\objs\libjsound\jsound.pdbIC source: jsound.dll.17.dr

HIPS / PFW / Operating System Protection Evasion:

May try to detect the Windows Explorer process (often used for injection)

Show sources

Source: cmd.exe, java.exe	Binary or memory string: Progman
Source: deploy.dll.17.dr	Binary or memory string: [mwndProcID was NULL in mainLoop()wndProc(JIJJ)JNULL != hIcon../../src/common/windows/native/WindowsJavaTrayIcon.cppTrayNotifyWndShell_TrayWndUnable to Start Java Plug-in Control Panel%s\javacpl.exeJava Sys Tray
Source: cmd.exe, java.exe	Binary or memory string: Program Manager
Source: cmd.exe, java.exe	Binary or memory string: Shell_TrayWnd

Anti Debugging:

Checks for kernel debuggers (NtQuerySystemInformation(SystemKernelDebuggerInformation))

Show sources

Source: C:\Program Files\Java\jre1.8.0_144\bin\java.exe

System information queried: KernelDebuggerInformation

Jump to behavior

Creates guard pages, often used to prevent reverse engineering and debugging

Show sources

Source: C:\Program Files\Java\jre1.8.0_144\bin\java.exe

Memory protected: page read and write and page guard

Jump to behavior

Malware Analysis System Evasion:

Found dropped PE file which has not been started or loaded

Show sources

Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jjs.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\keytool.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\j2pcsc.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\npt.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\orbd.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\dt_shmem.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\klist.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\ssv.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\javacpl.cpl	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\wsdetect.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\prism_d3d.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jsoundds.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jdwp.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\decora_sse.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jsdt.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\deploy.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\javaws.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\ssvagent.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\j2pkcs11.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\fontmanager.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\msvcr120.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\prism_common.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\eula.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\plugin2\npjp2.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\tnameserv.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\dtplugin\npdeployJava1.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\JAWTAccessBridge.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\rmid.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jp2ssv.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\unpack200.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jp2native.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\kcms.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\WindowsAccessBridge.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\hprof.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\policytool.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\java-rmi.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\servertool.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\lcms.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jp2iexp.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jfxwebkit.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\pack200.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\javacpl.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\mlib_image.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\rmiregistry.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jp2launcher.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jfxmedia.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\resource.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jli.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\dt_socket.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\java_crw_demo.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\prism_sw.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\ktab.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\JavaAccessBridge.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\javafx_iio.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\bci.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\glib-lite.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jaas_nt.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\kinit.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\splashscreen.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\w2k_lsa_auth.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jabswitch.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\javafx_font_t2k.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\msvcp120.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\fxplugins.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\glass.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jpeg.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\t2k.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exe	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jfr.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\dtplugin\deployJava1.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\jsound.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\gstreamer-lite.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\dcpr.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\unpack.dll	Jump to dropped file
Source: C:\Windows\System32\xcopy.exe	Dropped PE file which has not been started: C:\Users\user\AppData\Roaming\Oracle\bin\javafx_font.dll	Jump to dropped file

May sleep (evasive loops) to hinder dynamic analysis

Show sources

Source: C:\Windows\System32\cscript.exe TID: 3660	Thread sleep time: -60000s >= -60000s	Jump to behavior
Source: C:\Windows\System32\cscript.exe TID: 3704	Thread sleep time: -60000s >= -60000s	Jump to behavior
Source: C:\Windows\System32\cscript.exe TID: 3792	Thread sleep time: -60000s >= -60000s	Jump to behavior
Source: C:\Windows\System32\cscript.exe TID: 3852	Thread sleep time: -60000s >= -60000s	Jump to behavior

May try to detect the virtual machine to hinder analysis (VM artifact strings found in memory)

Show sources

Source: java.exe	Binary or memory string: VmCipher.AES_256/CFB/NoPadding
Source: jdwp.dll.17.dr	Binary or memory string: JVM version %s (%s, %s)<unknown>VirtualMachineImpl.cRedefineClassesGetTopThreadGroupsJNI_FALSENewStringUTF;DeleteWeakGlobalRefsignature bagsignaturesclassTrack.cloaded classesclassTrack tableNewWeakGlobalRefsignatureKlassNodeAttempting to insert duplicate classloaded classes arraySetTagcommonRef.cDeleteGlobalRefFreeing %d (%x)
Source: jvm.dll.17.dr	Binary or memory string: _well_known_klasses[SystemDictionary::VirtualMachineError_klass_knum]
Source: java.exe	Binary or memory string: %com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: java.exe	Binary or memory string: VMWARE
Source: rt.jar.17.dr	Binary or memory string: com/sun/corba/se/impl/util/SUNVMCID.class
Source: jvm.dll.17.dr	Binary or memory string: Unable to link/verify VirtualMachineError class
Source: jvm.dll.17.dr	Binary or memory string: m{constant pool}CodeCache Oops C-heap JNIHandles MetaspaceAux SystemDictionary CodeCache StringTable SymbolTable Heap Threads [Verifying Genesis-2147483648Unable to link/verify Finalizer.register methodUnable to link/verify ClassLoader.addClass methodProtectionDomain.impliesCreateAccessControlContext() has the wrong linkageUnable to link/verify Unsafe.throwIllegalAccessError methodJava heap space: failed reallocation of scalar replaced objectsGC overhead limit exceededRequested array size exceeds VM limitCompressed class spaceJava heap spaceUnable to link/verify VirtualMachineError classC:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\hotspot\src\share\vm\oops\arrayKlass.cpp[]guarantee(component_mirror()->klass() != NULL) failedshould have a classC:\workspace\8-2-build-windows-i586-cygwin\jdk8u144\9417\hotspot\src\share\vm\gc_interface/collectedHeap.inline.hpp - length: %dguarantee(a->length() >= 0) failedarray with negative length?guarantee(obj->is_array()) failedmust be arrayshould be klassguarantee
Source: jvm.dll.17.dr, classlist.17.dr	Binary or memory string: java/lang/VirtualMachineError
Source: rt.jar.17.dr	Binary or memory string: #com/sun/corba/se/impl/util/SUNVMCID
Source: java.exe	Binary or memory string: VMWARE0
Source: java.exe	Binary or memory string: {"NETWORK":[{"PORT":7777,"DNS":"127.0.0.1"}],"INSTALL":false,"MODULE_PATH":"zS/lq/BTk.GI","PLUGIN_FOLDER":"DdWDtpinxpf","JRE_FOLDER":"HSIROD","JAR_FOLDER":"fUTkALeaTxM","JAR_EXTENSION":"Vybgol","ENCRYPT_KEY":"cPFjgddXIBcXBCIseEuXTZjwi","DELAY_INSTALL":2,"NICKNAME":"User","VMWARE":false,"PLUGIN_EXTENSION":"DhjWU","WEBSITE_PROJECT":"https://jrat.io","JAR_NAME":"uiylKSALYJr","JAR_REGISTRY":"WLyQyhWoosi","DELAY_CONNECT":2,"VBOX":false}
Source: jdwp.dll.17.dr	Binary or memory string: VirtualMachineImpl.c
Source: nashorn.jar.17.dr	Binary or memory string: d/gQemu
Source: java.exe	Binary or memory string: java/lang/VirtualMachineError.classPK
Source: java.exe	Binary or memory string: VMWARES
Source: java.exe, classes.jsa.17.dr	Binary or memory string: cjava/lang/VirtualMachineError
Source: java.exe	Binary or memory string: com/sun/corba/se/impl/util/SUNVMCID.classPK
Source: java.exe	Binary or memory string: org/omg/CORBA/OMGVMCID.classPK
Source: rt.jar.17.dr	Binary or memory string: )com/sun/corba/se/impl/util/SUNVMCID.class
Source: java.exe	Binary or memory string: 6aq[Ljava/lang/VirtualMachineError;

Hooking and other Techniques for Hiding and Protection:

Disables application error messsages (SetErrorMode)

Show sources

Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Java\jre1.8.0_144\bin\java.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Java\jre1.8.0_144\bin\java.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Java\jre1.8.0_144\bin\java.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Java\jre1.8.0_144\bin\java.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Java\jre1.8.0_144\bin\java.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Java\jre1.8.0_144\bin\java.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Java\jre1.8.0_144\bin\java.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Program Files\Java\jre1.8.0_144\bin\java.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cmd.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior
Source: C:\Windows\System32\cscript.exe	Process information set: NOOPENFILEERRORBOX	Jump to behavior

Lowering of HIPS / PFW / Operating System Security Settings:

Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)

Show sources

Source: C:\Windows\System32\cscript.exe	WMI Queries: IWbemServices::ExecQuery - Select * from AntiVirusProduct
Source: C:\Windows\System32\cscript.exe	WMI Queries: IWbemServices::ExecQuery - Select * from AntiVirusProduct
Source: C:\Windows\System32\cscript.exe	WMI Queries: IWbemServices::ExecQuery - Select * from FirewallProduct
Source: C:\Windows\System32\cscript.exe	WMI Queries: IWbemServices::ExecQuery - Select * from FirewallProduct

Language, Device and Operating System Detection:

Queries the cryptographic machine GUID

Show sources

Source: C:\Program Files\Java\jre1.8.0_144\bin\java.exe

Key value queried: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Cryptography MachineGuid

Jump to behavior

Behavior Graph

Simulations

Behavior and APIs

Time	Type	Description
09:12:53	API Interceptor	1025x Sleep call for process: cmd.exe modified
09:12:53	API Interceptor	2x Sleep call for process: java.exe modified
09:13:19	API Interceptor	8x Sleep call for process: cscript.exe modified

Antivirus Detection

Initial Sample

Source	Detection	Scanner	Label	Link
NEW ORDER .LIST 105.jar	43%	virustotal		Browse

Dropped Files

Source	Detection	Scanner	Link
C:\Users\user\AppData\Roaming\Oracle\bin\JAWTAccessBridge.dll	0%	virustotal	Browse
C:\Users\user\AppData\Roaming\Oracle\bin\JAWTAccessBridge.dll	0%	metadefender	Browse
C:\Users\user\AppData\Roaming\Oracle\bin\JavaAccessBridge.dll	0%	virustotal	Browse
C:\Users\user\AppData\Roaming\Oracle\bin\JavaAccessBridge.dll	0%	metadefender	Browse
C:\Users\user\AppData\Roaming\Oracle\bin\WindowsAccessBridge.dll	0%	virustotal	Browse
C:\Users\user\AppData\Roaming\Oracle\bin\WindowsAccessBridge.dll	0%	metadefender	Browse
C:\Users\user\AppData\Roaming\Oracle\bin\awt.dll	0%	virustotal	Browse
C:\Users\user\AppData\Roaming\Oracle\bin\bci.dll	0%	virustotal	Browse
C:\Users\user\AppData\Roaming\Oracle\bin\bci.dll	0%	metadefender	Browse
C:\Users\user\AppData\Roaming\Oracle\bin\client\jvm.dll	0%	virustotal	Browse
C:\Users\user\AppData\Roaming\Oracle\bin\client\jvm.dll	0%	metadefender	Browse
C:\Users\user\AppData\Roaming\Oracle\bin\dcpr.dll	0%	virustotal	Browse
C:\Users\user\AppData\Roaming\Oracle\bin\decora_sse.dll	0%	virustotal	Browse
C:\Users\user\AppData\Roaming\Oracle\bin\decora_sse.dll	0%	metadefender	Browse

Unpacked PE Files

No Antivirus matches

Domains

Source	Detection	Scanner	Label	Link
vvrhhhnaijyj6s2m.onion.top	13%	virustotal		Browse

Yara Overview

Initial Sample

No yara matches

PCAP (Network Traffic)

No yara matches

Dropped Files

No yara matches

Memory Dumps

No yara matches

Unpacked PEs

No yara matches

Joe Sandbox View / Context

IPs

No context

Domains

No context

ASN

No context

Dropped Files

Match	Associated Sample Name / URL	SHA 256	Detection	Link
C:\Users\user\AppData\Roaming\Oracle\bin\WindowsAccessBridge.dll	Ship_DocsXXXBLX384_pdf_.jar	a6f75b5b4f7a49657b6cafffbde06cf84a39cc246f21086345d6307eec35229e	malicious	Browse
	Tax Invoice.jar	b667645597164100fe44d0814bc5af4ab014002b0e4bf903ae423063c5966e08	malicious	Browse
	0.628554001502139784.jar	b21c6a312f46085d591c9b1b880e26f4a4f416738c929646d81d900a829195d7	malicious	Browse
	Product Specification PO.doc	f70ab7562e2279c68ba4f8d7a897ccf6216ed1c8e69da10a650ba8c7edece2ed	malicious	Browse
	http://www.cometrosinc.com/images/bbbbbbbb/INVOICE-28302.jar		malicious	Browse
	Proforma40773100 1507328765.jar	09a69d56590a140ecde8e1cceed5083472ff6141afa67c225e5640eda73cd3c9	malicious	Browse
	sjfCpLkZK.jar	c3abf2c78674aae73b3f6ebf6d8394fbd3ac06c053dab8dde3d9322d9510627c	malicious	Browse
	http://futra.com.au/0.359970001511742001.jar		malicious	Browse
	cenovnik.jar	0020925076786475c6eb0e72a0c8d9b894b0251bf858231a0a107e3cc29aeede	malicious	Browse
	vAv2DueP9C.jar	754e38b15463310e66510a68846a6cb52a3694613a110a5b356a9a8fb659ce1e	malicious	Browse
	zbQfs1N7S.jar	b30fe3ba0d2472b4f89714ce0c6990576dafe6a0aff78d1da8c1534130f5d1b5	malicious	Browse
	bad.jar	dac5b25ed447e764d536bd1a1543c9851198bfda1a6ca66f207f15ea7934970b	malicious	Browse
	wOwiK07Mv.jar	5a48320c3e3dd5976aaf59ff2dfe7eb431590c3544717fb62d71f89a40fb3e03	malicious	Browse
	011292018.jar	16d23e425ced47509cae61d92c91dc1f295928ab79accbcae6dbb2c80bac45db	malicious	Browse
	tiwit.jar	c1eff22424b6768bafb98930f144b1000691cf2be2dfb7cf654cff4590814c9f	malicious	Browse
	71DXX.exeQSQ.exe	01f89a19d84d39e8d1e9540ffdd885f9b077c9ab66372149532d7d6dd1f467e2	malicious	Browse
	Swift copy 27.02.18_pdf.jar	e27ac656a0ca2cef5f55b91cfaddae093353eed4d91750a705c1219790bfbb47	malicious	Browse
	CONT_WX_BAS.jar	5fe771916df7152c4d1a9d04d325fd3e69f6daa1e381f89d62565b1080be3563	malicious	Browse
	5Hzr1MXNCp.jar	877ad7ee754dfa9949c7881ac202fab8fba0bcb53564b91f471e6e697d5002d0	malicious	Browse
	Scan0001385.jar	ef52000d54132b676acca091781b1e3b1ea3bead7170cc72f9a3ce1d6a9af4c6	malicious	Browse
C:\Users\user\AppData\Roaming\Oracle\bin\JavaAccessBridge.dll	Ship_DocsXXXBLX384_pdf_.jar	a6f75b5b4f7a49657b6cafffbde06cf84a39cc246f21086345d6307eec35229e	malicious	Browse
	Tax Invoice.jar	b667645597164100fe44d0814bc5af4ab014002b0e4bf903ae423063c5966e08	malicious	Browse
	0.628554001502139784.jar	b21c6a312f46085d591c9b1b880e26f4a4f416738c929646d81d900a829195d7	malicious	Browse
	Product Specification PO.doc	f70ab7562e2279c68ba4f8d7a897ccf6216ed1c8e69da10a650ba8c7edece2ed	malicious	Browse
	http://www.cometrosinc.com/images/bbbbbbbb/INVOICE-28302.jar		malicious	Browse
	Proforma40773100 1507328765.jar	09a69d56590a140ecde8e1cceed5083472ff6141afa67c225e5640eda73cd3c9	malicious	Browse
	sjfCpLkZK.jar	c3abf2c78674aae73b3f6ebf6d8394fbd3ac06c053dab8dde3d9322d9510627c	malicious	Browse
	http://futra.com.au/0.359970001511742001.jar		malicious	Browse
	cenovnik.jar	0020925076786475c6eb0e72a0c8d9b894b0251bf858231a0a107e3cc29aeede	malicious	Browse
	vAv2DueP9C.jar	754e38b15463310e66510a68846a6cb52a3694613a110a5b356a9a8fb659ce1e	malicious	Browse
	zbQfs1N7S.jar	b30fe3ba0d2472b4f89714ce0c6990576dafe6a0aff78d1da8c1534130f5d1b5	malicious	Browse
	bad.jar	dac5b25ed447e764d536bd1a1543c9851198bfda1a6ca66f207f15ea7934970b	malicious	Browse
	wOwiK07Mv.jar	5a48320c3e3dd5976aaf59ff2dfe7eb431590c3544717fb62d71f89a40fb3e03	malicious	Browse
	011292018.jar	16d23e425ced47509cae61d92c91dc1f295928ab79accbcae6dbb2c80bac45db	malicious	Browse
	tiwit.jar	c1eff22424b6768bafb98930f144b1000691cf2be2dfb7cf654cff4590814c9f	malicious	Browse
	49Order List.exe	aef4d513540180a040da1a8e6c43a67eac3d627236feec8ebe3aafade6d0c6c0	malicious	Browse
	71DXX.exeQSQ.exe	01f89a19d84d39e8d1e9540ffdd885f9b077c9ab66372149532d7d6dd1f467e2	malicious	Browse
	Swift copy 27.02.18_pdf.jar	e27ac656a0ca2cef5f55b91cfaddae093353eed4d91750a705c1219790bfbb47	malicious	Browse
	CONT_WX_BAS.jar	5fe771916df7152c4d1a9d04d325fd3e69f6daa1e381f89d62565b1080be3563	malicious	Browse
	5Hzr1MXNCp.jar	877ad7ee754dfa9949c7881ac202fab8fba0bcb53564b91f471e6e697d5002d0	malicious	Browse
C:\Users\user\AppData\Roaming\Oracle\bin\JAWTAccessBridge.dll	Ship_DocsXXXBLX384_pdf_.jar	a6f75b5b4f7a49657b6cafffbde06cf84a39cc246f21086345d6307eec35229e	malicious	Browse
	Tax Invoice.jar	b667645597164100fe44d0814bc5af4ab014002b0e4bf903ae423063c5966e08	malicious	Browse
	0.628554001502139784.jar	b21c6a312f46085d591c9b1b880e26f4a4f416738c929646d81d900a829195d7	malicious	Browse
	Product Specification PO.doc	f70ab7562e2279c68ba4f8d7a897ccf6216ed1c8e69da10a650ba8c7edece2ed	malicious	Browse
	http://www.cometrosinc.com/images/bbbbbbbb/INVOICE-28302.jar		malicious	Browse
	Proforma40773100 1507328765.jar	09a69d56590a140ecde8e1cceed5083472ff6141afa67c225e5640eda73cd3c9	malicious	Browse
	sjfCpLkZK.jar	c3abf2c78674aae73b3f6ebf6d8394fbd3ac06c053dab8dde3d9322d9510627c	malicious	Browse
	http://futra.com.au/0.359970001511742001.jar		malicious	Browse
	cenovnik.jar	0020925076786475c6eb0e72a0c8d9b894b0251bf858231a0a107e3cc29aeede	malicious	Browse
	vAv2DueP9C.jar	754e38b15463310e66510a68846a6cb52a3694613a110a5b356a9a8fb659ce1e	malicious	Browse
	zbQfs1N7S.jar	b30fe3ba0d2472b4f89714ce0c6990576dafe6a0aff78d1da8c1534130f5d1b5	malicious	Browse
	bad.jar	dac5b25ed447e764d536bd1a1543c9851198bfda1a6ca66f207f15ea7934970b	malicious	Browse
	wOwiK07Mv.jar	5a48320c3e3dd5976aaf59ff2dfe7eb431590c3544717fb62d71f89a40fb3e03	malicious	Browse
	011292018.jar	16d23e425ced47509cae61d92c91dc1f295928ab79accbcae6dbb2c80bac45db	malicious	Browse
	tiwit.jar	c1eff22424b6768bafb98930f144b1000691cf2be2dfb7cf654cff4590814c9f	malicious	Browse
	49Order List.exe	aef4d513540180a040da1a8e6c43a67eac3d627236feec8ebe3aafade6d0c6c0	malicious	Browse
	71DXX.exeQSQ.exe	01f89a19d84d39e8d1e9540ffdd885f9b077c9ab66372149532d7d6dd1f467e2	malicious	Browse
	Swift copy 27.02.18_pdf.jar	e27ac656a0ca2cef5f55b91cfaddae093353eed4d91750a705c1219790bfbb47	malicious	Browse
	CONT_WX_BAS.jar	5fe771916df7152c4d1a9d04d325fd3e69f6daa1e381f89d62565b1080be3563	malicious	Browse
	5Hzr1MXNCp.jar	877ad7ee754dfa9949c7881ac202fab8fba0bcb53564b91f471e6e697d5002d0	malicious	Browse

Screenshots

Startup

System is w7

cmd.exe (PID: 3348 cmdline: C:\Windows\system32\cmd.exe /c ''C:\Program Files\Java\jre1.8.0_144\bin\java.exe' -javaagent:'C:\Users\HERBBL~1\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\NEW ORDER .LIST 105.jar'' >> C:\cmdlinestart.log 2>&1 MD5: AD7B9C14083B52BC532FBA5948342B98)

java.exe (PID: 3376 cmdline: 'C:\Program Files\Java\jre1.8.0_144\bin\java.exe' -javaagent:'C:\Users\HERBBL~1\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\NEW ORDER .LIST 105.jar' MD5: 02E26F23B34336225FB5E33DB36BF08C)

java.exe (PID: 3480 cmdline: 'C:\Program Files\Java\jre1.8.0_144\bin\java.exe' -jar C:\Users\HERBBL~1\AppData\Local\Temp\_0.371006104568627153520436261509485928.class MD5: 02E26F23B34336225FB5E33DB36BF08C)

cmd.exe (PID: 3564 cmdline: cmd.exe /C cscript.exe C:\Users\HERBBL~1\AppData\Local\Temp\Retrive7023066548171428146.vbs MD5: AD7B9C14083B52BC532FBA5948342B98)

cscript.exe (PID: 3600 cmdline: cscript.exe C:\Users\HERBBL~1\AppData\Local\Temp\Retrive7023066548171428146.vbs MD5: A3A35EE79C64A640152B3113E6E254E2)

cmd.exe (PID: 3728 cmdline: cmd.exe /C cscript.exe C:\Users\HERBBL~1\AppData\Local\Temp\Retrive1116934492945913819.vbs MD5: AD7B9C14083B52BC532FBA5948342B98)

cscript.exe (PID: 3752 cmdline: cscript.exe C:\Users\HERBBL~1\AppData\Local\Temp\Retrive1116934492945913819.vbs MD5: A3A35EE79C64A640152B3113E6E254E2)

xcopy.exe (PID: 3860 cmdline: xcopy 'C:\Program Files\Java\jre1.8.0_144' 'C:\Users\user\AppData\Roaming\Oracle\' /e MD5: 361D273773994ED11A6F1E51BBB4277E)

cmd.exe (PID: 3908 cmdline: cmd.exe MD5: AD7B9C14083B52BC532FBA5948342B98)

cmd.exe (PID: 3608 cmdline: cmd.exe /C cscript.exe C:\Users\HERBBL~1\AppData\Local\Temp\Retrive6788100484249657707.vbs MD5: AD7B9C14083B52BC532FBA5948342B98)

cscript.exe (PID: 3628 cmdline: cscript.exe C:\Users\HERBBL~1\AppData\Local\Temp\Retrive6788100484249657707.vbs MD5: A3A35EE79C64A640152B3113E6E254E2)

cmd.exe (PID: 3760 cmdline: cmd.exe /C cscript.exe C:\Users\HERBBL~1\AppData\Local\Temp\Retrive1876200895814508168.vbs MD5: AD7B9C14083B52BC532FBA5948342B98)

cscript.exe (PID: 3816 cmdline: cscript.exe C:\Users\HERBBL~1\AppData\Local\Temp\Retrive1876200895814508168.vbs MD5: A3A35EE79C64A640152B3113E6E254E2)

xcopy.exe (PID: 3876 cmdline: xcopy 'C:\Program Files\Java\jre1.8.0_144' 'C:\Users\user\AppData\Roaming\Oracle\' /e MD5: 361D273773994ED11A6F1E51BBB4277E)

cleanup

Created / dropped Files

C:\ProgramData\Oracle\Java\.oracle_jre_usage\17dfc292991c7c46.timestamp
Process:	C:\Program Files\Java\jre1.8.0_144\bin\java.exe
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	51
Entropy (8bit):	4.735671665288803
Encrypted:	false
MD5:	15BCF6481FED4F353820F571729534E9
SHA1:	E0571BAA41C34711669DCF1477E738A1FACF50E9
SHA-256:	FC54CDE1FEAB3081C7EAB425B6C0A7F4667485C0C6904CC69B83C3F852878CD2
SHA-512:	3D96185E9F09CECB07CBED426A502E3E4EB4C11DC95346D03B716947EB99C9A94B0C238855D2973F59A3E395F41BB4261C1C63F8E20D99D4F1374AF2B9EB3D26
Malicious:	false
Reputation:	low

C:\Users\HERBBL~1\AppData\Local\Temp\Retrive1116934492945913819.vbs
Process:	C:\Program Files\Java\jre1.8.0_144\bin\java.exe
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	281
Entropy (8bit):	5.093300055314051
Encrypted:	false
MD5:	A32C109297ED1CA155598CD295C26611
SHA1:	DC4A1FDBAAD15DDD6FE22D3907C6B03727B71510
SHA-256:	45BFE34AA3EF932F75101246EB53D032F5E7CF6D1F5B4E495334955A255F32E7
SHA-512:	70372552DC86FE02ECE9FE3B7721463F80BE07A34126B2C75B41E30078CDA9E90744C7D644DF623F63D4FB985482E345B3351C4D3DA873162152C67FC6ECC887
Malicious:	false
Reputation:	moderate, very likely benign file

C:\Users\HERBBL~1\AppData\Local\Temp\Retrive1876200895814508168.vbs
Process:	C:\Program Files\Java\jre1.8.0_144\bin\java.exe
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	281
Entropy (8bit):	5.093300055314051
Encrypted:	false
MD5:	A32C109297ED1CA155598CD295C26611
SHA1:	DC4A1FDBAAD15DDD6FE22D3907C6B03727B71510
SHA-256:	45BFE34AA3EF932F75101246EB53D032F5E7CF6D1F5B4E495334955A255F32E7
SHA-512:	70372552DC86FE02ECE9FE3B7721463F80BE07A34126B2C75B41E30078CDA9E90744C7D644DF623F63D4FB985482E345B3351C4D3DA873162152C67FC6ECC887
Malicious:	false
Reputation:	moderate, very likely benign file

C:\Users\HERBBL~1\AppData\Local\Temp\Retrive6788100484249657707.vbs
Process:	C:\Program Files\Java\jre1.8.0_144\bin\java.exe
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	276
Entropy (8bit):	5.064973526456737
Encrypted:	false
MD5:	3BDFD33017806B85949B6FAA7D4B98E4
SHA1:	F92844FEE69EF98DB6E68931ADFAA9A0A0F8CE66
SHA-256:	9DA575DD2D5B7C1E9BAB8B51A16CDE457B3371C6DCDB0537356CF1497FA868F6
SHA-512:	AE5E5686AE71EDEF53E71CD842CB6799E4383B9C238A5C361B81647EFA128D2FEDF3BF464997771B5B0C47A058FECAE7829AEEDCD098C80A11008581E5781429
Malicious:	false
Reputation:	moderate, very likely benign file

C:\Users\HERBBL~1\AppData\Local\Temp\Retrive7023066548171428146.vbs
Process:	C:\Program Files\Java\jre1.8.0_144\bin\java.exe
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	276
Entropy (8bit):	5.064973526456737
Encrypted:	false
MD5:	3BDFD33017806B85949B6FAA7D4B98E4
SHA1:	F92844FEE69EF98DB6E68931ADFAA9A0A0F8CE66
SHA-256:	9DA575DD2D5B7C1E9BAB8B51A16CDE457B3371C6DCDB0537356CF1497FA868F6
SHA-512:	AE5E5686AE71EDEF53E71CD842CB6799E4383B9C238A5C361B81647EFA128D2FEDF3BF464997771B5B0C47A058FECAE7829AEEDCD098C80A11008581E5781429
Malicious:	false
Reputation:	moderate, very likely benign file

C:\Users\HERBBL~1\AppData\Local\Temp\_0.371006104568627153520436261509485928.class
Process:	C:\Program Files\Java\jre1.8.0_144\bin\java.exe
File Type:	Java Jar file data (zip)
Size (bytes):	247088
Entropy (8bit):	7.977146417027947
Encrypted:	false
MD5:	781FB531354D6F291F1CCAB48DA6D39F
SHA1:	9CE4518EBCB5BE6D1F0B5477FA00C26860FE9A68
SHA-256:	97D585B6AFF62FB4E43E7E6A5F816DCD7A14BE11A88B109A9BA9E8CD4C456EB9
SHA-512:	3E6630F5FEB4A3EB1DAC7E9125CE14B1A2A45D7415CF44CEA42BC51B2A9AA37169EE4A4C36C888C8F2696E7D6E298E2AD7B2F4C22868AAA5948210EB7DB220D8
Malicious:	false
Reputation:	moderate, very likely benign file

C:\Users\user\AppData\Roaming\Oracle\COPYRIGHT
Process:	C:\Windows\System32\xcopy.exe
File Type:	ISO-8859 text
Size (bytes):	3244
Entropy (8bit):	4.5048923444191455
Encrypted:	false
MD5:	3DC1BFBD5BED75D650AD0506A0DF5930
SHA1:	8E79323389B9BC4B6AAD357B8BFAAB6A518FB82E
SHA-256:	621F7616B5E8538ABBC26667F28C25650A5B239A4F1ECA981F5DD60B8DA9B589
SHA-512:	74F077BC149AA459E480B5EE6117876CF67CD17D290E90F0A6045F687C42DD4E9F12133CE2459EAF905BD053E5EBA587C042040C84DA9CD2A26E415FC388B148
Malicious:	false
Reputation:	moderate, very likely benign file

C:\Users\user\AppData\Roaming\Oracle\LICENSE
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text
Size (bytes):	40
Entropy (8bit):	4.208694969562841
Encrypted:	false
MD5:	98F46AB6481D87C4D77E0E91A6DBC15F
SHA1:	3E86865DEEC0814C958BCF7FB87F790BCCC0E8BD
SHA-256:	23F9A5C12FA839650595A32872B7360B9E030C7213580FB27DD9185538A5828C
SHA-512:	AC2C14C56EEA2024FCF7E871D25BCC323A40A2D1D95059C67EC231BCD710ACB8B798A8C107AAD60AAA3F14A64AA0355769AB86A481141D9A185E22CE049A91B7
Malicious:	false
Reputation:	moderate, very likely benign file

C:\Users\user\AppData\Roaming\Oracle\README.txt
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text
Size (bytes):	46
Entropy (8bit):	4.197049999347145
Encrypted:	false
MD5:	0F1123976B959AC5E8B89EB8C245C4BD
SHA1:	F90331DF1E5BADEADC501D8DD70714C62A920204
SHA-256:	963095CF8DB76FB8071FD19A3110718A42F2AB42B27A3ADFD9EC58981C3E88D2
SHA-512:	E9136FDF42A4958138732318DF0B4BA363655D97F8449703A3B3A40DDB40EEFF56363267D07939889086A500CB9C9AAF887B73EEAD06231269116110A0C0A693
Malicious:	false
Reputation:	moderate, very likely benign file

C:\Users\user\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME-JAVAFX.txt
Process:	C:\Windows\System32\xcopy.exe
File Type:	UTF-8 Unicode (with BOM) text, with very long lines
Size (bytes):	63933
Entropy (8bit):	4.755223491638325
Encrypted:	false
MD5:	4F31CD1A5D86744D5F00666D9A57AD2A
SHA1:	17D0B343CFB2E54BBEC7AF17F247A8BCB72D946B
SHA-256:	7F841E514BA8D2F30D90C63C8CD93AC516428C9326D571F9F3EFBAE8BD72BA96
SHA-512:	D87034237DFA3B22B4B510A98DE091B30D2ACB1DC32784C71932703A048C5EB862EDD376C2B4FC879E49D726345EEF6863AA7F24C9A7E7CEF9FD7A30960438F1
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\THIRDPARTYLICENSEREADME.txt
Process:	C:\Windows\System32\xcopy.exe
File Type:	UTF-8 Unicode text
Size (bytes):	145180
Entropy (8bit):	5.0247000630968905
Encrypted:	false
MD5:	CD63A2745CDFC4E6EB7B40A16AFC5326
SHA1:	03538F98566F2BA5523B3CFF4341396BB59252F9
SHA-256:	DC3982C5EE4CB1AEFDA63468C19D8AA60C80CD9FEC7E7209816F78AB29BC9FB0
SHA-512:	7036034F99D2A6AD507CE4DF7DF183D5EAC82861FB79555EEC0EB6207C9463670E2618C56636E7385D63A890B41CFA590C38908BE7D5DA8FB1550DFF0CFBF093
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\Welcome.html
Process:	C:\Windows\System32\xcopy.exe
File Type:	HTML document, ASCII text
Size (bytes):	955
Entropy (8bit):	5.094001412859534
Encrypted:	false
MD5:	7A329F25E9CC132C673CD134E8134B0D
SHA1:	634D69FDD1E9B824A1E92DA00FDB6201A6D302AC
SHA-256:	6F3F130AA22B3CBEAD959E5CF0F7F626B96539EECA56BED60768E91A77823363
SHA-512:	99C9026924558381CAB0D1CD1F351D977F82953C1AB1BC99DAFE543D81DB702A1F30527DD7E33BD99219CDC21DC05688898C39E8070658AC185F82DAA3F526A4
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\JAWTAccessBridge.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	14912
Entropy (8bit):	6.134860281825746
Encrypted:	false
MD5:	5AC1ACB7FA3D3CF55C1E460D9BE8AB47
SHA1:	BB669135FAA8ADF24AA8ECBCAF5BA84A0DE5A9BF
SHA-256:	EA9D437D0828D399B7FA57BD25F18FC42A0423E35DB0314DB3DC2DF497C9F219
SHA-512:	EA37D04B0CDE218123D4275B4A1D7B4010EA00A85D598EBD87ED86877513E13192CED95791180261C76A67A8FE3A630A3F1D198EE32D2BDEE83E56605239551E
Malicious:	true
Antivirus:	Antivirus: virustotal, Detection: 0%, Browse Antivirus: metadefender, Detection: 0%, Browse
Joe Sandbox View:	Filename: Ship_DocsXXXBLX384_pdf_.jar, Detection: malicious, Browse Filename: Tax Invoice.jar, Detection: malicious, Browse Filename: 0.628554001502139784.jar, Detection: malicious, Browse Filename: Product Specification PO.doc, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: Proforma40773100 1507328765.jar, Detection: malicious, Browse Filename: sjfCpLkZK.jar, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: cenovnik.jar, Detection: malicious, Browse Filename: vAv2DueP9C.jar, Detection: malicious, Browse Filename: zbQfs1N7S.jar, Detection: malicious, Browse Filename: bad.jar, Detection: malicious, Browse Filename: wOwiK07Mv.jar, Detection: malicious, Browse Filename: 011292018.jar, Detection: malicious, Browse Filename: tiwit.jar, Detection: malicious, Browse Filename: 49Order List.exe, Detection: malicious, Browse Filename: 71DXX.exeQSQ.exe, Detection: malicious, Browse Filename: Swift copy 27.02.18_pdf.jar, Detection: malicious, Browse Filename: CONT_WX_BAS.jar, Detection: malicious, Browse Filename: 5Hzr1MXNCp.jar, Detection: malicious, Browse

C:\Users\user\AppData\Roaming\Oracle\bin\JavaAccessBridge.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	127552
Entropy (8bit):	6.413147752142186
Encrypted:	false
MD5:	EE08371113351E3C57E6A6AF2AEFC898
SHA1:	54021050ECDD16C309B3C5EF4CE87175D86A7316
SHA-256:	395325970EF0FA1AADCD0BF072A90D28990FB31DD29D70FF8FDA31A7974DE1FB
SHA-512:	A03D9E62337470C5CE8EBB1D02B7B01F4587A21EE6512FDC282A80A7E9804854E9FAA2FB253DECD3556D8614D25492AE7FE238475DD36DC2815344FF8A794E79
Malicious:	true
Antivirus:	Antivirus: virustotal, Detection: 0%, Browse Antivirus: metadefender, Detection: 0%, Browse
Joe Sandbox View:	Filename: Ship_DocsXXXBLX384_pdf_.jar, Detection: malicious, Browse Filename: Tax Invoice.jar, Detection: malicious, Browse Filename: 0.628554001502139784.jar, Detection: malicious, Browse Filename: Product Specification PO.doc, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: Proforma40773100 1507328765.jar, Detection: malicious, Browse Filename: sjfCpLkZK.jar, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: cenovnik.jar, Detection: malicious, Browse Filename: vAv2DueP9C.jar, Detection: malicious, Browse Filename: zbQfs1N7S.jar, Detection: malicious, Browse Filename: bad.jar, Detection: malicious, Browse Filename: wOwiK07Mv.jar, Detection: malicious, Browse Filename: 011292018.jar, Detection: malicious, Browse Filename: tiwit.jar, Detection: malicious, Browse Filename: 49Order List.exe, Detection: malicious, Browse Filename: 71DXX.exeQSQ.exe, Detection: malicious, Browse Filename: Swift copy 27.02.18_pdf.jar, Detection: malicious, Browse Filename: CONT_WX_BAS.jar, Detection: malicious, Browse Filename: 5Hzr1MXNCp.jar, Detection: malicious, Browse

C:\Users\user\AppData\Roaming\Oracle\bin\WindowsAccessBridge.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	95808
Entropy (8bit):	6.488891397675493
Encrypted:	false
MD5:	9867B47DE013C131DEABC5A5CE73876E
SHA1:	C0F0AE34A594AE4903E4DA2889BCB30CDCA60DA9
SHA-256:	B2C96DF9961DCCE06BB40185ADE8DA3CC5FBD839DCE92EB0B38CD0D21ABE2D9B
SHA-512:	C94911122DD66A2319A59E9252423226FFAF9D3D385B0B2F3A89575C06ED40C21A4B426579BEB3A88BC9C962EC4D0A63182DD16DED6E4EC8A8F2CFC0EB4D6AB2
Malicious:	true
Antivirus:	Antivirus: virustotal, Detection: 0%, Browse Antivirus: metadefender, Detection: 0%, Browse
Joe Sandbox View:	Filename: Ship_DocsXXXBLX384_pdf_.jar, Detection: malicious, Browse Filename: Tax Invoice.jar, Detection: malicious, Browse Filename: 0.628554001502139784.jar, Detection: malicious, Browse Filename: Product Specification PO.doc, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: Proforma40773100 1507328765.jar, Detection: malicious, Browse Filename: sjfCpLkZK.jar, Detection: malicious, Browse Filename: , Detection: malicious, Browse Filename: cenovnik.jar, Detection: malicious, Browse Filename: vAv2DueP9C.jar, Detection: malicious, Browse Filename: zbQfs1N7S.jar, Detection: malicious, Browse Filename: bad.jar, Detection: malicious, Browse Filename: wOwiK07Mv.jar, Detection: malicious, Browse Filename: 011292018.jar, Detection: malicious, Browse Filename: tiwit.jar, Detection: malicious, Browse Filename: 71DXX.exeQSQ.exe, Detection: malicious, Browse Filename: Swift copy 27.02.18_pdf.jar, Detection: malicious, Browse Filename: CONT_WX_BAS.jar, Detection: malicious, Browse Filename: 5Hzr1MXNCp.jar, Detection: malicious, Browse Filename: Scan0001385.jar, Detection: malicious, Browse

C:\Users\user\AppData\Roaming\Oracle\bin\awt.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	1182272
Entropy (8bit):	6.631868285342272
Encrypted:	false
MD5:	0304579370E3EF9F287C58089FF07EF3
SHA1:	88EE48B36422A9269C469C36B801932BD6906BF5
SHA-256:	4C4BF1FDE6365A4FC265257BFA61CE3300CD0C5C1E904C40C0065EE8E97F39C4
SHA-512:	CC585EE0D6D2243C481B98B5D9B48807FE149DCB9B28B9375239F14B38DE394D2FEC0429F523CCCD88D971288F8BE692CEAA0DB081DDE36DACD8FB49A6EF9E30
Malicious:	true
Antivirus:	Antivirus: virustotal, Detection: 0%, Browse

C:\Users\user\AppData\Roaming\Oracle\bin\bci.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	15424
Entropy (8bit):	6.37998881692665
Encrypted:	false
MD5:	E32EFDF4BDAE1464F979912F1404C5BD
SHA1:	08080E4851E88B83995B864911628F6FDC6311D2
SHA-256:	3A01155AAF37F23ED8EA04F25D72EBA98AA7415DEDF9D40BE378F28D4BEE63CD
SHA-512:	8ED83FFCF5AEBEA7D730FF4D4B765301465F212D0FB0B1834C928E29B93E875573F02B12E3878764F99DE32B0F9C5661B6E5B295B4378887081BC0F5968CC04A
Malicious:	true
Antivirus:	Antivirus: virustotal, Detection: 0%, Browse Antivirus: metadefender, Detection: 0%, Browse

C:\Users\user\AppData\Roaming\Oracle\bin\client\Xusage.txt
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text
Size (bytes):	1423
Entropy (8bit):	4.176285626070562
Encrypted:	false
MD5:	B3174769A9E9E654812315468AE9C5FA
SHA1:	238B369DFC7EB8F0DC6A85CDD080ED4B78388CA8
SHA-256:	37CF4E6CDC4357CEBB0EC8108D5CB0AD42611F675B926C819AE03B74CE990A08
SHA-512:	0815CA93C8CF762468DE668AD7F0EB0BDD3802DCAA42D55F2FB57A4AE23D9B9E2FE148898A28FE22C846A4FCDF1EE5190E74BCDABF206F73DA2DE644EA62A5D3
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\client\classes.jsa
Process:	C:\Windows\System32\xcopy.exe
File Type:	data
Size (bytes):	12713984
Entropy (8bit):	5.158674134150041
Encrypted:	false
MD5:	1141D3988B18B4B48049CD465CD6CFFA
SHA1:	4F480BA8672A677BCBDDB132449631325FA20845
SHA-256:	20A36F98B41698731AD5EB6318D303000976AA35EF67EEAFD16AB335710A517C
SHA-512:	34B05CF0546ECA76040476F9ADA5664A73200D0160C0FCC1689FFA2B36B52AE4BE4D484726CDD232FBEC31EDCA821A4AED8E50408048612EC5373A0279C83891
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\client\jvm.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	3866176
Entropy (8bit):	6.855835733402667
Encrypted:	false
MD5:	57A10918A05BEF3961ACF79867085723
SHA1:	3A4FC413D5A32D494E3CCFB2B8F3DCF96BB90808
SHA-256:	B7D99D8FDAA0FAD10FAF4C5AA6EEB1FC84DF4D1933EA537480829A6ABDE43849
SHA-512:	53609EFC64A6B43EE50F9EF404545F50431A38441C10B0DABA6AA9324074A84671DD52B66790C7EEE22B33FDDB986B28CEDAE5C1A58B5F30FFA0B2B5AF893C4C
Malicious:	true
Antivirus:	Antivirus: virustotal, Detection: 0%, Browse Antivirus: metadefender, Detection: 0%, Browse

C:\Users\user\AppData\Roaming\Oracle\bin\dcpr.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	142912
Entropy (8bit):	7.350677345698727
Encrypted:	false
MD5:	5C4AB5C8D9FC9D96ED1420CF5FFECFE4
SHA1:	3B68B2C1EE2FB2E973B4CAA0DEE7F7DBF3882133
SHA-256:	5CE247418D8D454FFC0DF04EDC50A1A65A4CC3D5969CE66DB55169EEC85877BA
SHA-512:	F6689A26AE1E57CBEEF84CBE3FE1FBD812FC474FAD6BA5E8D4DFE0E8C99BDC8AF7CB2084961D93CFAF928090EA969E34ED373F1CE8BFA5593043AD12C7CF020B
Malicious:	true
Antivirus:	Antivirus: virustotal, Detection: 0%, Browse

C:\Users\user\AppData\Roaming\Oracle\bin\decora_sse.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	64064
Entropy (8bit):	6.339283328310836
Encrypted:	false
MD5:	3080ABA90CFF63D5C5A33C854DCE27F3
SHA1:	D6E5E7A045A187EDEC8AA6E689010C2DDC73F608
SHA-256:	7E1ED9E399997650E8C10EB60094BFB659942BDE0764DA19AB041CE62083115F
SHA-512:	55FF028A571F5382801D70E3020E03C09F4115DA1F47E2AA2E47455EE02823A2BD589C7C5AD06EABDFCC519DCB19B3698DA79AB22AB844F000AD3DEBA98790A2
Malicious:	true
Antivirus:	Antivirus: virustotal, Detection: 0%, Browse Antivirus: metadefender, Detection: 0%, Browse

C:\Users\user\AppData\Roaming\Oracle\bin\deploy.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	454208
Entropy (8bit):	6.51698680676728
Encrypted:	false
MD5:	2CFE0B1492EB6FEBBE2F1D4E09B4872F
SHA1:	1C780B589B2D71D6D0B2B5BF0C2E440A90A00A7D
SHA-256:	542869B28FF7067B128F35A3F71A17F85D59687C50044182EC5C31A016F38706
SHA-512:	A90D4C4DDE4A464A2CAB2C5C5B63C553C5C7FEE6A4415F17685C41357130FCA8E248D81FD0530CACFDD02F9D9CC9D1F996D5D1F1298747E4B20DB3AF4E7E034E
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\dt_shmem.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	25152
Entropy (8bit):	6.6260515725325355
Encrypted:	false
MD5:	8CE4069A52BC41A4E834A8E38753FA09
SHA1:	5C0FF25904840B5D067B23B47627424C0987C0D2
SHA-256:	625CFB08B5B909BBF0565398D8744B974FE4143274750E6F2CD4BF3C1580C935
SHA-512:	2BD484384DDDD55FEE6789F4EF086EF7F8AD4E7D9956C207B6587E24BA1AB665AA19A8C094A12CF48A71F79BB84A15C5EAD859EE94FF47F1F9AD4B7B84CEC10B
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\dt_socket.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	21568
Entropy (8bit):	6.60119196764975
Encrypted:	false
MD5:	D322D0D676132063FE34A84FAD8C08FE
SHA1:	458DBF55127E52AD7B76591CB50771CBF0D7C58B
SHA-256:	034423F51F7D5A39992D3262576BE208D516D3C515757A70915053AAEE7CB552
SHA-512:	56C892B17B30CACC8E1D5CF09B5E522826A1B443691E75894C13AB94C75F88A4B26EA392B2EC5A99BFF3EDBD4F8DC518B29E10F7BBEA8697F8AD4A127B025B2F
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\dtplugin\deployJava1.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	826944
Entropy (8bit):	6.023278804823511
Encrypted:	false
MD5:	C0A01372F7A1D107EE2641779F669AAD
SHA1:	8C770048CF9B517634943BBA66C4A1E4DE9CD6B4
SHA-256:	E596EC4273F111D8D6647568FEB3706782509F8296EE04A85C75748980A656F1
SHA-512:	64D25B8CB45B7367FC4BFD8F4D6567FB0B8D25D35752285D18CA91D097828266B13D75F568D62E4686C9FAF9850A45E37C29B9816BFF5A12BBD85B6BB08F4371
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\dtplugin\npdeployJava1.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	908864
Entropy (8bit):	6.159242151659468
Encrypted:	false
MD5:	8EE9808AED44873E6C2F578196A53715
SHA1:	D6428D7878272E3DF67C70C511E1A2284DD863FF
SHA-256:	4C503B185348C669BD20E5852C5AD203AB6B905F97FB5A7A3474C7310545748B
SHA-512:	27D27FC942C220CAE003A917F5769E6B59B87F7E535AD1280605B1705A2FBE34DBEDFF4A2875E6E599067489C06EDB284E41CADDC6912C1B8D459751A93458BF
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\eula.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	109120
Entropy (8bit):	5.986074013591891
Encrypted:	false
MD5:	6E2AECD1691420507DA90BED5B849A53
SHA1:	48E88361B85C61D36EC0FE8564287A5AC4F75C8C
SHA-256:	893CE6B2475F12EBCE25711B51D4ED8045BCB0813567080346167F9AA8F71414
SHA-512:	D17F7D8F0771FC74B4BDFEF9E5736745C34DF413CF0C09632546CAE7AB82438FFC236306CE21F583A6F20FDE2B30E602DE444016DAB0DFE660E4E000C9368B76
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\fontmanager.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	223296
Entropy (8bit):	6.506726069952414
Encrypted:	false
MD5:	25CCA16EE39023C5A7DC09C321A5FCF5
SHA1:	FF755F58244E0753D737C9325B9F42FE59CD9B65
SHA-256:	82C2757D3210BFE13677A0A286E4BB926DE25385E5F325B49338D5BD09C821C1
SHA-512:	2736F2F1F345CD1CFEE241A212DCB879D53AFA65596E05ABEEC6638ECEB6C42DFDA6A2F92AC71A4ABF6D304AFBE85E41916A3B01AED5B73D1415DE1D8FD70725
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\fxplugins.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	152640
Entropy (8bit):	6.5431595288476
Encrypted:	false
MD5:	CDF176E141AD890AA8D8A269CAC60BA3
SHA1:	2C339BFFDA4E07FE3DC4D0460169831FD5F5FBAA
SHA-256:	93ADB78853E427471E48AEFAB4A9103C6AC3B7D233931C8866933D1EECAD8519
SHA-512:	3F5029A52DAE00E3D4FE696155AAA17308377D848A17946885CEB34F33FC3D7E455D86FF0F3F8FBB5E8D44F3AA2761836EAAAB22D700467C38E8B4294359504C
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\glass.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	200768
Entropy (8bit):	6.431604183486996
Encrypted:	false
MD5:	77BACEC88AC4E3C8D95FF07FF3A2B7BE
SHA1:	256C6640B9C44154071C029C6EEF285FCDB2F66C
SHA-256:	9F91A2E7BE21317DA8D61D80691FF185546797E7435C35CD348F7A97845A93BD
SHA-512:	AE19C912D287902462DF8DA4C31873A5571BE8EC40C52AF66812E298F9D249809BF0B0FFD0DD517BB0A9AA1EA1B9F25C6B0FB76F692134C5776A57757367B64B
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\glib-lite.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	400960
Entropy (8bit):	6.166649076853756
Encrypted:	false
MD5:	F5A84D9F582379275CFDFE409644AB21
SHA1:	945176DC56DD147ABBB77EF54080A8FC47AA658E
SHA-256:	B20F2376F99CB9C36E1CC3F88DB91CF7ED7449BD092F4FF982FC6BF3C691676C
SHA-512:	70B53088A2FE2B2F01AFABB800A6D5912705F9116B03870C91DC9CD1CF96B092B22713EDCA3C94696710094FB21D08D75F7A2D4ED998E636BD07C375732972E0
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\gstreamer-lite.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	514624
Entropy (8bit):	6.803326727806044
Encrypted:	false
MD5:	0D8ECAE61AAFB195F02134CD2E618B59
SHA1:	67A037AF6116B858B4CFD3AC1F141861F6FFCB3C
SHA-256:	87C4B4556AC731C37EC23518820B25EE065252DDCBE351B37BB020A470DE47F4
SHA-512:	70D320428BE43598A0812690951DE0F312A97A6332F6F0081CE675EA6D0B4DA1A3523ED43DFC8F288FD262A9322BA10B3DB08E8924B11BFC1BD89DDB3BEDFC3A
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\hprof.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	132160
Entropy (8bit):	6.723153703478439
Encrypted:	false
MD5:	7B105B9E5DBE91945F95A0AD1708B205
SHA1:	BF535181CC646D19F7357937E404266BEF5D91D0
SHA-256:	2773D91DF28EFE4FDF6462653298FE2647622AD25837987FC86C02E34FBB1D2D
SHA-512:	4E8F4D0316A0F6308FCEF846B73FFA98FF67D0527498F90861B7C466166E7F564DD0D85E440F82884447ACE68600EF1D22B0727B8C3F722A3B937BFCD85CE86D
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\instrument.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	115776
Entropy (8bit):	6.787276209523372
Encrypted:	false
MD5:	281E338EEFD2121C835C572063F2942C
SHA1:	58E1326283E4C7202709CFBBA2F6247DA25C20A9
SHA-256:	CC51833EF9C42D096090B6F7CEB88B91829DC9D0603ECB963042B2F6F9ED3B3C
SHA-512:	AFFB6E15756A3A09A0DF0FE584BEBB16A96A5F7967A57B422EC093D9D96C043F409A317EFBE197C360EF06FD71005F436046C6345D434B342371F42C50910F8A
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\j2pcsc.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	16448
Entropy (8bit):	6.486828513892576
Encrypted:	false
MD5:	8E2E4E995DF27609BEFB14180163F18D
SHA1:	1A048A6BC0B7CDF5A2376D748D3E1B7ACDBEC7A0
SHA-256:	7DACAFF6289A9887E4908915497F3A412CBC229C92A3E76691EBB3CEBA5A69DA
SHA-512:	72BBACD85EC3F0766A17F844BF890E57E40B32675CC08CA4BAA3D559FA81C6846C7235F592FB6006675598638B05AE3671F40369406B67E3957C518449A80C80
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\j2pkcs11.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	51264
Entropy (8bit):	6.579030329626856
Encrypted:	false
MD5:	D6026C2B6A839DD03688404627DCA20B
SHA1:	CDE737D8E169FDE876C280DA9DD78500F840BC5D
SHA-256:	127A152EA4F71BF2862E39E90FF98A6FAF057AF8A845A75680F80202ADF91210
SHA-512:	0376A02FE84680E3E5160036288EC92BFBC82AEE8975642721DC5C2A035B1A282AAC7BDF2EF76A293A27631E269C62991CAC6E12C092FDAC6062301D81FE4B88
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\jaas_nt.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	19520
Entropy (8bit):	6.454041821166387
Encrypted:	false
MD5:	BB3B769F9AEF7B70F575899F44FA934F
SHA1:	FBABBC8E506F3401FDB45A55A2F84C6BA8E7AC94
SHA-256:	2F32FF27565E4FD290E75CB76B24566358BB3489BF6CAB69D5B9D5FC883BF7A0
SHA-512:	0474908858F842DA4CA3E7E0A7963FD7B658BEA47BE4AA58DF66F972F24C3391123911EC22FA908CAC67FA900D505CFFD87835D0D042133A0FD81256E708A0FB
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\jabswitch.exe
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Size (bytes):	30784
Entropy (8bit):	6.412006519570213
Encrypted:	false
MD5:	AF5D1B2BE539A2D210A598E693A45579
SHA1:	8F753CC6C1474516DE71C7CC82230D7CBE02A0BA
SHA-256:	F1E12F28C9DD7F8FFE2B94B6D0C8F2043494EC0A71FC0A1BA239573DE97A3427
SHA-512:	53E69BE640F57B75DBDFE18E097B00DDF6C007E73986D96448D9E0B96FF06A38463E5A3CD87E0AF5F6C8CC49EEC2184B9EF7883CF14C2152B6BD21B644ACDACF
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\java-rmi.exe
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Size (bytes):	15936
Entropy (8bit):	6.462003296325281
Encrypted:	false
MD5:	690C4C406DA3043653F43B5E0ECC019C
SHA1:	F8F5E5E7362461223676896472CA159124FB2065
SHA-256:	48AA7ABED502980607600F0D3F4F204FE11EF39DB3FFC0D37D81E13CEA54C5AA
SHA-512:	8C01F2B9040B13C957DE38BD9AB2662B50CF62F31E1E06D7E186F89933600B59562292FC06B8C5155F2E06DDEB9FDCA415B431A2AC2E711937EED7F75C7F2BA0
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\java.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	127040
Entropy (8bit):	6.806845399394011
Encrypted:	false
MD5:	D4A44B1965428805885AC50623F54340
SHA1:	5FE1B0B783558DBA430193D17ED4BFFEFF0033CB
SHA-256:	8F519A123E54D0CA719B221562E326614FAAC1864E1F911DCBD60A415E89E05F
SHA-512:	38117BB4C063058CD7C3B5D76F8B75F2BF1DAD04F58F3A4A5797E57B0A8D09878141EC6C1B8ECF02BAE236227528FB0A30570FF8288C351290A99B075B665CC4
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\java.exe
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Size (bytes):	191040
Entropy (8bit):	6.7499064995642835
Encrypted:	false
MD5:	02E26F23B34336225FB5E33DB36BF08C
SHA1:	5B52DF44ADAEDEF8DF26A2C1CE0A700D8BE84FC5
SHA-256:	74E3A20C7CE578D6E8557332921FC19445278092266FE8BCFABD3F5E1629ED4E
SHA-512:	396BD293563699F882CD36C8DEDCC669B07AFFDD7280ABC4E14E38DDE93D86D84565EC15621F570998A159CA52C6C63E07A8C6829AD2526DC298B6E0A3E3F5B1
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\java_crw_demo.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	23616
Entropy (8bit):	6.619933086072398
Encrypted:	false
MD5:	85A34845252FB6F6D93862CA04E68DB3
SHA1:	C24E2186CB7C3419822576F07EB06EB7B2B6CC82
SHA-256:	1AE3BBFBE8A818B8EF5B9F686FAA1098F47022FFA9570502F9F9F9AE4EE7C9E2
SHA-512:	5EECE50EE4CDE9ED25700EF6E12D69AB712EEE50DA0FC896F48D68D434BD97DDD1E65A660C2A5B61B28E354FEC9BF1D31FC558B944EF4C5532C55279C08ABF2F
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\javacpl.cpl
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	160256
Entropy (8bit):	6.482822492204265
Encrypted:	false
MD5:	ECC258D267832147756C992E0317B477
SHA1:	4D70E4DB47F9D6329AC463C8C32DBD81CE6F44AF
SHA-256:	AE5AA1C0F4C8537EA1256498BAB2CEE76A9FF96581CA9466046D139A10608094
SHA-512:	E3F7F92FC626CF6054D2B1A6069013D194BB27C5CCE42C44040DDFD684D3A077BE6320E35102442F2BBA7E76FD732175FFB77252EA8B21BAC286F6EE86D27122
Malicious:	true

C:\Users\user\AppData\Roaming\Oracle\bin\javacpl.exe
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Size (bytes):	71232
Entropy (8bit):	6.3238633737549925
Encrypted:	false
MD5:	02675987DB21CE7E022FBA4A25F5ACBF
SHA1:	330B2DC60592A8EF98505F3BB9842DA72639C37A
SHA-256:	A232D7829CE3494D447C8FF338F4CAA4282B8658272DCD87B71C64609B7F0C3B
SHA-512:	9A1A13D0041A5AC44654931024A3B6B83B5D25AF1AA912BC78ED5E96413870F8E2C83F76D0A20EBFDE040EBF84E9DD674E718163C1CD77763E0BC2C3B947E434
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\javafx_font.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	57408
Entropy (8bit):	6.672223965506744
Encrypted:	false
MD5:	DD5AB5B8D417D25BD53DC56E57B1FA7A
SHA1:	E3FFD5566386CB77841FE6E9A8AAFBF3A1D65763
SHA-256:	5BF2AD6AA41D4B2377101FF6923BF1AF3251A0A3679E85D91CA19CFEE3729BB2
SHA-512:	15DD88281F1B5242F027107297F509B1AA07F0DEF139A2D9EA821D51BA630D329A5A478CD9230AB0AA1635B3BF471AAB02CA0E881F142A49859F56ED8DB65D7E
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\javafx_font_t2k.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	446528
Entropy (8bit):	6.602764367577674
Encrypted:	false
MD5:	13BBFC8DB65E08D4A0C01AAD663D548E
SHA1:	2B69D25934E2E2A54C91BAE38A20965D44D1BD18
SHA-256:	575A9EA499B28E0C8BDE0CF02514B81B337CD5B96E4A89724E5D60542556DABE
SHA-512:	2ACA80DBFAEA3529A50E5CDEF345436C523621B0BFC0274D0BF43AE650061406887F918696A669204B918971E70DCF47C2EA1A8F67DA062493A06FD27DB1FBF3
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\javafx_iio.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	126016
Entropy (8bit):	6.609255570053583
Encrypted:	false
MD5:	4426045C35A3FABE304041EC992A634F
SHA1:	5AE4FA29E92642D344207D4FE86C85EEC1B2A15A
SHA-256:	E9C0BC532B78549C384FD5637738F4AE04C041CDEB76DD14DD776D5307CB45A2
SHA-512:	E580B44AB5661DBE13BC3DB78083DB2ED999CE3D7ADB340613C687C94C66519BDEAFCBBFCBB30198C7D2E9B6868B61E09CFFDCD153BD597B610A7DCA2BDA53D6
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\javaw.exe
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Size (bytes):	191552
Entropy (8bit):	6.74460077410831
Encrypted:	false
MD5:	F233D34C98F6BB32BB3B3CE7E740EB84
SHA1:	0B2CA11540B830AE37F4125C9387F8C18C8F86AF
SHA-256:	2206014DE326CF3151BCEBCFA89BD380C06339680989CD85F3791E81424B27EC
SHA-512:	D050562B7212ADDAF042ECDDB145AA2D598B48C7A7E848F6809EF1612C63F3EE03F3B37FBFDFF318165249D74CB68DD3C6F76649455EB8E3FA8D6A2A6CA646D8
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\javaws.exe
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Size (bytes):	270912
Entropy (8bit):	6.418676549554313
Encrypted:	false
MD5:	55561AC10D64539FA634E4FCB14D83DF
SHA1:	5C8885EAB1B7F9A63BDADC309F0E07957D259AA5
SHA-256:	CA681963C7EDFBD7FF84D6A3FD6325C291CD5BF2D953D388065D78A3CDB08BAC
SHA-512:	0957EE9480B62681C5F709A4F080DD2F9E633EA1CD2BE7B5A4AADD9F628738432927BD70BD7C9E2A5A0BE793948F4BD924EA098D75C81DF017DB293E3FA6C925
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\jawt.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	13888
Entropy (8bit):	6.2751038934745065
Encrypted:	false
MD5:	0820D1B8828A57A20C1F81654F7D5FD3
SHA1:	67BAA79F87A068E78C4424335CA2C1DBCEEC60C7
SHA-256:	563D0222814B4DA7F647D9F9BC7E0F076ADB76518D5678442A546C736ECDD639
SHA-512:	9FEAB80F9A753D29A269AF22AB6FD457E3469292B6DCC0FD1C3A8F566CBEE75AFC5A516C0D9D5325DF707E7837C91FB526F8A8A13BAA8ACD66BD0727AF20B1FA
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\jdwp.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	164416
Entropy (8bit):	6.770236513857503
Encrypted:	false
MD5:	4612C44E5DFF2F46220B33FA385DB681
SHA1:	7FCD70F589D1B1DAC2A85D105C521578688F426B
SHA-256:	A8F53E3FFFE097EAA3737E8FD67AB8C113BF588AF4C67CEC82CE2DF7B1AD03F5
SHA-512:	BD6117C1234377824D65615D63FE96BC79709B54BF65C4B9BD9C5F1BEC878A33277C5C1FECFBC84D2496CF9776B4650278A628E01A6815876147D8BF42A9C7C7
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\jfr.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	22592
Entropy (8bit):	6.6179891152565515
Encrypted:	false
MD5:	06F8890A926E2A27CEA332CB2AFAEB4D
SHA1:	BA71200957901BE2B3CF66EB98E0C44B3B0F7C4E
SHA-256:	97F457160B38194D58D1F4ED221250196B0F8B00A45CDF916A5F684D97977D77
SHA-512:	2F8093405FA8A04A4D1ADF1BB4EAA7591B3A8FA68B76DCBF5E61D790F5CE6D7782B1CFB2AF4DC2D3B655FC945EF218D4F1D541EFA95D3579A6A3357558A345EE
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\jfxmedia.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	115264
Entropy (8bit):	6.587627783232986
Encrypted:	false
MD5:	20898BCAB8A90CD05CFA4ECC9EE87F20
SHA1:	F1D947F7DF7A03937ADE67116C7EA59D5C863F85
SHA-256:	8CBF394609F33E4849F80FA84E188BDEA989ECF2F6AE4FB31ED7DA8EF766109A
SHA-512:	D7CF87663B26E90D1D6A1F7D4E70F5EF10EE8944CB70E65C7EE24AF707AECD0F0A557B5EE36CDA57D0081741D01A5C20036FFA8B01C6149D07CCC2F720CA8090
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\jfxwebkit.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (console) Intel 80386, for MS Windows
Size (bytes):	35288640
Entropy (8bit):	6.484770382051146
Encrypted:	false
MD5:	2F887E137FFDAE75E05FFC8493D9E9A9
SHA1:	48F00FFE87C415EF199C67E846EA795AD6884690
SHA-256:	8DCC729BF67F45F3263BF8F0CED788C70964F92804F722DC0FD9424480B80E80
SHA-512:	D7CF01FD72BC28CB0B3952AB81DFC7F54CF0E5C5C7A9325C1FFE3B93576A0C1E6423AD8FAEFD9EB00E4978B2AE700ED30FB24925B76F3DDEE9894F88416B4519
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\jjs.exe
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Size (bytes):	15936
Entropy (8bit):	6.47512527298272
Encrypted:	false
MD5:	CAB86D9777A5BAE24260BADA7BFD7734
SHA1:	4DA8E5C6F6D471DFB597A0CB39D1185B4B331B46
SHA-256:	A520BD930878358351E397E9C79875D4372777D4D98A3578E6A4F57D2E7989D6
SHA-512:	8607ABAA8C519CB93CC26969FF83C87E6256FF41A0D2561FB595A2FB0D4FC7123D1063209F667DA67DBB5BF099502A1D2C0E3FDB714C3C7B85AF6F0F05B9EDB8
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\jli.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	158784
Entropy (8bit):	6.813969953702622
Encrypted:	false
MD5:	A4BF434F81D124550AC1534074619860
SHA1:	EEBCFA536EB592F33A1F0CE637D171D8BC5ED24A
SHA-256:	8D2980EDAB1C9D141E0BF56E86260A8CE166231526138F1B2A6D54646DE1F641
SHA-512:	8D437A0085EE97EE2DFD6D690DBE37EA43869DD396EB7DAC56951282B0327BBDF433032F6B3C0CF1CFC024B49BB25810D0D5556017EDB4BFD496E2D3CD11E8D5
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\jp2iexp.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	207936
Entropy (8bit):	6.6342296942822365
Encrypted:	false
MD5:	76092ED75EF7537C980F4061DA4EF526
SHA1:	F345654DCD738505F7B8CA36C4B7B4B7F53AEC6D
SHA-256:	6BDD0121FF4FA58DC8BFF919498D1ADA72D280BE12DDC326F3FD4ECA65DAE3B7
SHA-512:	4CCBEE9DFF50785BF467247C9C3CD2CF0A1883DADEE161114498F4025C772724CBAAD5071A6B6B464DFF8AFF9B650C4DEB6B6E36E35F0B1CE47AEBA1EFC670D7
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\jp2launcher.exe
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Size (bytes):	83520
Entropy (8bit):	6.593510872214992
Encrypted:	false
MD5:	D177BE7DDDEFE690AB25337A61D782E8
SHA1:	A93DD5BC6F27512C01A9A12B4130C3078F6EDBA6
SHA-256:	243A92432FBEEB4F1FD13B21F9176A144A3ED23786B639CF32B84D4C3F5E6D68
SHA-512:	CBBC64EDF57372A8AC7B493D27ABEB71D5C1F58C1E5F013E3C59DAA4672912A1C3A944375A9A1B1D325168A98E987EEE0D603B51694CE3D872EB68C08986D068
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\jp2native.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	19008
Entropy (8bit):	6.369794628062459
Encrypted:	false
MD5:	553F82918D23FB2EACFD0651146EE0FB
SHA1:	98D9E48E43AD563DA56BFD44ABE542FFCA1A8944
SHA-256:	8A4FC5083E36199E48EBAC4C9F4C78F4D7A1F10ABD9C6EC0D860FA7CA87FC388
SHA-512:	7330370FD4E300A9C904381306E3569323FC1E8F89914DA41D365E3007233923B33348E123F7DA7454A1BB9AD173541A061EE18C6D0794D5CCD30EA86CF4A5E5
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\jp2ssv.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	187968
Entropy (8bit):	6.591867611540658
Encrypted:	false
MD5:	F5D5DB54AA0759BD44483BE7D73F2E20
SHA1:	095B5AABCC1FB090DE76B0E01ABDC5D52E4089F6
SHA-256:	C3BC60DF5A15D2734E9A20264F779593629616101343F9CC57C0BF7C6F070E86
SHA-512:	5D1601C186BBD38E12A658DA2C9BF2FCA926D7DEEFE308784FFED433DAD723383859F0E597AB3B4CFB65AA98056E9D35DF581029DDCBBD900F0ABB4932CB4A8D
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\jpeg.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	146496
Entropy (8bit):	6.688297685591422
Encrypted:	false
MD5:	AB07F6E6C78711E8BAD3F9CA0D270B77
SHA1:	4FBA643A16D277AA8F28F3B2B6225D49D095C25C
SHA-256:	ABBE40F1DA7AB2758767BFCA9A9F5A34B63BFA2E27CCAD0F909C0CB2ED8B051D
SHA-512:	32A294AEFF0A8D0203B770B0EA2BB57E33091E3D35E4C94B5C8D00F41802A5D01D31CE67418E30ACF80FD782EAAC073A766C9F56D164303CB499D1EC34872E29
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\jsdt.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	16448
Entropy (8bit):	6.486079089888067
Encrypted:	false
MD5:	0C3D8C106BCF1A49B8C3C2FF8DFD08BC
SHA1:	243EDE5B6F736D3B07CF393B4574795A193C1F35
SHA-256:	35AFB528499149CD7FE49EBCF69AC497A7D07BC121B298BEDBF134AD1D7A043B
SHA-512:	991D45C758AF3B0C3826F4C16EF3AB9B648B17BB804FC44B2FEAA20DCEE0088B67BF76C24437F4FBBAE22D6FFC937FA75BF1F3B696D3C2C0B10294E3BE92D440
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\jsound.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	30784
Entropy (8bit):	6.612152278236012
Encrypted:	false
MD5:	A9DCF9FE42642250F6E067A607D060E7
SHA1:	E92A4F3A9D57F73B015DFACE57D9EA3BC45FD374
SHA-256:	54A194738714E2E4A50FC94A14860FBD398701EEE1286E46E4FADA63B2838575
SHA-512:	FFFA479AC136B0CF026DC0EDC66B33A93C3A528C3BE6D8411827E94AC7400B8C1DFDA4E115ECBE5C72900DA1652CAECC88DF1FFC10708B61DD0B93D26A51B55A
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\jsoundds.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	27712
Entropy (8bit):	6.624029816165256
Encrypted:	false
MD5:	DC8A963DB5C89E2954AD966310BD4755
SHA1:	A9D387E5BF618AB5723FE1BA29CCE02DC975EB0D
SHA-256:	E29E73E0D8B40C04F4F0E5E6B90F8E1141FC46754CA75F53163CD7B84E1BE876
SHA-512:	F085540570A47469AE6ECE9F7EEAA30490846A1052F9042989C330ACA696015E847C9655EAC60F4FC72F7D1D279CB816616C15100EAACD2DFC01EA9A7C529A16
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\kcms.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	178240
Entropy (8bit):	6.802025101537247
Encrypted:	false
MD5:	C9E5CBCDFB71FEAF43A238F7F7EC7A7E
SHA1:	C0BFD007FB988AF2F607A0D2F6C0A857A16AB41F
SHA-256:	B21C5590113B1E32ACA24F54A76846ED37654B10B3D74259F113C6BB22AFB339
SHA-512:	52B720AC2FC9676BD0C02D6A4BC79DB81465E03B6562B9AC1838E62156DF93C653FCA0D51CA93E4BDF691EBB0F87F923D9A3968075A82B038EFA8374682F8524
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\keytool.exe
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Size (bytes):	15936
Entropy (8bit):	6.477147889403365
Encrypted:	false
MD5:	1367A5A47F7B8544CC10AE598B54848D
SHA1:	6F2C53644FA3D9233142F8676A89614C63B39C0C
SHA-256:	D4002E99436B8D80150125D48C07E3C3999B148FC67AED4B07F522A1DF57E60F
SHA-512:	6B1BCF0303581BB278DCD66977548B1DCE03D7B3A007A46D1B76D9383EC2B2F5067221F50CD3B2696B4C402BC9F2E2FDAE758866E72A90E0221A95C1F033CE6C
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\kinit.exe
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Size (bytes):	15936
Entropy (8bit):	6.4805870882577885
Encrypted:	false
MD5:	33D1B36F045A4FB4684443862384AFE1
SHA1:	A486191259DFB9DD4FB1DCA90F84227405901FFE
SHA-256:	2C9EB226D9703526A2C8F0AFEA6809EE350EB1329A4C79578C4F1F43500BFC67
SHA-512:	13EF2472F189EEF23E51A8A6A264DD8E60997F91F8D2A284D111FD0168FAAE36A0171DAAB689AD6D7E60B980A096865800302FE89D16109E8F85BE64993AE499
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\klist.exe
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Size (bytes):	15936
Entropy (8bit):	6.476218431007862
Encrypted:	false
MD5:	848108639577F8A9E92D65BD8DAD8002
SHA1:	1EB9369A7A4429915DFA0D696C73D36B5D062F05
SHA-256:	0204BE3C3233982C4E153E591FC6518E90FE175D24A5ECD169E1B023CD30CDBF
SHA-512:	611CB8E5ED46E87D3511C52A79145E4D86337273F9FC27705FB14800B654BEDC3E841F5B05598D296335AED0A1B5E3BE50A0C3BDC3B744F9F1EF2992A61319A9
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\ktab.exe
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Size (bytes):	15936
Entropy (8bit):	6.476944979866337
Encrypted:	false
MD5:	36427ED304FF33EA65013D62B9EA1A3C
SHA1:	F88E0FC4C736DBF2E1F95540268297AC9E5F565E
SHA-256:	5A033A4DC40AF72297AD5CEE78410C47D7A93EF11D1E586D3FBCA5B8ED1ABF78
SHA-512:	CC46DF64864B66BEB9494CDFFA0EAE0A546AA8C5B4A5B403A1D94C47A3279AF12FD9A730BD5BF0A4EC1737881AD74FD42CD08ABCAE3C6B83979B1F388029584D
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\lcms.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	185920
Entropy (8bit):	6.52609674633645
Encrypted:	false
MD5:	AE2D4509685C53670529E2601A617447
SHA1:	BE248E49E3E60CDE3A431A865841A0E53654474D
SHA-256:	05429D52F3C3381196835BBD095AE6891D8CE4F45FF262B1C12CDF154498027A
SHA-512:	F8779EC3640469AD3A6AD069B2D2006718428A4DCC84A4EBD3996A8E020164C264AEF9E31DB92C8B8EF51BD71CFB62AF7240096ACBFC32420F55CE6715511D81
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\management.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	33344
Entropy (8bit):	6.5540410395409445
Encrypted:	false
MD5:	C0B59E928DC2AD32CCC24E01983824E6
SHA1:	62B8050F8E3A15BBD0D0E8C0FF6D223B1E3BBEDA
SHA-256:	0BF2932C78BC8C491C4A40EC5E13C5993CF2299E2CCFFA5A918870A2AA2B21C4
SHA-512:	DED673794254F5A0973C3DC7B4C9B34C46EE57DABB5C4EB7AF66F5BCFD6399D26A343B4F8476B4449EADA422E8CECF022DC4EE07663B023407B5E606347CD218
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\mlib_image.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	574528
Entropy (8bit):	6.5008298698761005
Encrypted:	false
MD5:	C3CF8BC8EE8B0B3274BC44C492EAE175
SHA1:	5B2E36A49A342B2CD969B8BDF0EC220E9254B90C
SHA-256:	0984FA8EAEFF2B7036B4D81865D7360B8831F194387D37DC05CB5C79EEB74530
SHA-512:	6DFAE7B1420183442F43746DC6A15AE6B5241019BDB7050B2F65F05FA26A8CEFE3F1D3C1FA5DE932C96E98E84FD626698645DAD635BD87FF7F43804A91656921
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\msvcp120.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	455328
Entropy (8bit):	6.698367093574995
Encrypted:	false
MD5:	FD5CABBE52272BD76007B68186EBAF00
SHA1:	EFD1E306C1092C17F6944CC6BF9A1BFAD4D14613
SHA-256:	87C42CA155473E4E71857D03497C8CBC28FA8FF7F2C8D72E8A1F39B71078F608
SHA-512:	1563C8257D85274267089CD4AEAC0884A2A300FF17F84BDB64D567300543AA9CD57101D8408D0077B01A600DDF2E804F7890902C2590AF103D2C53FF03D9E4A5
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\msvcr100.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	773968
Entropy (8bit):	6.901569696995592
Encrypted:	false
MD5:	BF38660A9125935658CFA3E53FDC7D65
SHA1:	0B51FB415EC89848F339F8989D323BEA722BFD70
SHA-256:	60C06E0FA4449314DA3A0A87C1A9D9577DF99226F943637E06F61188E5862EFA
SHA-512:	25F521FFE25A950D0F1A4DE63B04CB62E2A3B0E72E7405799586913208BF8F8FA52AA34E96A9CC6EE47AFCD41870F3AA0CD8289C53461D1B6E792D19B750C9A1
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\msvcr120.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	970912
Entropy (8bit):	6.964973595202952
Encrypted:	false
MD5:	034CCADC1C073E4216E9466B720F9849
SHA1:	F19E9D8317161EDC7D3E963CC0FC46BD5E4A55A1
SHA-256:	86E39B5995AF0E042FCDAA85FE2AEFD7C9DDC7AD65E6327BD5E7058BC3AB615F
SHA-512:	5F11EF92D936669EE834A5CEF5C7D0E7703BF05D03DC4F09B9DCFE048D7D5ADFAAB6A9C7F42E8080A5E9AAD44A35F39F3940D5CCA20623D9CAFE373C635570F7
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\net.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	80960
Entropy (8bit):	6.662252106566704
Encrypted:	false
MD5:	66C6483BF25BA52E777A61668AF5B5B0
SHA1:	B77F4E300E3BCF438314C0899BE505433A6A13D7
SHA-256:	9DB02E65B31731890E91C89015AFAF3028F0180E81BEB0587AFC8E25F96A2CFE
SHA-512:	83C4C2077DB23D83AE1B9431383EE59229E312BC8B02C9D41297E2DA86E40CC7333FF0BA99723A4808690249594967E78497911F664264BE502407C53388FCD3
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\nio.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	51264
Entropy (8bit):	6.560514577586435
Encrypted:	false
MD5:	86191ACCBC6A7A5E93B9D351D708FD96
SHA1:	AC654A92DC9A2B85F1C977A5DA7C825EA877DB45
SHA-256:	B021F80914922D288E90C1227F23706C56304BC19617CAD161F52DF8B16AC78F
SHA-512:	E0EB667B8D558477B031F16B772BFEEEEC1A378D373EBE098BAACFCDB967E99EBC0FB8F9AA998158A5312583BB587EDD8C03771C00C4BB2175180218BAEFDBA9
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\npt.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	17472
Entropy (8bit):	6.391798255817663
Encrypted:	false
MD5:	E32F8E45124C0A34E4AD5EEFD44AC269
SHA1:	FB209477BA5E84507D971470C1FE8C27332AC6B4
SHA-256:	C918D1D4D80195199FD6EC715AEDCE60B9AFCC8BCA9EA9B05374C4A3923E8C13
SHA-512:	5250F325743F7081C2DE80ACCA51F372A0BF2085F6FDBC31C1659BD0270C13ADFEEA218ACF447D6984BD14C93E392E8515AA7DB6D01EB19738AA8D3445445D34
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\orbd.exe
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Size (bytes):	16448
Entropy (8bit):	6.382460682584046
Encrypted:	false
MD5:	570589239778B28F9F852CE9C39A6C17
SHA1:	233ADF699B5718E707FB5D8D277A13FAF5F61D18
SHA-256:	94629E27E36545D63F99D0A2F693615D3019CA8698D84F1ACB37AC3231BA90EE
SHA-512:	A619E1ECCDD61DB4F485104472AC98F25996206EF90578FF0EF1A402A641CB2CD761337D5FB165F18430AF23734E4510365BECC238F7BF19979AF22A76400274
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\pack200.exe
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Size (bytes):	15936
Entropy (8bit):	6.475316094067641
Encrypted:	false
MD5:	BFF3678F64E6F05FD9EAE34DB6774182
SHA1:	CCF64EF5C016C736F436E626C3D217AC17D9656C
SHA-256:	50840562C60F3AEE500A7DAA3B542ACDF3BDA5FA7DE271DB3A9E041B4012527A
SHA-512:	5D5FA5402A7A55D3A3954479B88E5A2E625129D0E1DBCAF566CF3B6C545B8FA2279609DB217111BBCC9643BFA183C0CE1482DB112AF186CEDC504AB07C681851
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\plugin2\msvcr100.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	773968
Entropy (8bit):	6.901569696995592
Encrypted:	false
MD5:	BF38660A9125935658CFA3E53FDC7D65
SHA1:	0B51FB415EC89848F339F8989D323BEA722BFD70
SHA-256:	60C06E0FA4449314DA3A0A87C1A9D9577DF99226F943637E06F61188E5862EFA
SHA-512:	25F521FFE25A950D0F1A4DE63B04CB62E2A3B0E72E7405799586913208BF8F8FA52AA34E96A9CC6EE47AFCD41870F3AA0CD8289C53461D1B6E792D19B750C9A1
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\plugin2\npjp2.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	172608
Entropy (8bit):	6.375706864548466
Encrypted:	false
MD5:	705BF3208D9C466EA0FC958F6E863190
SHA1:	D4A6164F0D32029060A9FBF3566ABD1D9B0496A2
SHA-256:	CBCDA66917659D9BFABF14AD08870B50B9C06E8B78B0A02779562CB49B13AF81
SHA-512:	40E5EE6BD19003B982EA32B0C3A7DDBB60DA36AE013649EDCC11E4B339F70DF71822155ACB8C28DA889475A9BD97C30BC9CFADE4F9B84AF33D46875ADB08AA47
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\policytool.exe
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Size (bytes):	15936
Entropy (8bit):	6.474526479530733
Encrypted:	false
MD5:	1409211DDDFFCD5E1BB30A94E52ECECC
SHA1:	95E417FCCD771A7B2DB28FC7EB58BB9B27E77550
SHA-256:	D138E3768667F3A3FD61A728DE1384333C3E1A984181C7C8D922FBC5426F7CEF
SHA-512:	C93190BCA0CC5CB13A423E0D59B482FC2DB203F0B0EAAC8E0D17AE37FCE328298F2BEB18675793DF47D3AF452570C8A5A97C378056D409D89D18B9A5B7E12270
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\prism_common.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	52800
Entropy (8bit):	6.440512013102939
Encrypted:	false
MD5:	3D9AFCB8CFCA4D0E673E5356EBC6EB88
SHA1:	29A8C52698B4AC9EEA5497857C0C7F9BED8C6F61
SHA-256:	63E426BEB5252B3362753FB8ED2178D11C830B07F9CBBA65389358CBECE8E04B
SHA-512:	12EBED6E2E36AA251E4D4C7E893BE7C3D89946E25DB87D39C70C1EE66815FB5CF14EFC6E5AF0E5FDA726AA7637A8308A965540AA18AAC2D96D26590052C1E945
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\prism_d3d.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	116288
Entropy (8bit):	5.787108722715297
Encrypted:	false
MD5:	CE900EC3179E234181A3B861F62B9AD1
SHA1:	AFD1CF646B52C70C0E37404A568D79FB8127F57A
SHA-256:	0451E057A7A878CF3E66250CBCC934A916011844B05C020541152F816EBD5260
SHA-512:	B84E4D0FDDD9BA5D3E627AA806C37BDBCF694F6AC8DB5AECCAD09AD3F4D45338F71532ACEE8CFF794E34242BBDB256EFD764BBB951257F3410A9CF870DEED4D2
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\prism_sw.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	86592
Entropy (8bit):	6.688334670805164
Encrypted:	false
MD5:	3A7326B142EA84F83F652F379554D92D
SHA1:	97A09DDC9AFC946570F0F7F9E48439BDDF4A738E
SHA-256:	DF72B4ABA4B9DF9A4823240971DCAD9C2AA2F6597ECD5AA24FEAC16B8D03B56C
SHA-512:	2AA44F54DAD8335FE24221ABD8AB2EB09DEDBC5DDDAB07D0D053CD856256BF1CC8E2B864FE3B5219799D799DA5ABAF6EF140A9DD4C00E4702F2F7F1E2DA42762
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\resource.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	14912
Entropy (8bit):	6.388707467858644
Encrypted:	false
MD5:	34478950065CC88D1F755CD3FCC054A1
SHA1:	2F455601812FCDC5FCBFC252958E78A26FB195AB
SHA-256:	B140EB8BBB6289E4E7DA60F39093343DF07B164E7F1E1C56A87278449329FE85
SHA-512:	B7DA79EEB70F2493F3821C9B0B6ECC3CE26D249CB2FF32CF98316F1F0590E421C08FFA8419453843472DE3BF88684DBC00C76146C1CC89E172F242AEA4D52AF8
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\rmid.exe
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Size (bytes):	15936
Entropy (8bit):	6.473246106820955
Encrypted:	false
MD5:	AC9F4E46CE4CD4DA855993148ACB9CEE
SHA1:	33A22C8701AB63912D3A7CF5B26705F94BAF6228
SHA-256:	92F9C473720E8CDC882FF992078A47CFFB6554090249EFA10AAC3D4D2D5A63CF
SHA-512:	5792129449917C717D9B856853C0DE98FAA36E3CC56E9C8FA38D1CB13F76E6F928126043577AA49F30C72E55921A45BB63286FCE1DBFA1612E3D698E65277477
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\rmiregistry.exe
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Size (bytes):	15936
Entropy (8bit):	6.474740442753843
Encrypted:	false
MD5:	B04F535E96959E17F68A80D2866832C0
SHA1:	1C62C63D19D3261A3F0F06CFF184E7A6C83559CB
SHA-256:	929C96017DFA0833225C1FE531AAE0863A6FBD5232C0D8032F2ECD146F22695E
SHA-512:	C55A610EAAA7AD35B376FC3880607711E8642F7E2DC880A8C2C0A4F00E091F11E8905C4183392FE594E874F138F404EA1050019E44C844D80A9597FEA960F89A
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\servertool.exe
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Size (bytes):	15936
Entropy (8bit):	6.473498672800834
Encrypted:	false
MD5:	6CBB22C96E6A6398682428537F46D9AA
SHA1:	08C85B0C7C09BC9A5088D1B68A6B8E6F05B72154
SHA-256:	898D17A781B1A0C433EDF9DE1459988477C91C3E8AAB5B6B888E922D50EAF5A8
SHA-512:	4FBDCFEFE36EA92AC5BC727709FD628DD31BE420A13E0C52B3692D693EC2233AECA0D5534DB5ECA74E6845A7B5445D36808BA560CA52D4501783FE1C362AB91A
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\splashscreen.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	172608
Entropy (8bit):	6.8870074345995835
Encrypted:	false
MD5:	59CCC6C221B601976D52992892677792
SHA1:	5A2E10F5EF2A4AD8624D876326E4251EB424AD02
SHA-256:	42247ACC44529F8C5B018F6492B8DED0374CCB79D64B7B0EA24F13D714C709A8
SHA-512:	5C80D9E94314F2161CC7A04EFF108AE766CAD3196C1ADFCA8268EE7D183009B3070FB7FE9B10D02FA8FB9CEBE444F4E2390B3AA9E7852121057FFEFACA5676F2
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\ssv.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	473664
Entropy (8bit):	5.524434973278149
Encrypted:	false
MD5:	BD4371D3E2BEC0E53D92DB35F1718B3D
SHA1:	0CA1AE40DB99DA7F06904927266077C878DF281D
SHA-256:	BE636A680F0E47499E27BDA6A1740899355342DC67106D8019EEA79E3DAAB3E4
SHA-512:	FB07E913F85DFEEE2063A6898EC6045BDA4ECAC052C7BD40890C9ADC2A46B1B5526D0A5900446644DF1932BEA2F3C81A38819C8198F7E1D2DFEBE00770697F16
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\ssvagent.exe
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (GUI) Intel 80386, for MS Windows
Size (bytes):	53312
Entropy (8bit):	6.37123457050816
Encrypted:	false
MD5:	0953A0264879FD1E655B75B63B9083B7
SHA1:	4F99FFA90E907154C41BB29EFC64EBC55FFD62F6
SHA-256:	AEA64C1FDF831BE78548F730E1A968109C16502B36339B7193D5ED9290E12A9A
SHA-512:	26FBA4D18A2FE47DAEE48B34B8E83AAABD5B016A15284D119473EEB285362E5E460CC9DE07265BDB1389C907140D3FBED20A0A9BA44335AEA2A64B45C29C775A
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\sunec.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	124480
Entropy (8bit):	6.723633638404497
Encrypted:	false
MD5:	CE59E7C4785D24648B9A18283786ED69
SHA1:	62B2EC58F57BD55373FE3E38DE1A43AB4BFBB6D0
SHA-256:	E6E60A61E9A234DC5E43FFF69819E60177B6E7FEF944F90BF70B71814751E12D
SHA-512:	D731E818D05F7C61E57AD6A9A55943AAD8652450EBE0FAD6932062C9065E802D09862C52473F272FF6D18162A299A4997AD5475815CB34726BB2860E8302C22D
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\sunmscapi.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	25664
Entropy (8bit):	6.535701887135711
Encrypted:	false
MD5:	F1B1650E37BE20620B8965FDA8A46D31
SHA1:	DDDA43BE6E11CFA4CA9F622EF0AA0D37DCFDD453
SHA-256:	C5A9CCD62BCBC32B15124E55B2E0F261F832B272B417659612FDDAE50130789E
SHA-512:	583EC532CFD8604F49DDCE40B4905C34E5A31ABAFE841F32F801140CA7D063A93DF20884736D407EC86F9AE434F06D58AFCCDB2D25D8DCB9493C168DB5787F40
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\t2k.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	195136
Entropy (8bit):	6.810118270104807
Encrypted:	false
MD5:	8C2C86D734FBB74BCFA007D5157E43A7
SHA1:	70807C74CC35AF544398987A172149A115F07335
SHA-256:	C427B9641CBF56521D1DD28D6D4AC3DDBE3D97913FA79A5F70D4F39A048C510D
SHA-512:	521455A3F7624D56B16CC964DF4D3C8725754B16299B16E6B7CC9FA56EB9B5D800978B4964782163E4252B1AD644193D8F711C03E2618DC1664F843E7D706E2C
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\tnameserv.exe
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Size (bytes):	16448
Entropy (8bit):	6.387812058951438
Encrypted:	false
MD5:	BD2E700AB5082D85B61D0341F9BB8691
SHA1:	E4E767ED8D813090752C4EDBFA4E3C069986DC1C
SHA-256:	B30FEB46909131DDE043116BFF14131C762E74A79588268C75024B5DF67C1757
SHA-512:	0204A2045ACF6052BE7B780F1E1A414DE5FD1F2179B5BEB8C2073202531182C50C1C16D0D176C7521E96D7047DF4BB45C5BB2FB272D9C929DAACCA95EBA057D1
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\unpack.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	65600
Entropy (8bit):	6.465446609181315
Encrypted:	false
MD5:	E6B031C2097F849C48C4EB7C7D0027DF
SHA1:	EFEE8DEA79B42E08A7C9B9CA2617F8C86A771AAC
SHA-256:	D4802F4C6251ABF6C034AD7DE7538BDB7EBBF86D87110FB760761D7C91E1F81F
SHA-512:	0F15A0637518CD624ACF2FF2EA38FB0A31341648706036D867F1785FD7414D0A6F5C107AA679E975BD5AABE8A909CCE4AF4D02C6BC33B6CFDDD7CB30FA4F6D54
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\unpack200.exe
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (console) Intel 80386, for MS Windows
Size (bytes):	159296
Entropy (8bit):	6.026169462502375
Encrypted:	false
MD5:	E55FB75F64D7723BA0630B52396D03A6
SHA1:	617DBDB3607F5423DEEE728621284F27F5B69E73
SHA-256:	D0F820C6B941DEE4CDABE6070C913D3BCF9CC750C50A2741815D549E871C610D
SHA-512:	1E765915C6208A9ED5599CAD47BBA11154D6DC6031791DB00AB5F478528CFE03404C4AC942D9F80B714E179B0D2319DA73BFA2A313B0FE178312DCBE92AF84F3
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\verify.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	39488
Entropy (8bit):	6.768256744125568
Encrypted:	false
MD5:	2F45BAB42DCC4A830FD30E457B3A30E8
SHA1:	A2821F73D81CA97FF51BA5B2771F09561355086B
SHA-256:	02E2D0951788C50F7CA8BFB0A719178AAF2B8B67629555A4EF542AA28D6EE62F
SHA-512:	7E4534ECD5681A7C56B1D47CCD77E73E6D47AFF5390A2A3B1AA6DC4ABE1148F331E4BFCE52A29A6A04BD26B5291DC4B2442FBEFB9AC3FEE566EB79F11A88B17B
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\w2k_lsa_auth.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	21568
Entropy (8bit):	6.492511421201272
Encrypted:	false
MD5:	4D9F8A7D1EE7C5E5A709D0FE4FC5118F
SHA1:	500D3166F42005DF502F91C8A7767663CBC67EC6
SHA-256:	EB282D9031BA6352258F7FDE377B0DDD60CC2A5738C3FB3F8A1DE2F8B120231C
SHA-512:	E45B36F9CDF54F8B390DCDA0C53F104D4BB65FB3F541CF671AF69ECF015BC880C7EB0993D0AA53AAD28D7C2E7E7DF6CEF505F274336FA977C4298FF60AB5B8F7
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\wsdetect.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	163904
Entropy (8bit):	6.523891863837923
Encrypted:	false
MD5:	C48B3B8BA057973E0286CA824FDD1D7F
SHA1:	23EFC3584F0A6C683FFA617D7FC9A5F7A275D633
SHA-256:	DCAE55A82936EF90837D3FE52932FAC70588E1F5693FFB963ED51852ACC52C20
SHA-512:	BF761E6E5CB0658768E28BA6B493B1499C2049FACE08D6797D8397CB61A08CE4B3E8078DBCF01D8C2AEFD3F7C540C7D66182AB6E03822906432B3E99297B5B70
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\bin\zip.dll
Process:	C:\Windows\System32\xcopy.exe
File Type:	PE32 executable (DLL) (GUI) Intel 80386, for MS Windows
Size (bytes):	69696
Entropy (8bit):	6.9019335811402085
Encrypted:	false
MD5:	5027E34576336A23C1CF4F453960D671
SHA1:	40BA0778C947573E3898F5B9AF26A6A326B23190
SHA-256:	8BE9D547FD06A1363A8753786118B2FF03DD3D9F7DFD7E80DA60F54003750BB7
SHA-512:	CD519928488958EDBE3D3A4CCC2147E8306F4D48BA1BB1723840FF6B81AF9A7D91EE95989007601CE84C4DC7492AAE07ABCE65F9F7DC3F2F3A668ED83EBCBB61
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\accessibility.properties
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text
Size (bytes):	149
Entropy (8bit):	4.5583760292766256
Encrypted:	false
MD5:	2ED483DF31645D3D00C625C00C1E5A14
SHA1:	27C9B302D2D47AAE04FC1F4EF9127A2835A77853
SHA-256:	68EF2F3C6D7636E39C6626ED1BD700E3A6B796C25A9E5FECA4533ABFACD61CDF
SHA-512:	4BF6D06F2CEAF070DF4BD734370DEF74A6DD545FD40EFD64A948E1422470EF39E37A4909FEEB8F0731D5BADB3DD9086E96DACE6BDCA7BBD3078E8383B16894DA
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\calendars.properties
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text
Size (bytes):	1378
Entropy (8bit):	5.180680535922269
Encrypted:	false
MD5:	40A6F317D17705B4D0241F4EBB45962D
SHA1:	42EBB0988124433B8F2A6E5D9A74ED41240BCFC6
SHA-256:	D93FB6D3451D1B82256B0E31AAE7850152FA5DF76F116A9D669AA4ACE6BB68B4
SHA-512:	E4C95F8F1354833F440672C0761CE1B4895DAA52E7F143A110533F978CC6C094847AEB66636EFA6DE74B0E900FBBE79A3CC21280C4063627CE8D259068084A3A
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\charsets.jar
Process:	C:\Windows\System32\xcopy.exe
File Type:	Java Jar file data (zip)
Size (bytes):	3036922
Entropy (8bit):	6.609469278227629
Encrypted:	false
MD5:	71A9DA9BDDB48DF2187E0AC057BC5AF4
SHA1:	2EDCCA356704CC44EB747BCD49D915E099531025
SHA-256:	68E572F60C1046D7304F4690F411119B6F0257009EA6678F72031C6B8D9FFEAB
SHA-512:	B03B3256394C0D37AC3F32A13713476A7D3851E937290E23CEAF63E65E9770C5D87355428799C03075C4410D7B86FDF719B92CFAC1814D5E80E3B0EA1D4217FE
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\classlist
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	84355
Entropy (8bit):	4.927199323446014
Encrypted:	false
MD5:	7FC71A62D85CCF12996680A4080AA44E
SHA1:	199DCCAA94E9129A3649A09F8667B552803E1D0E
SHA-256:	01FE24232D0DBEFE339F88C44A3FD3D99FF0E17AE03926CCF90B835332F5F89C
SHA-512:	B0B9B486223CF79CCF9346AAF5C1CA0F9588247A00C826AA9F3D366B7E2EF905AF4D179787DCB02B32870500FD63899538CF6FAFCDD9B573799B255F658CEB1D
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\cmm\CIEXYZ.pf
Process:	C:\Windows\System32\xcopy.exe
File Type:	Sun KCMS ICC Profile
Size (bytes):	51236
Entropy (8bit):	7.226972359973779
Encrypted:	false
MD5:	10F23396E21454E6BDFB0DB2D124DB85
SHA1:	B7779924C70554647B87C2A86159CA7781E929F8
SHA-256:	207D748A76C10E5FA10EC7D0494E31AB72F2BACAB591371F2E9653961321FE9C
SHA-512:	F5C5F9FC3C4A940D684297493902FD46F6AA5248D2B74914CA5A688F0BAD682831F6060E2264326D2ECB1F3544831EB1FA029499D1500EA4BFE3B97567FE8444
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\cmm\GRAY.pf
Process:	C:\Windows\System32\xcopy.exe
File Type:	Sun KCMS ICC Profile
Size (bytes):	632
Entropy (8bit):	3.7843698642539247
Encrypted:	false
MD5:	1002F18FC4916F83E0FC7E33DCC1FA09
SHA1:	27F93961D66B8230D0CDB8B166BC8B4153D5BC2D
SHA-256:	081CAAC386D968ADD4C2D722776E259380DCF78A306E14CC790B040AB876D424
SHA-512:	334D932D395B46DFC619576B391F2ADC2617E345AFF032B592C25E333E853735DA8B286EF7542EB19059CDE8215CDCEA147A3419ED56BDD6006CA9918D0618E1
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\cmm\LINEAR_RGB.pf
Process:	C:\Windows\System32\xcopy.exe
File Type:	ICC Profile
Size (bytes):	1044
Entropy (8bit):	6.510788634170065
Encrypted:	false
MD5:	A387B65159C9887265BABDEF9CA8DAE5
SHA1:	7913274C2F73BAFCF888F09FF60990B100214EDE
SHA-256:	712036AA1951427D42E3E190E714F420CA8C2DD97EF01FCD0675EE54B920DB46
SHA-512:	359D9B57215855F6794E47026C06036B93710998205D0817C6E602B2A24DAEB92537C388F129407461FC60180198F02A236AEB349A17430ED7AC85A1E5F71350
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\cmm\PYCC.pf
Process:	C:\Windows\System32\xcopy.exe
File Type:	Sun KCMS ICC Profile
Size (bytes):	274474
Entropy (8bit):	7.84329081962271
Encrypted:	false
MD5:	24B9DEE2469F9CC8EC39D5BDB3901500
SHA1:	4F7EED05B8F0EEA7BCDC8F8F7AAEB1925CE7B144
SHA-256:	48122294B5C08C69B7FE1DB28904969DCB6EDC9AA5076E3F8768BF48B76204D0
SHA-512:	D23CE2623DE400216D249602486F21F66398B75196E80E447143D058A07438919A78AE0ED2DDF8E80D20BD70A635D51C9FB300E9F08A4751E00CD21883B88693
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\cmm\sRGB.pf
Process:	C:\Windows\System32\xcopy.exe
File Type:	Microsoft ICM Color Profile
Size (bytes):	3144
Entropy (8bit):	7.02686707094517
Encrypted:	false
MD5:	1D3FDA2EDB4A89AB60A23C5F7C7D81DD
SHA1:	9EAEA0911D89D63E39E95F2E2116EAEC7E0BB91E
SHA-256:	2B3AA1645779A9E634744FAF9B01E9102B0C9B88FD6DECED7934DF86B949AF7E
SHA-512:	16AAE81ACF757036634B40FB8B638D3EBA89A0906C7F95BD915BC3579E3BE38C7549EE4CD3F344EF0A17834FF041F875B9370230042D20B377C562952C47509B
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\content-types.properties
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text
Size (bytes):	5548
Entropy (8bit):	5.037985807321916
Encrypted:	false
MD5:	F507712B379FDC5A8D539811FAF51D02
SHA1:	82BB25303CF6835AC4B076575F27E8486DAB9511
SHA-256:	46F47B3883C7244A819AE1161113FE9D2375F881B75C9B3012D7A6B3497E030A
SHA-512:	CB3C99883336D04C42CEA9C2401E81140ECBB7FC5B8EF3301B13268A45C1AC93FD62176AB8270B91528AC8E938C7C90CC9663D8598E224794354546139965DFE
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\currency.data
Process:	C:\Windows\System32\xcopy.exe
File Type:	data
Size (bytes):	4122
Entropy (8bit):	3.2585384283455134
Encrypted:	false
MD5:	F6258230B51220609A60AA6BA70D68F3
SHA1:	B5B95DD1DDCD3A433DB14976E3B7F92664043536
SHA-256:	22458853DA2415F7775652A7F57BB6665F83A9AE9FB8BD3CF05E29AAC24C8441
SHA-512:	B2DFCFDEBF9596F2BB05F021A24335F1EB2A094DCA02B2D7DD1B7C871D5EECDA7D50DA7943B9F85EDB5E92D9BE6B6ADFD24673CE816DF3960E4D68C7F894563F
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\deploy.jar
Process:	C:\Windows\System32\xcopy.exe
File Type:	Java Jar file data (zip)
Size (bytes):	5040094
Entropy (8bit):	6.573497543849042
Encrypted:	false
MD5:	1D7AD5C5FC6A534A54DF5351FB8DAC86
SHA1:	E6A3368FE256FBE94B0E2A6786B25B4B0A975374
SHA-256:	B2E00F2AF389FDF05EBB406C410DCC5B8607233FE436DC8478BDB70704C25B89
SHA-512:	A2DF8D0B6C70E6C3607A8C8189F6E287B151F506CF847BC0D27BFEAD9959CD39D4DA87925E05DA6B51DF2341F5C1BAC402D74888CC562533A8BA864BD498D560
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\deploy\ffjcext.zip
Process:	C:\Windows\System32\xcopy.exe
File Type:	Zip archive data, at least v1.0 to extract
Size (bytes):	14156
Entropy (8bit):	5.722739852133991
Encrypted:	false
MD5:	C440DB3D4FFE81B41794241627358368
SHA1:	110FB6CEDFDE24074737E03476856B0E80ED5297
SHA-256:	27242EC49C1A972119982DB273EB718D491ED7F4C76C687436F7D40A2FFF791B
SHA-512:	FF1C0917BF2A2581AFC89A7E73A9FEA8BAB6243F1354A6F6904353F63D1CBA57D7FDDEBCFD5504D01F61C19BCCD5535092DFC73A692880B0718D67207FA374F9
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\deploy\messages.properties
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text
Size (bytes):	2860
Entropy (8bit):	4.793521742012267
Encrypted:	false
MD5:	811BAFA6F97801186910E9B1D9927FE2
SHA1:	DC52841C708E3C1EB2A044088A43396D1291BB5E
SHA-256:	926CCADAEC649F621590D1AA5E915481016564E7AB28390C8D68BDAAF4785F1F
SHA-512:	5AE9C27DCE552EA32603B2C87C1510858F86D9D10CADE691B2E54747C3602FE75DE032CF8917DCD4EE160EE4CC5BE2E708B321BB1D5CDEBFA9FE46C2F870CA7C
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\deploy\messages_de.properties
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text, with very long lines
Size (bytes):	3306
Entropy (8bit):	4.888605396125911
Encrypted:	false
MD5:	D77C3B5274B8161328AB5C78F66DD0D0
SHA1:	D989FE1B8F7904888D5102294EBEFD28D932ECDB
SHA-256:	C9399A33BB9C75345130B99D1D7CE886D9148F1936543587848C47B8540DA640
SHA-512:	696E28B6BC7E834C51AB9821D0D65D1A32F00EB15CAA732047B751288EA73D8D703D3152BF81F267147F8C1538E1BF470748DF41176392F10E622F4C7708DD92
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\deploy\messages_es.properties
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text, with very long lines
Size (bytes):	3600
Entropy (8bit):	4.745461525350421
Encrypted:	false
MD5:	6D32848BD173B9444B71922616E0645E
SHA1:	1B0334B79DB481C3A59BE6915D5118D760C97BAA
SHA-256:	BE987D93E23AB7318DB095727DEDD8461BA6D98B9409EF8FC7F5C79FA9666B84
SHA-512:	8E9E92D3229FF80761010E4878B4A33BFB9F0BD053040FE152565CFB2819467E9A92609B3786F9BDBF0D7934CF3C7D20BC3369FE1AD7D0DF7FADF561C3FDCA3C
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\deploy\messages_fr.properties
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text, with very long lines
Size (bytes):	3409
Entropy (8bit):	4.800862996269612
Encrypted:	false
MD5:	C11AB66FEDE3042EE75DFD19032C8A72
SHA1:	69BD2D03C2064F8679DE5B4E430EA61B567C69C5
SHA-256:	8DEEEC35ED29348F5755801F42675E3BF3FA7AD4B1E414ACCA283C4DA40E4D77
SHA-512:	072F8923DF111F82F482D65651758B8B4BA2486CB0EA08FB8B113F472A42A1C3BCB00DAE7D1780CF371E2C2BD955D8B66658D5EE15E548B1EEA16B312FDCBDF9
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\deploy\messages_it.properties
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text, with very long lines
Size (bytes):	3223
Entropy (8bit):	4.671266438569993
Encrypted:	false
MD5:	A81C4B0F3BF9A499429E14A881010EF6
SHA1:	DBE49949308F28540A42AE6CD2AD58AFBF615592
SHA-256:	550954F1F80FE0E73D74EB10AD529B454D5EBC626EB94A6B294D7D2ACF06F372
SHA-512:	6FED61CBCD7FE82C15C9A312ACED9D93836EBCFFAF3E13543BC9DD8B4C88400C371D2365FEEE0F1BB844A6372D4128376568A5B6FE666FD6213636FCBD8C7791
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\deploy\messages_ja.properties
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text, with very long lines
Size (bytes):	6349
Entropy (8bit):	4.575777726495054
Encrypted:	false
MD5:	B7279F1C3BA0B63806F37F6B9D33C314
SHA1:	751170A7CDEFCB1226604AC3F8196E06A04FD7AC
SHA-256:	8D499C1CB14D58E968A823E11D5B114408C010B053B3B38CFEF7EBF9FB49096F
SHA-512:	4A3BF898A36D55010C8A8F92E5A784516475BDFFFCD337D439D6DA251DDB97BCC7E26F104AC5602320019ED5C0B8DC8883B2581760AFEA9C59C74982574D164B
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\deploy\messages_ko.properties
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text, with very long lines
Size (bytes):	5712
Entropy (8bit):	4.758283080201436
Encrypted:	false
MD5:	FED33982E349F696EF21E35ED0DBBDE3
SHA1:	BF9E055B5AB138AD6D49769E2B7630B7938848D6
SHA-256:	D9C95C31B4C1092F32BDCF40D5232B31CC09FB5B68564067C1C2A5F59D3869FA
SHA-512:	88B16B7C3ACFED2FC4B1E3A14006FEF532147EB1E2930D8966E90629069462FB2E8CBF65F561E6CBC9A946F39D1866583CB02D6BB84C60C71428F489DAAA61EF
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\deploy\messages_pt_BR.properties
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text, with very long lines
Size (bytes):	3285
Entropy (8bit):	4.837889715420947
Encrypted:	false
MD5:	ED15A441A20EA85C29521A0C7C8C3097
SHA1:	24E4951743521AB9A11381C77BD0CDB1ED30F5B5
SHA-256:	4140663A49040FF191C07D2D04588402263EC2E1679A9A1A79B790A137EE7FB8
SHA-512:	BE5F0639DE6B0AC95792987D0AF83CA77495F7F49953698C8B18692DE982F77B68FE63159E8CD7537D62A71209A9FFABBECF046AD82D8341F613D39F180F9C83
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\deploy\messages_sv.properties
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text, with very long lines
Size (bytes):	3409
Entropy (8bit):	4.897253332398416
Encrypted:	false
MD5:	A6005BE45C88900A15BC80D461B60C30
SHA1:	CA3E18B5AEA928A8465656C86970D9584D85EF7F
SHA-256:	5CCEE63720FCAC2A136CF1FA90CBAC05040F89FFE8C082C2D067247BFCD76B87
SHA-512:	9442FFB47BF0F158A44A81A16B2AB94BB36FAC2F75B0C9467654AB9A8DF26A63C0C7A7717DEAF5476068BC0A0D602B828CE1E8D229CBFAAF201C24C0F78BE1F9
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\deploy\messages_zh_CN.properties
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text, with very long lines
Size (bytes):	4072
Entropy (8bit):	5.01527031899567
Encrypted:	false
MD5:	E6F84C081895ACDFD98DA0F496E1DD3D
SHA1:	1C2B96673DDDD3596890EF4FC22017D484A1F652
SHA-256:	A1752A0175F490F61E0AAD46DC6887C19711F078309062D5260E164AC844F61A
SHA-512:	D4D28780147E22678CD8E7415CACFAD533AE5AF31D74426BBE4993F05A0707E4F0F71D948093FFA1A0D6EA48310E901CD0ED1C14E2FBDF69C92462D070A9664F
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\deploy\messages_zh_HK.properties
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text, with very long lines
Size (bytes):	3752
Entropy (8bit):	5.149369030063069
Encrypted:	false
MD5:	880BAACB176553DEAB39EDBE4B74380D
SHA1:	37A57AAD121C14C25E149206179728FA62203BF0
SHA-256:	FF4A3A92BC92CB08D2C32C435810440FD264EDD63E56EFA39430E0240C835620
SHA-512:	3039315BB283198AF9090BD3D31CFAE68EE73BC2B118BBAE0B32812D4E3FD0F11CE962068D4A17B065DAB9A66EF651B9CB8404C0A2DEFCE74BB6B2D1D93646D5
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\deploy\messages_zh_TW.properties
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text, with very long lines
Size (bytes):	3752
Entropy (8bit):	5.149369030063069
Encrypted:	false
MD5:	880BAACB176553DEAB39EDBE4B74380D
SHA1:	37A57AAD121C14C25E149206179728FA62203BF0
SHA-256:	FF4A3A92BC92CB08D2C32C435810440FD264EDD63E56EFA39430E0240C835620
SHA-512:	3039315BB283198AF9090BD3D31CFAE68EE73BC2B118BBAE0B32812D4E3FD0F11CE962068D4A17B065DAB9A66EF651B9CB8404C0A2DEFCE74BB6B2D1D93646D5
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\deploy\splash.gif
Process:	C:\Windows\System32\xcopy.exe
File Type:	GIF image data, version 89a, 320 x 139
Size (bytes):	8590
Entropy (8bit):	7.91068877181633
Encrypted:	false
MD5:	249053609EAF5B17DDD42149FC24C469
SHA1:	20E7AEC75F6D036D504277542E507EB7DC24AAE8
SHA-256:	113B01304EBBF3CC729A5CA3452DDA2093BD8B3DDC2BA29E5E1C1605661F90BE
SHA-512:	9C04A20E2FA70E4BCFAC729E366A0802F6F5167EA49475C2157C8E2741C4E4B8452D14C75F67906359C12F1514F9FB7E9AF8E736392AC8434F0A5811F7DDE0CB
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\deploy\splash@2x.gif
Process:	C:\Windows\System32\xcopy.exe
File Type:	GIF image data, version 89a, 640 x 278
Size (bytes):	15276
Entropy (8bit):	7.949850025334252
Encrypted:	false
MD5:	CB81FED291361D1DD745202659857B1B
SHA1:	0AE4A5BDA2A6D628FAC51462390B503C99509FDC
SHA-256:	9DD5CCD6BDFDAAD38F7D05A14661108E629FDD207FC7776268B566F7941E1435
SHA-512:	4A383107AC2D642F4EB63EE7E7E85A8E2F63C67B41CA55EBAE56B52CECFE8A301AAF14E6536553CBC3651519DB5C10FC66588C84C9840D496F5AE980EF2ED2B9
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\deploy\splash_11-lic.gif
Process:	C:\Windows\System32\xcopy.exe
File Type:	GIF image data, version 89a, 320 x 139
Size (bytes):	7805
Entropy (8bit):	7.877495465139721
Encrypted:	false
MD5:	9E8F541E6CEBA93C12D272840CC555F8
SHA1:	8DEF364E07F40142822DF84B5BB4F50846CB5E4E
SHA-256:	C5578AC349105DE51C1E9109D22C7843AAB525C951E312700C73D5FD427281B9
SHA-512:	2AB06CAE68DEC9D92B66288466F24CC25505AF954FA038748D6F294D1CFFB72FCC7C07BA8928001D6C487D1BF71FE0AF1B1AA0F35120E5F6B1B2C209BA596CE2
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\deploy\splash_11@2x-lic.gif
Process:	C:\Windows\System32\xcopy.exe
File Type:	GIF image data, version 89a, 640 x 278
Size (bytes):	12250
Entropy (8bit):	7.901446927123525
Encrypted:	false
MD5:	3FE2013854A5BDAA488A6D7208D5DDD3
SHA1:	D2BFF9BBF7920CA743B81A0EE23B0719B4D057CA
SHA-256:	FC39D09D187739E580E47569556DE0D19AF28B53DF5372C7E0538FD26EDB7988
SHA-512:	E3048E8E0C22F6B200E5275477309083AA0435C0F33D1994C10CE65A52F357EE7CF7081F85C00876F438DFA1EE59B542D602287EC02EA340BFDF90C0C6ABD548
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\ext\access-bridge.jar
Process:	C:\Windows\System32\xcopy.exe
File Type:	Java Jar file data (zip)
Size (bytes):	188012
Entropy (8bit):	7.794785337394973
Encrypted:	false
MD5:	AF5FD514E64C0E798688CC83A28982FE
SHA1:	ABFFC10867B3CE2CB32CAF93FC8A33F923E5B41B
SHA-256:	2ED6A07A0164728D4D0E50AB9803471457828209C1B96A82A209FF1DB7E50388
SHA-512:	FADD7A4B35A770E30FD1281B861F1BFE66DC46FA4AE603E81BFE4BA38AD70E56879489F0439E27BC0A4705CD3441D9CA3C7B4B5C884211B222DEFEC098682D67
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\ext\cldrdata.jar
Process:	C:\Windows\System32\xcopy.exe
File Type:	Java Jar file data (zip)
Size (bytes):	3860502
Entropy (8bit):	7.967110166946304
Encrypted:	false
MD5:	112FB212834B8CD9A2EBB269EBEC3560
SHA1:	56F54779C753BA9AAF40E16C86AF51C6C59A78C9
SHA-256:	24B3009F8A14EA95D08BC7AA44D6481C05A0B367464A7FF4FD7B11B378967474
SHA-512:	81332292BBB505EA4995067253371044BC99E6CD6066CAF8AC8A8D289886C6BF301A57CA51EBD30AAF36C7581BE0FA2F3491E1F5A4F6FB1CF14E311105F961A4
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\ext\dnsns.jar
Process:	C:\Windows\System32\xcopy.exe
File Type:	Java Jar file data (zip)
Size (bytes):	8286
Entropy (8bit):	7.790908721617481
Encrypted:	false
MD5:	7F5886AFA9E26062659E8E4F78F91CC5
SHA1:	5C5A4EE968118B528A615D07EE2A47CFA160E9C5
SHA-256:	DFF1A41376A33D933315233466E109654A5E694EA82E60DD1F08234BF3D7D613
SHA-512:	01CA8D0F3BA1CCD91A3FE0668A3225929A0D83BD6A7EDFD1EBB30B387472078F92F0C69CD7A09FCF8732C9A67FEEEEAA72D8D5599FFF225B4528262012519B8D
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\ext\jaccess.jar
Process:	C:\Windows\System32\xcopy.exe
File Type:	Java Jar file data (zip)
Size (bytes):	44516
Entropy (8bit):	7.905234114504163
Encrypted:	false
MD5:	421565D53CB42730B180887B6AC65FA5
SHA1:	551AFDCCD73889FDA04B0A0260A183E0FC82848A
SHA-256:	D1FC2A11C93796805CB8CEDA8B887AB0DD563170DAF57B3DC608087850098650
SHA-512:	0D91781D4BDD5EF706ADFA958A54FB52C1626A53427E7D2116338F169EF5F9876CD412F899075F74A32933168C09FCD8603000D95ACEFDFB2CB3452DA43F35AB
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\ext\jfxrt.jar
Process:	C:\Windows\System32\xcopy.exe
File Type:	Java Jar file data (zip)
Size (bytes):	18246294
Entropy (8bit):	5.972084743908922
Encrypted:	false
MD5:	7512477182118E114F880B7E9C3A8805
SHA1:	153A0ACC31FB0C1EBED2BB6D3A571C7B1EB901D9
SHA-256:	E789E3D87235676291929510E9DDC396F895E432E5DCBFC8186EAFECB80588BD
SHA-512:	2E966B007AC9D4CD5E8F10BA923D91F92815097C63D86DD1B8B183D86870BE2D0D3034469429DCBADE9A9052B1EF37E5379DFE5FCB5E948ABE6D8030A4F0D823
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\ext\localedata.jar
Process:	C:\Windows\System32\xcopy.exe
File Type:	Java Jar file data (zip)
Size (bytes):	2204781
Entropy (8bit):	6.726101980841087
Encrypted:	false
MD5:	66131040C8675D6737960168336CB9F9
SHA1:	24EE51CABF485401128374FF350D94C242A3F9AF
SHA-256:	A9D716FA659FF3B15D3F832D0FDB6247533A5612374DA77244FFCBB8A4806671
SHA-512:	9C40CF3E2A4872D3783908B33E043C27966442641A2BFF9D7345C6F47096C2BE8BF4CDE81F04A6C9A45437E9804A38BF9ABFA4C8D1B699A3412B6B9531168A7D
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\ext\meta-index
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	1511
Entropy (8bit):	5.142622776492156
Encrypted:	false
MD5:	77ABE2551C7A5931B70F78962AC5A3C7
SHA1:	A8BB53A505D7002DEF70C7A8788B9A2EA8A1D7BC
SHA-256:	C557F0C9053301703798E01DC0F65E290B0AE69075FB49FCC0E68C14B21D87F4
SHA-512:	9FE671380335804D4416E26C1E00CDED200687DB484F770EBBDB8631A9C769F0A449C661CB38F49C41463E822BEB5248E69FD63562C3D8C508154C5D64421935
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\ext\nashorn.jar
Process:	C:\Windows\System32\xcopy.exe
File Type:	Java Jar file data (zip)
Size (bytes):	2022734
Entropy (8bit):	7.9338527754995205
Encrypted:	false
MD5:	B6FC1592D5DE1707B6CEE8CAE52E796F
SHA1:	E194936FC3846AE3E00409CE61459ED42A4CFC2E
SHA-256:	F2F258AEC5174CACBFD1BD859906D9A1085526CBCE3F8201E13E60298C60B43D
SHA-512:	4D1030F595F57079D634C28B728CAC65AA9592967064969E01F45B9B4429101EC48E3FB08C0D1ABC689B1120E620BD4A84D78AAF478B8063AF6E0CD9717E508C
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\ext\sunec.jar
Process:	C:\Windows\System32\xcopy.exe
File Type:	Zip archive data, at least v2.0 to extract
Size (bytes):	42185
Entropy (8bit):	7.936419302261415
Encrypted:	false
MD5:	0E114D00E6C5B9628591F57DFCAEEBA5
SHA1:	9EDF0F7C3CDD91CF3596EDF9970074112CF13D3C
SHA-256:	0D3E6AA1B72A44CB103A928DB6E8E60F9D90F505A128A6E93AD8DEAA067FB57D
SHA-512:	13386DB66FB6864AEFC49902137C9B0265A40B72E75452AF92AC90A63D4CE66460C670B5D684B2C20FEBF703AB6B7980E4543402C7315D126CA318A825917118
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\ext\sunjce_provider.jar
Process:	C:\Windows\System32\xcopy.exe
File Type:	Zip archive data, at least v2.0 to extract
Size (bytes):	280161
Entropy (8bit):	7.90285824775341
Encrypted:	false
MD5:	35301F5D8B9390A4F8D293856F2C5722
SHA1:	3E03B24852BF437DFAE6A779E270EEE60AF5B641
SHA-256:	2B7AF7DE33F3D565C79794AC7B1454CF5CBDB94BB098C58D1D24A171FE82CF96
SHA-512:	09862D625B35E71BE2710AD3B106AE9E7AD87BDEB81F11317B9D1F18A8260F7DE8114085DFFF0FF2C7283CA5A1125CFC91ED2E1EAEAAE9A1F5C5386AF094E935
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\ext\sunmscapi.jar
Process:	C:\Windows\System32\xcopy.exe
File Type:	Zip archive data, at least v2.0 to extract
Size (bytes):	32699
Entropy (8bit):	7.878192531974338
Encrypted:	false
MD5:	2249EAC4F859C7BC578AFD2F7B771249
SHA1:	76BA0E08C6B3DF9FB1551F00189323DAC8FC818C
SHA-256:	A0719CAE8271F918C8613FEB92A7591D0A6E7D04266F62144B2EAB7844D00C75
SHA-512:	DB5415BC542F4910166163F9BA34BC33AF1D114A73D852B143B2C3E28F59270827006693D6DF460523E26516CAB351D2EE3F944D715AE86CD12D926D09F92454
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\ext\sunpkcs11.jar
Process:	C:\Windows\System32\xcopy.exe
File Type:	Zip archive data, at least v2.0 to extract
Size (bytes):	251327
Entropy (8bit):	7.951485363771875
Encrypted:	false
MD5:	9F5ABE7CCB653F571167E27822DF93D2
SHA1:	97F0F18B2D0A5ED5A01A682027EFA9FB8BAE1A5C
SHA-256:	2AAD2465AB8903C7F66A46B34D0D4ECBEEA72D44AFEDAAC9822E48B5B175595D
SHA-512:	629F56D9EB6A4634A54A2DC207D02F6BF94849DEAA4D0A093C7709AC4AB651881CDEED547D466F2679968F4B7896CD553F61A6FC6583EDE90A2053F09864669A
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\ext\zipfs.jar
Process:	C:\Windows\System32\xcopy.exe
File Type:	Java Jar file data (zip)
Size (bytes):	68924
Entropy (8bit):	7.951088346929364
Encrypted:	false
MD5:	FC8544F0BF51BF16619012E933887051
SHA1:	95C27ED2B9D49B249793685FE4C2BAAD3272A3C6
SHA-256:	683493E2393EB0964D2423AA5633BCC3E4EF0FF720D39607FA60DEFF9DADF879
SHA-512:	6008EE3B052AFCE66D3A6528877A0E891680D008A27729F30BC2B372E6B79CE826B2782BE92B2F08B94DFFE6546FA068850919DBC79525CAABBA92B0ACC29595
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\flavormap.properties
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text
Size (bytes):	3928
Entropy (8bit):	4.866168914342862
Encrypted:	false
MD5:	D8B47B11E300EF3E8BE3E6E50AC6910B
SHA1:	2D5ED3B53072B184D67B1A4E26AEC2DF908DDC55
SHA-256:	C2748E07B59398CC40CACCCD47FC98A70C562F84067E9272383B45A8DF72A692
SHA-512:	8C5F3E1619E8A92B9D9CF5932392B1CB9F77625316B9EEF447E4DCE54836D90951D9EE70FFD765482414DD51B816649F846E40FD07B4FBDD5080C056ADBBAE6F
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\fontconfig.bfc
Process:	C:\Windows\System32\xcopy.exe
File Type:	raw G3 data
Size (bytes):	3770
Entropy (8bit):	4.414778819875263
Encrypted:	false
MD5:	827F00E05F3C5272AEF3BF456CF52BF5
SHA1:	280EF454A4644D1E17C7AFAC3B94249ED6BBDCBE
SHA-256:	0F2265F0113A757C15D51FA53409D630478378FD0856EF547780B40AC6C87156
SHA-512:	F6F4F9B7EEEA090081CC0FFE9D2DB705F832CF0AF9882B00AC97ECAE89F8C77A8D62EB6F224D78B7195172EDCFF74CD21A2459A7ED9CD6DDB29B3CC32398C4BC
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\fontconfig.properties.src
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text
Size (bytes):	10568
Entropy (8bit):	5.183430724132545
Encrypted:	false
MD5:	A15D4F6635BFB05282B88458D33C1309
SHA1:	A3D930002D0C8BF2FD263CB21EC089D233FFF106
SHA-256:	115B2049DE908E5D9BAD5BDE2ED035E85A7ADE35BF323BFD3D491A8C218146F1
SHA-512:	9B089BD2723F11BDEFA2CE1BE5804C595811BECD8F1ED922E0CFB43DC4C8CEE637E5AE2594A8F3B2B50B750174C9EDB7E30BF7451D6EFA5ECA8741EE86D8205C
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\fonts\LucidaBrightDemiBold.ttf
Process:	C:\Windows\System32\xcopy.exe
File Type:	TrueType font data
Size (bytes):	75144
Entropy (8bit):	6.8494205410017335
Encrypted:	false
MD5:	AF0C5C24EF340AEA5CCAC002177E5C09
SHA1:	B5C97F985639E19A3B712193EE48B55DDA581FD1
SHA-256:	72CEE3E6DF72AD577AF49C59DCA2D0541060F95A881845950595E5614C486244
SHA-512:	6CE87441E223543394B7242AC0CB63505888B503EC071BBF7DB857B5C935B855719B818090305E17C1197DE882CCC90612FB1E0A0E5D2731F264C663EB8DA3F9
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\fonts\LucidaBrightDemiItalic.ttf
Process:	C:\Windows\System32\xcopy.exe
File Type:	TrueType font data
Size (bytes):	75124
Entropy (8bit):	6.805969666701277
Encrypted:	false
MD5:	793AE1AB32085C8DE36541BB6B30DA7C
SHA1:	1FD1F757FEBF3E5F5FBB7FBF7A56587A40D57DE7
SHA-256:	895C5262CDB6297C13725515F849ED70609DBD7C49974A382E8BBFE4A3D75F8C
SHA-512:	A92ADDD0163F6D81C3AEABD63FF5C293E71A323F4AEDFB404F6F1CDE7F84C2A995A30DFEC84A9CAF8FFAF8E274EDD0D7822E6AABB2B0608696A360CABFC866C6
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\fonts\LucidaBrightItalic.ttf
Process:	C:\Windows\System32\xcopy.exe
File Type:	TrueType font data
Size (bytes):	80856
Entropy (8bit):	6.821405620058843
Encrypted:	false
MD5:	4D666869C97CDB9E1381A393FFE50A3A
SHA1:	AA5C037865C563726ECD63D61CA26443589BE425
SHA-256:	D68819A70B60FF68CA945EF5AD358C31829E43EC25024A99D17174C626575E06
SHA-512:	1D1F61E371E4A667C90C2CE315024AE6168E47FE8A5C02244DBF3DF26E8AC79F2355AC7E36D4A81D82C52149197892DAED1B4C19241575256BB4541F8B126AE2
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\fonts\LucidaBrightRegular.ttf
Process:	C:\Windows\System32\xcopy.exe
File Type:	TrueType font data
Size (bytes):	344908
Entropy (8bit):	6.939775499317556
Encrypted:	false
MD5:	630A6FA16C414F3DE6110E46717AAD53
SHA1:	5D7ED564791C900A8786936930BA99385653139C
SHA-256:	0FAAACA3C730857D3E50FBA1BBAD4CA2330ADD217B35E22B7E67F02809FAC923
SHA-512:	0B7CDE0FACE982B5867AEBFB92918404ADAC7FB351A9D47DCD9FE86C441CACA4DD4EC22E36B61025092220C0A8730D292DA31E9CAFD7808C56CDBF34ECD05035
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\fonts\LucidaSansDemiBold.ttf
Process:	C:\Windows\System32\xcopy.exe
File Type:	TrueType font data
Size (bytes):	317896
Entropy (8bit):	6.8695984804687455
Encrypted:	false
MD5:	5DD099908B722236AA0C0047C56E5AF2
SHA1:	92B79FEFC35E96190250C602A8FED85276B32A95
SHA-256:	53773357D739F89BC10087AB2A829BA057649784A9ACBFFEE18A488B2DCCB9EE
SHA-512:	440534EB2076004BEA66CF9AC2CE2B37C10FBF5CC5E0DD8B8A8EDEA25E3613CE8A59FFCB2500F60528BBF871FF37F1D0A3C60396BC740CCDB4324177C38BE97A
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\fonts\LucidaSansRegular.ttf
Process:	C:\Windows\System32\xcopy.exe
File Type:	TrueType font data
Size (bytes):	698236
Entropy (8bit):	6.892888039120646
Encrypted:	false
MD5:	B75309B925371B38997DF1B25C1EA508
SHA1:	39CC8BCB8D4A71D4657FC92EF0B9F4E3E9E67ADD
SHA-256:	F8D877B0B64600E736DFE436753E8E11ACB022E59B5D7723D7D221D81DC2FCDE
SHA-512:	9C792EF3116833C90103F27CFD26A175AB1EB11286959F77062893A2E15DE44D79B27E5C47694CBBA734CC05A9A5BEFA72E991C7D60EAB1495AAC14C5CAD901D
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\fonts\LucidaTypewriterBold.ttf
Process:	C:\Windows\System32\xcopy.exe
File Type:	TrueType font data
Size (bytes):	234068
Entropy (8bit):	6.901545053424004
Encrypted:	false
MD5:	A0C96AA334F1AEAA799773DB3E6CBA9C
SHA1:	A5DA2EB49448F461470387C939F0E69119310E0B
SHA-256:	FC908259013B90F1CBC597A510C6DD7855BF9E7830ABE3FC3612AB4092EDCDE2
SHA-512:	A43CF773A42B4CEBF4170A6C94060EA2602D2D7FA7F6500F69758A20DC5CC3ED1793C7CEB9B44CE8640721CA919D2EF7F9568C5AF58BA6E3CF88EAE19A95E796
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\fonts\LucidaTypewriterRegular.ttf
Process:	C:\Windows\System32\xcopy.exe
File Type:	TrueType font data
Size (bytes):	242700
Entropy (8bit):	6.936925430880876
Encrypted:	false
MD5:	C1397E8D6E6ABCD727C71FCA2132E218
SHA1:	C144DCAFE4FAF2E79CFD74D8134A631F30234DB1
SHA-256:	D9D0AAB0354C3856DF81AFAC49BDC586E930A77428CB499007DDE99ED31152FF
SHA-512:	DA70826793C7023E61F272D37E2CC2983449F26926746605C550E9D614ACBF618F73D03D0C6351B9537703B05007CD822E42E6DC74423CB5CC736B31458D33B1
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\hijrah-config-umalqura.properties
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text
Size (bytes):	13962
Entropy (8bit):	3.4283479014478493
Encrypted:	false
MD5:	1EDDFB1EE252055556F40CDC79632E98
SHA1:	84AA425100740722E91F4725CAF849E7863D12BA
SHA-256:	69BECFE0D45B62BBDBCF6FE111A8A3A041FB749B6CF38E8A2F670607E17C9EE2
SHA-512:	A0FDBF42FF105C9A2F12179124606A720DF8F32365605644E15600767E5732312777A58390FDB1A9B1C0B152CCC29496133B278A6E5736B38AF2B5FAB251D40C
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\i386\jvm.cfg
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text
Size (bytes):	623
Entropy (8bit):	4.956046853743129
Encrypted:	false
MD5:	9AEF14A90600CD453C4E472BA83C441F
SHA1:	10C53C9FE9970D41A84CB45C883EA6C386482199
SHA-256:	9E86B24FF2B19D814BBAEDD92DF9F0E1AE86BF11A86A92989C9F91F959B736E1
SHA-512:	481562547BF9E37D270D9A2881AC9C86FC8F928B5C176E9BAF6B8F7B72FB9827C84EF0C84B60894656A6E82DD141779B8D283C6E7A0E85D2829EA071C6DB7D14
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\images\cursors\cursors.properties
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text
Size (bytes):	1280
Entropy (8bit):	4.9763389414972465
Encrypted:	false
MD5:	269D03935907969C3F11D43FEF252EF1
SHA1:	713ACB9EFF5F0B14A109E6C2771F62EAC9B57D7C
SHA-256:	7B8B63F78E2F732BD58BF8F16144C4802C513A52970C18DC0BDB789DD04078E4
SHA-512:	94D8EE79847CD07681645D379FEEF6A4005F1836AC00453FB685422D58113F641E60053F611802B0FF8F595B2186B824675A91BF3E68D336EF5BD72FAFB2DCC5
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\images\cursors\invalid32x32.gif
Process:	C:\Windows\System32\xcopy.exe
File Type:	GIF image data, version 89a, 32 x 32
Size (bytes):	153
Entropy (8bit):	6.281310631983366
Encrypted:	false
MD5:	1E9D8F133A442DA6B0C74D49BC84A341
SHA1:	259EDC45B4569427E8319895A444F4295D54348F
SHA-256:	1A1D3079D49583837662B84E11D8C0870698511D9110E710EB8E7EB20DF7AE3B
SHA-512:	63D6F70C8CAB9735F0F857F5BF99E319F6AE98238DC7829DD706B7D6855C70BE206E32E3E55DF884402483CF8BEBAD00D139283AF5C0B85DC1C5BF8F253ACD37
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\images\cursors\win32_CopyDrop32x32.gif
Process:	C:\Windows\System32\xcopy.exe
File Type:	GIF image data, version 89a, 31 x 32
Size (bytes):	165
Entropy (8bit):	6.347455736310775
Encrypted:	false
MD5:	89CDF623E11AAF0407328FD3ADA32C07
SHA1:	AE813939F9A52E7B59927F531CE8757636FF8082
SHA-256:	13C783ACD580DF27207DABCCB10B3F0C14674560A23943AC7233DF7F72D4E49D
SHA-512:	2A35311D7DB5466697D7284DE75BABEE9BD0F0E2B20543332FCB6813F06DEBF2457A9C0CF569449C37F371BFEB0D81FB0D219E82B9A77ACC6BAFA07499EAC2F7
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\images\cursors\win32_CopyNoDrop32x32.gif
Process:	C:\Windows\System32\xcopy.exe
File Type:	GIF image data, version 89a, 32 x 32
Size (bytes):	153
Entropy (8bit):	6.281310631983366
Encrypted:	false
MD5:	1E9D8F133A442DA6B0C74D49BC84A341
SHA1:	259EDC45B4569427E8319895A444F4295D54348F
SHA-256:	1A1D3079D49583837662B84E11D8C0870698511D9110E710EB8E7EB20DF7AE3B
SHA-512:	63D6F70C8CAB9735F0F857F5BF99E319F6AE98238DC7829DD706B7D6855C70BE206E32E3E55DF884402483CF8BEBAD00D139283AF5C0B85DC1C5BF8F253ACD37
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\images\cursors\win32_LinkDrop32x32.gif
Process:	C:\Windows\System32\xcopy.exe
File Type:	GIF image data, version 89a, 31 x 32
Size (bytes):	168
Entropy (8bit):	6.465243369905675
Encrypted:	false
MD5:	694A59EFDE0648F49FA448A46C4D8948
SHA1:	4B3843CBD4F112A90D112A37957684C843D68E83
SHA-256:	485CBE5C5144CFCD13CC6D701CDAB96E4A6F8660CBC70A0A58F1B7916BE64198
SHA-512:	CF2DFD500AF64B63CC080151BC5B9DE59EDB99F0E31676056CF1AFBC9D6E2E5AF18DC40E393E043BBBBCB26F42D425AF71CCE6D283E838E67E61D826ED6ECD27
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\images\cursors\win32_LinkNoDrop32x32.gif
Process:	C:\Windows\System32\xcopy.exe
File Type:	GIF image data, version 89a, 32 x 32
Size (bytes):	153
Entropy (8bit):	6.281310631983366
Encrypted:	false
MD5:	1E9D8F133A442DA6B0C74D49BC84A341
SHA1:	259EDC45B4569427E8319895A444F4295D54348F
SHA-256:	1A1D3079D49583837662B84E11D8C0870698511D9110E710EB8E7EB20DF7AE3B
SHA-512:	63D6F70C8CAB9735F0F857F5BF99E319F6AE98238DC7829DD706B7D6855C70BE206E32E3E55DF884402483CF8BEBAD00D139283AF5C0B85DC1C5BF8F253ACD37
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\images\cursors\win32_MoveDrop32x32.gif
Process:	C:\Windows\System32\xcopy.exe
File Type:	GIF image data, version 89a, 31 x 32
Size (bytes):	147
Entropy (8bit):	6.147949937659802
Encrypted:	false
MD5:	CC8DD9AB7DDF6EFA2F3B8BCFA31115C0
SHA1:	1333F489AC0506D7DC98656A515FEEB6E87E27F9
SHA-256:	12CFCE05229DBA939CE13375D65CA7D303CE87851AE15539C02F11D1DC824338
SHA-512:	9857B329ACD0DB45EA8C16E945B4CFA6DF9445A1EF457E4B8B40740720E8C658301FC3AB8BDD242B7697A65AE1436FD444F1968BD29DA6A89725CDDE1DE387B8
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\images\cursors\win32_MoveNoDrop32x32.gif
Process:	C:\Windows\System32\xcopy.exe
File Type:	GIF image data, version 89a, 32 x 32
Size (bytes):	153
Entropy (8bit):	6.281310631983366
Encrypted:	false
MD5:	1E9D8F133A442DA6B0C74D49BC84A341
SHA1:	259EDC45B4569427E8319895A444F4295D54348F
SHA-256:	1A1D3079D49583837662B84E11D8C0870698511D9110E710EB8E7EB20DF7AE3B
SHA-512:	63D6F70C8CAB9735F0F857F5BF99E319F6AE98238DC7829DD706B7D6855C70BE206E32E3E55DF884402483CF8BEBAD00D139283AF5C0B85DC1C5BF8F253ACD37
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\javafx.properties
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text
Size (bytes):	56
Entropy (8bit):	4.413799564605679
Encrypted:	false
MD5:	5C163AB6E45D72F48CCDC2EDAE57D4E8
SHA1:	FBC2683F5F9FDAB1F23A730776250C6B95E903F2
SHA-256:	36844B3551981F82F1D5A1A12A15F617F3E59DBEC72CFAA419CBFDE2FD191737
SHA-512:	17F76F3F46ED2C408DDA8C236614EE881765B09375E3EE7E8D4B0BA8570457E0B5B6363D7A586A3FEB6201FE55C467E9D57AA3DD789E4E09DE8BB5903CA1DB07
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\javaws.jar
Process:	C:\Windows\System32\xcopy.exe
File Type:	Java Jar file data (zip)
Size (bytes):	944167
Entropy (8bit):	5.941860473529593
Encrypted:	false
MD5:	BB59038AE74BEA5D7A6A2F2976493817
SHA1:	972DA29CBF4221353D5EC1380A90FC3DD4EA5972
SHA-256:	8CA335310A2D10D06BF2B9E047AB49C397A4B488D5AEDF613981E64616F5D435
SHA-512:	1EC7A3973FB5B7D799B971DC09F7998C137E91D507ED671910FAA5FE5B9AD6DEAEEE0EFA3708A69251B7F5FE3663C24487FABF5C7108E888562215841EF58E22
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\jce.jar
Process:	C:\Windows\System32\xcopy.exe
File Type:	Zip archive data, at least v2.0 to extract
Size (bytes):	116446
Entropy (8bit):	7.91403923609848
Encrypted:	false
MD5:	70EB04D21D1639B5D92165CD9D3940BA
SHA1:	D958ADAC5F1EDEFA22045A1409CCDEFF154779C1
SHA-256:	15C40DB7AB18423A7B653B64033D4639A8BA5F201C20232C6F5DCE0102887231
SHA-512:	2124AD54B1B10CBAF9E06BCC63CF8B2B8479B9787BE5CA94F425B0A506C3722A11C68A073718B9F57B6AC9B84CA87BA2838E843C0536FB0769BA64F2A2BD4B58
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\jfr.jar
Process:	C:\Windows\System32\xcopy.exe
File Type:	Java Jar file data (zip)
Size (bytes):	560581
Entropy (8bit):	5.782521505507847
Encrypted:	false
MD5:	00B8F99C683AA917CCBC8DD63BCBE615
SHA1:	38B1368B316064384456E3099330250A35463895
SHA-256:	2389C1414D313A6E52C28400B723725734956802EA36F33CF4B13CEF999BA479
SHA-512:	0291C84CE822D2F69150700A1E181CD1B81B967F9753DFC7FB9DDE5BD6E8F7BC6DE25F34C5BAD20D8E5766144A4F2F9C7D0D010B4845967D948F222D4AB1AD7F
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\jfr\default.jfc
Process:	C:\Windows\System32\xcopy.exe
File Type:	XML document text
Size (bytes):	20109
Entropy (8bit):	4.57126785571291
Encrypted:	false
MD5:	41D5CD8DB1F75101304308A9EE3612FF
SHA1:	1A64B68D0E7D43F8149FABA94440BE54F4F24527
SHA-256:	0C8CD372C548E4DDCBB0FA8CD6FCA09D65EC312D784F495BE19BAF1BF06C57F3
SHA-512:	77D752A9C8ADC5C5D4F2AFAA158B0D105A172426CDD0F2D17EACDA5F6572CE4FD76CA6B142588BF8FCF69BB41FC1141F3808ECB40FD54F0F45944691D8CC2E2E
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\jfr\profile.jfc
Process:	C:\Windows\System32\xcopy.exe
File Type:	XML document text
Size (bytes):	20065
Entropy (8bit):	4.570942254721533
Encrypted:	false
MD5:	8B5C309810D64A8C62E7CDC6436F97A9
SHA1:	5D7D08A595F76322C51AE43EA966FBBA6B69EEBE
SHA-256:	F70E4C858A96603DE6C042EA796300C232953AAB17579FF4E7A47FE9FFE17C26
SHA-512:	D28DF53CD060853E2BC8EE7FC1384D2E2FA5B9C38D1C4AF19B9E13FE89E130262231C76CE656D4A7FBBBE4B893F3DCEC1D2BE56562A5BA65C4306673FBC49F0F
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\jfxswt.jar
Process:	C:\Windows\System32\xcopy.exe
File Type:	Java Jar file data (zip)
Size (bytes):	33932
Entropy (8bit):	7.929414760248561
Encrypted:	false
MD5:	85DB0655FB2C1E6507BAD6565C0B9C8F
SHA1:	0235AFE16246B4DA074CA594B5170B7619D3A999
SHA-256:	9CEAE78D8C3D7A82ACC950586F374401F935D18112B774544A12637E7E236379
SHA-512:	20FB85CCB5BFCE2F223C8D913A77B292FC335ACA925FE55EB57E1D404B6822006FEDEC1891D74733E312005C7C2F3C6ABE0CA34D2217EC710D1BB39EB65A23E4
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\jsse.jar
Process:	C:\Windows\System32\xcopy.exe
File Type:	Java Jar file data (zip)
Size (bytes):	584576
Entropy (8bit):	6.067806313394739
Encrypted:	false
MD5:	FBFDB4EAB3BBC436ED8142A91D377BFC
SHA1:	9AA97EEAEE13B682D284CD190DD7DCA8B7A6C80B
SHA-256:	D168A4BE37D272948B4715A8B118EF6D69A63DC388B509DD81FE59F82DEF1764
SHA-512:	67FFCAD14881BF52651AD708FD967700956FA1DA22B0B0AB5E9DD8B5CEA3F7AA4EA39153D30E810BD8003027160EC5802F2C90B131C84A0FAF5C60F58271D583
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\jvm.hprof.txt
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text
Size (bytes):	4226
Entropy (8bit):	4.708892688554675
Encrypted:	false
MD5:	C677FF69E70DC36A67C72A3D7EF84D28
SHA1:	FBD61D52534CDD0C15DF332114D469C65D001E33
SHA-256:	B055BF25B07E5AC70E99B897FB8152F288769065B5B84387362BB9CC2E6C9D38
SHA-512:	32D82DAEDBCA1988282A3BF67012970D0EE29B16A7E52C1242234D88E0F3ED8AF9FC9D6699924D19D066FD89A2100E4E8898AAC67675D4CD9831B19B975ED568
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\logging.properties
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text
Size (bytes):	2455
Entropy (8bit):	4.470261330379311
Encrypted:	false
MD5:	809C50033F825EFF7FC70419AAF30317
SHA1:	89DA8094484891F9EC1FA40C6C8B61F94C5869D0
SHA-256:	CE1688FE641099954572EA856953035B5188E2CA228705001368250337B9B232
SHA-512:	C5AA71AD9E1D17472644EB43146EDF87CAA7BCCF0A39E102E31E6C081CD017E01B39645F55EE87F4EA3556376F7CAD3953CE3F3301B4B3AF265B7B4357B67A5C
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\management-agent.jar
Process:	C:\Windows\System32\xcopy.exe
File Type:	Java Jar file data (zip)
Size (bytes):	381
Entropy (8bit):	4.97049486762504
Encrypted:	false
MD5:	BA50C79FEDB5D6991B9C99478A8C25CA
SHA1:	D2A5561839B0EE035BA65FE9B5F51D2A49BC669D
SHA-256:	1BBFF8BA04979C2E7BD597AEC00ACD0069FEBD47B546B07B7A90F6907B6BDFAF
SHA-512:	35104A2CAEF4D073D83250B1BDE85E88F27B6864F1F7B153B302A2B8344D1F302587E95150E87CEF0C213CAADD877AF2B778AD3045AA572D9427081E89BBF7B7
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\management\jmxremote.access
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text
Size (bytes):	3998
Entropy (8bit):	4.42020571745971
Encrypted:	false
MD5:	F63BEA1F4A31317F6F061D83215594DF
SHA1:	21200EAAD898BA4A2A8834A032EFB6616FABB930
SHA-256:	439158EB513525FEDA19E0E4153CCF36A08FE6A39C0C6CEEB9FCEE86899DD33C
SHA-512:	DE49913B8FA2593DC71FF8DAC85214A86DE891BEDEE0E4C5A70FCDD34E605F8C5C8483E2F1BDB06E1001F7A8CF3C86CAD9FA575DE1A4DC466E0C8FF5891A2773
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\management\jmxremote.password.template
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text
Size (bytes):	2856
Entropy (8bit):	4.4922650877925445
Encrypted:	false
MD5:	7B46C291E7073C31D3CE0ADAE2F7554F
SHA1:	C1E0F01408BF20FBBB8B4810520C725F70050DB5
SHA-256:	3D83E336C9A24D09A16063EA1355885E07F7A176A37543463596B5DB8D82F8FA
SHA-512:	D91EEBC8F30EDCE1A7E16085EB1B18CFDDF0566EFAB174BBCA53DE453EE36DFECB747D401E787A4D15CC9798E090E19A8A0CF3FC8246116CE507D6B464068CDB
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\management\management.properties
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text
Size (bytes):	14630
Entropy (8bit):	4.568210341404396
Encrypted:	false
MD5:	5EDB0D3275263013F0981FF0DF96F87E
SHA1:	E0451D8D7D9E84D7B1C39EC7D00993307A5CBBF1
SHA-256:	3A923735D9C2062064CD8FD30FF8CCA84D0BC0AB5A8FAB80FDAD3155C0E3A380
SHA-512:	F31A3802665F9BB1A00A0F838B94AE4D9F1B9D6284FAF626EBE4F96819E24494771A1B8BFE655FD2DA202C5463D47BAE3B2391764E6F4C5867C0337AA21C87C1
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\management\snmp.acl.template
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text
Size (bytes):	3376
Entropy (8bit):	4.371600962667749
Encrypted:	false
MD5:	71A7DE7DBE2977F6ECE75C904D430B62
SHA1:	2E9F9AC287274532EB1F0D1AFCEFD7F3E97CC794
SHA-256:	F1DC97DA5A5D220ED5D5B71110CE8200B16CAC50622B33790BB03E329C751CED
SHA-512:	3A46E2A4E8A78B190260AFE4EEB54E7D631DB50E6776F625861759C0E0BC9F113E8CD8D734A52327C28608715F6EB999A3684ABD83EE2970274CE04E56CA1527
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\meta-index
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	2126
Entropy (8bit):	4.970874214349508
Encrypted:	false
MD5:	91AA6EA7320140F30379F758D626E59D
SHA1:	3BE2FEBE28723B1033CCDAA110EAF59BBD6D1F96
SHA-256:	4AF21954CDF398D1EAE795B6886CA2581DAC9F2F1D41C98C6ED9B5DBC3E3C1D4
SHA-512:	03428803F1D644D89EB4C0DCBDEA93ACAAC366D35FC1356CCABF83473F4FEF7924EDB771E44C721103CEC22D94A179F092D1BFD1C0A62130F076EB82A826D7CB
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\net.properties
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text
Size (bytes):	4464
Entropy (8bit):	4.834345958771967
Encrypted:	false
MD5:	2FE77CD007D99DDE926A22094E333E0E
SHA1:	6587F43B93527DD17ABCD5699EB9682B6F08C09B
SHA-256:	16C93910B2785E7CBDDA90D5479AA9687148C2141AC0ADBD0277FDE284F6BBB3
SHA-512:	33D32B1C50BAFC4BCEE1D97D81176E3C9FF6B316536A7A88F76DB92781B4ACB716CC9FF75A97AB32F4469838B370A8DF54B2E2F5FE97F0873B8A44CD2B848FAA
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\plugin.jar
Process:	C:\Windows\System32\xcopy.exe
File Type:	Java Jar file data (zip)
Size (bytes):	1923211
Entropy (8bit):	6.07685889766579
Encrypted:	false
MD5:	067E9E379960F2DEF8C69BA425A8AC79
SHA1:	07313C482CABA3BBD3828FF0AF1D64F168E81022
SHA-256:	A4781B9E3D1B29E7B3E87D5663315CD67CB3B760533B9A213B9FC2C9AF21A5DA
SHA-512:	C5EDA18D94F72670C9969E1FBC3FF94059075B780E3AC1BAA892D2BF4AF2DCD7D2222E180E2C18A227DFEFC7002C32DFE80EEFF8B0907402856053E132D6D71B
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\psfont.properties.ja
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text
Size (bytes):	2796
Entropy (8bit):	5.182793663606789
Encrypted:	false
MD5:	7C5514B805B4A954BC55D67B44330C69
SHA1:	56ED1C661EEEDE17B4FAE8C9DE7B5EDBAD387ABC
SHA-256:	0C790DE696536165913685785EA8CBE1AC64ACF09E2C8D92D802083A6DA09393
SHA-512:	CCD4CB61C95DEFDCBA6A6A3F898C29A64CD5831A8AB50E0AFAC32ADB6A9E0C4A4BA37EB6DEE147830DA33AE0B2067473132C0B91A21D546A6528F42267A2C40E
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\psfontj2d.properties
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text
Size (bytes):	10393
Entropy (8bit):	4.970762688893053
Encrypted:	false
MD5:	F8734590A1AEC97F6B22F08D1AD1B4BB
SHA1:	AA327A22A49967F4D74AFEEE6726F505F209692F
SHA-256:	7D51936FA3FD5812AE51F9F5657E0E70487DCA810B985607B6C5D6603F5E6C98
SHA-512:	72E62DC63DAA2591B48B2B774E2479B8861D159061B92FD3A0A06256295DA4D8B20DAFA77983FDBF6179F666F9FF6B3275F7A5BCF9555E638595230B9A42B177
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\resources.jar
Process:	C:\Windows\System32\xcopy.exe
File Type:	Java Jar file data (zip)
Size (bytes):	3492573
Entropy (8bit):	6.066908232283231
Encrypted:	false
MD5:	BE2ADFF28708FEA87E32F9E778BA47F4
SHA1:	9EFE013DF634999C9D166B900CEA8080857563D4
SHA-256:	9250B37A6366262960A3A39DF3ED766490B167C0015D06A34420118CE9654FFB
SHA-512:	EAFF1F24F237A6FE0EB33A61CBA857186F4321808DD7AA06C609822D1897E0442BC99E4E8E67044D046D7449E1B4C367288888285B9773DBF554547B06E38B0F
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\rt.jar
Process:	C:\Windows\System32\xcopy.exe
File Type:	Java Jar file data (zip)
Size (bytes):	54560347
Entropy (8bit):	6.043881711506345
Encrypted:	false
MD5:	46CE03C69E74B130D661D9BE8F9443B2
SHA1:	C6A7716A584A61741A949261D900D71C5B445D3D
SHA-256:	511A262A1A5363FB1349DD85B481C8CBDBE0D8741A83272D15A0623E077CC359
SHA-512:	EA6364C8A2C5731EBC81BBE000BC3E0D9951EC8E2CE9B8E02C68C9B6530AFF03A8F7BB58E0BDD48296295835ADF77410960210D87E6ECD0AE300CBC48652D653
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\security\US_export_policy.jar
Process:	C:\Windows\System32\xcopy.exe
File Type:	Zip archive data, at least v2.0 to extract
Size (bytes):	3026
Entropy (8bit):	7.489021280283832
Encrypted:	false
MD5:	EE4ED9C75A1AAA04DFD192382C57900C
SHA1:	7D69EA3B385BC067738520F1B5C549E1084BE285
SHA-256:	90012F900CF749A0E52A0775966EF575D390AD46388C49D512838983A554A870
SHA-512:	EAE6A23D2FD7002A55465844E662D7A5E3ED5A6A8BAF7317897E59A92A4B806DD26F2A19B7C05984745050B4FE3FFA30646A19C0F08451440E415F958204137C
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\security\blacklist
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text
Size (bytes):	4054
Entropy (8bit):	5.791238368311067
Encrypted:	false
MD5:	B2C6EAE6382150192EA3912393747180
SHA1:	D4FFB3857EAB403955CE9D156E46D056061E6A5A
SHA-256:	6C73C877B36D4ABD086CB691959B180513AC5ABC0C87FE9070D2D5426D3DBF71
SHA-512:	898582C23F311F9F46825E7F8B6D36BED7255E5A4E2FA4B4452153B86EFBD88DB7E5B94DBD9CB9DB554F62B84D19F22AE9D81822B4896081C487FB50946A9A9A
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\security\blacklisted.certs
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text
Size (bytes):	1253
Entropy (8bit):	4.115037497545478
Encrypted:	false
MD5:	B9C358F9D668E86FDA8048982E741ACC
SHA1:	8870BEF548310B648EF044DB40C5EC609F896F0B
SHA-256:	DDD297102146AC7F6607B35C0E0B565975739A7841DA5E5A6207B6F4EBB2D822
SHA-512:	91CED5411767FBA041B950AD46F71A19F5DD48AF3D2199DA835D6CB9062AB80076A961D1F91856D74DBB0E037B092729D065204A74E113C914B33CD9B2F714B7
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\security\cacerts
Process:	C:\Windows\System32\xcopy.exe
File Type:	Java KeyStore
Size (bytes):	114923
Entropy (8bit):	7.589292184989746
Encrypted:	false
MD5:	03BA9BFEFF31A0E2EFDC294E950B16B6
SHA1:	3758FCB163CC48761984EAFBF310718BF0A7C99F
SHA-256:	9A366FE69F34C7C672FC5F25EE495FBD3403C4435604D34F5FCD89070CDF7C29
SHA-512:	80DB092B960207F5BAF85CC0B7ADC9349ED32F8B87ABE2C9F6952EE8C3481115528C8D0D6D6405BF3CCEF6265FCD9BEBE4346E7D8655EDB620CD6CC6D9FD6627
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\security\java.policy
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text
Size (bytes):	2466
Entropy (8bit):	4.437992103838927
Encrypted:	false
MD5:	11340CD598A8517A0FD315A319716A08
SHA1:	C0112209A567B3B523CFED7041709F9440227968
SHA-256:	B8582889B0DF36065093C642ED0F9FA2A94CC0DC6FDE366980CFD818EC957250
SHA-512:	2B6DADC555EEB28DC1C553AB429F0CB9E3AD9AA64DFA2B62910769A935A1E6030A7FF0DDE2689F29C58D1B0720416D6B99FFA19BD23E6686EFB1547AFB7DCCFD
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\security\java.security
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text, with CRLF line terminators
Size (bytes):	36524
Entropy (8bit):	4.847597504983246
Encrypted:	false
MD5:	6DE3C3F9AAD0301642710DB5281B045F
SHA1:	80DDC0B2D3424519B0534705B52D18CD528942D8
SHA-256:	3E365B94E94DD81C9E97D6D15B3A3223D8F32000E3A82101CFB0AF4CE018EA20
SHA-512:	801BD5FF9E547B51A94D061D20543B774424A02F81CBA9894BE409D081CBA7BE4576D7EC09D1689E2DEFB9B18B11342DC1FED693CB5E560504A16D324307ABFF
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\security\javaws.policy
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text
Size (bytes):	98
Entropy (8bit):	4.75309355004813
Encrypted:	false
MD5:	9107D028BD329DBFE4C1F19015ED6D80
SHA1:	4384CA5E4D32F7DD86D8BADDD1E690730D74E694
SHA-256:	B7A87D1F3F4B7BA1D19D0460FA4B63BD1093AFC514D67FE3C356247236326425
SHA-512:	81B14373B64CE14AF26B70D12D831E05158D5A4FA8CEC0508FEF8A6CA65B6F4EF73928F4B1E617C68DDEACFF9328A3D4433B041B7FB14DE248B1428C51DBC716
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\security\local_policy.jar
Process:	C:\Windows\System32\xcopy.exe
File Type:	Zip archive data, at least v2.0 to extract
Size (bytes):	3527
Entropy (8bit):	7.521709350514315
Encrypted:	false
MD5:	57AAAA3176DC28FC554EF0906D01041A
SHA1:	238B8826E110F58ACB2E1959773B0A577CD4D569
SHA-256:	B8BECC3EF2E7FF7D2165DD1A4E13B9C59FD626F20A26AF9A32277C1F4B5D5BC7
SHA-512:	8704B5E3665F28D1A0BC2A063F4BC07BA3C7CD8611E06C0D636A91D5EA55F63E85C6D2AD49E5D8ECE267D43CA3800B3CD09CF369841C94D30692EB715BB0098E
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\sound.properties
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text
Size (bytes):	1210
Entropy (8bit):	4.681309933800066
Encrypted:	false
MD5:	4F95242740BFB7B133B879597947A41E
SHA1:	9AFCEB218059D981D0FA9F07AAD3C5097CF41B0C
SHA-256:	299C2360B6155EB28990EC49CD21753F97E43442FE8FAB03E04F3E213DF43A66
SHA-512:	99FDD75B8CE71622F85F957AE52B85E6646763F7864B670E993DF0C2C77363EF9CFCE2727BADEE03503CDA41ABE6EB8A278142766BF66F00B4EB39D0D4FC4A87
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\tzdb.dat
Process:	C:\Windows\System32\xcopy.exe
File Type:	data
Size (bytes):	105500
Entropy (8bit):	7.11745524963606
Encrypted:	false
MD5:	4B31C64D61EAEF49B8140BBD5457A937
SHA1:	E75E1640369790825F5648BF4B7B761A5B54DCEE
SHA-256:	A46A8BF58BC55784FA07E23F01AD46C9CB161A02B6A7CD8E035BB718C92E758B
SHA-512:	ACDE7E2BD46CE5FBB85AB8B409D75E892C9BC5B451351C3EE0C37650779637AE1855A6877BAA61D52E812B2E3684D628EA4BA1497571211F08598B164CEBE5A3
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\lib\tzmappings
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text
Size (bytes):	8400
Entropy (8bit):	5.164879464727495
Encrypted:	false
MD5:	7D4ABBCFB06D083F349E27D7E6972F3C
SHA1:	EB91253590526F7BE7415839CCBF702683639C8C
SHA-256:	D936EE24810B747C54192B4B5A279F21179FE3CEB42D113D025A368EBB7CB5A7
SHA-512:	E5C2FBBC07CD53BAF14F3CC239B56B42B73DE47F9B7904AABF7D97695D2AB8866D0C8179235CBF022245949B9B8E419985E328AA5ED333B14B8B4DE2C82B225E
Malicious:	false

C:\Users\user\AppData\Roaming\Oracle\release
Process:	C:\Windows\System32\xcopy.exe
File Type:	ASCII text, with very long lines
Size (bytes):	527
Entropy (8bit):	5.375366002454992
Encrypted:	false
MD5:	620B703577E3B29BC96AD2E29B5FC3D9
SHA1:	8E3BB3263ABF06AFFBE7DBEF60BCE0AAF3572DB6
SHA-256:	CBB8798197881A14D4B50BAE7A27CC871972FE88AEE894CA0DEE7236EB427419
SHA-512:	26CD632EEE76343DEE5106EB09D38180E0CDB4B3474FF9C8518976791B40390794A213579690894C0EE7B9D2613ACADF2B2DE126C832822540651DE8A77E08A3
Malicious:	false

C:\Users\user\fUTkALeaTxM\ID.txt
Process:	C:\Program Files\Java\jre1.8.0_144\bin\java.exe
File Type:	ASCII text, with no line terminators
Size (bytes):	47
Entropy (8bit):	4.296728947874153
Encrypted:	false
MD5:	31C2974D557405725A57DFA9A04D095A
SHA1:	54A0F0D4155757DD1158783B1B75C76399E2A890
SHA-256:	C4B1006F39A0741754C786882DBE82DAD8C1BC8AE5C7A4331FA7B4DA479CDCF8
SHA-512:	8ED881BF73FE85A15B70112FA6337ACCFEC8ECA38AF9677C2863EFD23B18FDFD63C3360832B5703A2010A7E32F2FCAF13FDFD1AF981D14A63DEE5A39B8EFC00C
Malicious:	false

C:\Windows\System32\test.txt
Process:	C:\Program Files\Java\jre1.8.0_144\bin\java.exe
File Type:	ASCII text, with very long lines, with no line terminators
Size (bytes):	609
Entropy (8bit):	5.57954710878663
Encrypted:	false
MD5:	FAEDE056E997DBC917A6149B70FC696A
SHA1:	4CF79053AA373BEF688F357DAE65FE73CF28CC46
SHA-256:	8135DF03A47B0B215A25B493FF0FA85E7F96C649A439F716DCF1D32FCAB72916
SHA-512:	A3BE0A0C0DB9C7E57401600EC7166B6C6566337D282E052DB58DB443C87D9A43D24E0827617C05CAD9ABF10D7DEFE82B0FBF00EF5A412FF053D401AB3FAD026C
Malicious:	false

unknown
Process:	C:\Windows\System32\cmd.exe
File Type:	ASCII text, with CRLF, LF line terminators
Size (bytes):	407
Entropy (8bit):	5.449575216324193
Encrypted:	false
MD5:	92AFE4E853A91647BA3FE414AD7C5C35
SHA1:	B3B563240E144556A1ACD51EE401E54577026A53
SHA-256:	55511CC263E5C597E65FDEBE706C83FF2F9FB106E392C651D649502BEFDC6302
SHA-512:	D2CF26ADD376D2F03A27384E53345604613D6882018C6E219F7945E132A7AA016A73566D624F2106682397078364E80636F1CD8C5604FCEA9DF00C6E12EC4545
Malicious:	true

Contacted Domains/Contacted IPs

Contacted Domains

Name	IP	Active	Malicious	Antivirus Detection	Reputation
vvrhhhnaijyj6s2m.onion.top	unknown	unknown	true	13%, virustotal, Browse	unknown

Contacted IPs

No. of IPs < 25%
25% < No. of IPs < 50%
50% < No. of IPs < 75%
75% < No. of IPs

IP	Country	Flag	ASN	ASN Name	Malicious
8.8.8.8	United States		15169	GOOGLE-GoogleIncUS	false
127.0.0.1	unknown		unknown	unknown	false

Static File Info

General
File type:	Java Jar file data (zip)
Entropy (8bit):	7.980202922928101
TrID:	Java Archive (13504/1) 77.13% ZIP compressed archive (4004/1) 22.87%
File name:	NEW ORDER .LIST 105.jar
File size:	538305
MD5:	1f2d4f13b41e3ffc74633e398d193658
SHA1:	570b541a4a02d038365e6831da65013d2536e15d
SHA256:	031daa275ae5c3ec2a103e0484d496acb3237173d57c8772197e7547d09c97cd
SHA512:	59cffce103026cda1e4420cbfc4608e42cc75a0e2e5fd6abc02b563c60ca8ad9cf62acc3a0efb5d43d13dd27830ef4d124ffba2d2124512d70a9c32ae3ea45ea
File Content Preview:	PK..........SL................META-INF/MANIFEST.MF....MM=..0.....o.!...d.... .&......$Q..7..p.}q.....$....NBY.8[.?g5`..d/..w\|.U..f....8QY....Zh.Pk....{L.EkGh2..j.>]...I.,.a"-.........K...[KP.0.....r........}.....+....v.2....PK.....-........PK..........SL.

File Icon

Network Behavior

Network Port Distribution

TCP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 4, 2018 09:12:36.905682087 CEST	56842	53	192.168.2.2	8.8.8.8
Apr 4, 2018 09:12:37.902277946 CEST	56842	53	192.168.2.2	8.8.8.8
Apr 4, 2018 09:12:38.903179884 CEST	56842	53	192.168.2.2	8.8.8.8
Apr 4, 2018 09:12:40.906516075 CEST	56842	53	192.168.2.2	8.8.8.8
Apr 4, 2018 09:12:44.912174940 CEST	56842	53	192.168.2.2	8.8.8.8

UDP Packets

Timestamp	Source Port	Dest Port	Source IP	Dest IP
Apr 4, 2018 09:12:36.905682087 CEST	56842	53	192.168.2.2	8.8.8.8
Apr 4, 2018 09:12:37.902277946 CEST	56842	53	192.168.2.2	8.8.8.8
Apr 4, 2018 09:12:38.903179884 CEST	56842	53	192.168.2.2	8.8.8.8
Apr 4, 2018 09:12:40.906516075 CEST	56842	53	192.168.2.2	8.8.8.8
Apr 4, 2018 09:12:44.912174940 CEST	56842	53	192.168.2.2	8.8.8.8

DNS Queries

Timestamp	Source IP	Dest IP	Trans ID	OP Code	Name	Type	Class
Apr 4, 2018 09:12:36.905682087 CEST	192.168.2.2	8.8.8.8	0xe064	Standard query (0)	vvrhhhnaijyj6s2m.onion.top	A (IP address)	IN (0x0001)
Apr 4, 2018 09:12:37.902277946 CEST	192.168.2.2	8.8.8.8	0xe064	Standard query (0)	vvrhhhnaijyj6s2m.onion.top	A (IP address)	IN (0x0001)
Apr 4, 2018 09:12:38.903179884 CEST	192.168.2.2	8.8.8.8	0xe064	Standard query (0)	vvrhhhnaijyj6s2m.onion.top	A (IP address)	IN (0x0001)
Apr 4, 2018 09:12:40.906516075 CEST	192.168.2.2	8.8.8.8	0xe064	Standard query (0)	vvrhhhnaijyj6s2m.onion.top	A (IP address)	IN (0x0001)
Apr 4, 2018 09:12:44.912174940 CEST	192.168.2.2	8.8.8.8	0xe064	Standard query (0)	vvrhhhnaijyj6s2m.onion.top	A (IP address)	IN (0x0001)

Code Manipulations

Statistics

CPU Usage

Click to jump to process

Memory Usage

Click to jump to process

High Level Behavior Distribution

Click to dive into process behavior distribution

Behavior

Click to jump to process

System Behavior

Analysis Process: cmd.exe PID: 3348 Parent PID: 2024

General

Start time:	09:12:42
Start date:	04/04/2018
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	C:\Windows\system32\cmd.exe /c ''C:\Program Files\Java\jre1.8.0_144\bin\java.exe' -javaagent:'C:\Users\HERBBL~1\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\NEW ORDER .LIST 105.jar'' >> C:\cmdlinestart.log 2>&1
Imagebase:	0x4a680000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	Java
Reputation:	high

Chronological Activities

Analysis Process: java.exe PID: 3376 Parent PID: 3348

General

Start time:	09:12:42
Start date:	04/04/2018
Path:	C:\Program Files\Java\jre1.8.0_144\bin\java.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Java\jre1.8.0_144\bin\java.exe' -javaagent:'C:\Users\HERBBL~1\AppData\Local\Temp\jartracer.jar' -jar 'C:\Users\user\Desktop\NEW ORDER .LIST 105.jar'
Imagebase:	0x11a0000
File size:	191040 bytes
MD5 hash:	02E26F23B34336225FB5E33DB36BF08C
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: java.exe PID: 3480 Parent PID: 3376

General

Start time:	09:13:12
Start date:	04/04/2018
Path:	C:\Program Files\Java\jre1.8.0_144\bin\java.exe
Wow64 process (32bit):	false
Commandline:	'C:\Program Files\Java\jre1.8.0_144\bin\java.exe' -jar C:\Users\HERBBL~1\AppData\Local\Temp\_0.371006104568627153520436261509485928.class
Imagebase:	0x11a0000
File size:	191040 bytes
MD5 hash:	02E26F23B34336225FB5E33DB36BF08C
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 3564 Parent PID: 3480

General

Start time:	09:13:18
Start date:	04/04/2018
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C cscript.exe C:\Users\HERBBL~1\AppData\Local\Temp\Retrive7023066548171428146.vbs
Imagebase:	0x4a680000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cscript.exe PID: 3600 Parent PID: 3564

General

Start time:	09:13:18
Start date:	04/04/2018
Path:	C:\Windows\System32\cscript.exe
Wow64 process (32bit):	false
Commandline:	cscript.exe C:\Users\HERBBL~1\AppData\Local\Temp\Retrive7023066548171428146.vbs
Imagebase:	0xf80000
File size:	126976 bytes
MD5 hash:	A3A35EE79C64A640152B3113E6E254E2
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 3608 Parent PID: 3376

General

Start time:	09:13:19
Start date:	04/04/2018
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C cscript.exe C:\Users\HERBBL~1\AppData\Local\Temp\Retrive6788100484249657707.vbs
Imagebase:	0x4a680000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cscript.exe PID: 3628 Parent PID: 3608

General

Start time:	09:13:19
Start date:	04/04/2018
Path:	C:\Windows\System32\cscript.exe
Wow64 process (32bit):	false
Commandline:	cscript.exe C:\Users\HERBBL~1\AppData\Local\Temp\Retrive6788100484249657707.vbs
Imagebase:	0xf80000
File size:	126976 bytes
MD5 hash:	A3A35EE79C64A640152B3113E6E254E2
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 3728 Parent PID: 3480

General

Start time:	09:13:20
Start date:	04/04/2018
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C cscript.exe C:\Users\HERBBL~1\AppData\Local\Temp\Retrive1116934492945913819.vbs
Imagebase:	0x4a680000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cscript.exe PID: 3752 Parent PID: 3728

General

Start time:	09:13:21
Start date:	04/04/2018
Path:	C:\Windows\System32\cscript.exe
Wow64 process (32bit):	false
Commandline:	cscript.exe C:\Users\HERBBL~1\AppData\Local\Temp\Retrive1116934492945913819.vbs
Imagebase:	0xbc0000
File size:	126976 bytes
MD5 hash:	A3A35EE79C64A640152B3113E6E254E2
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 3760 Parent PID: 3376

General

Start time:	09:13:21
Start date:	04/04/2018
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe /C cscript.exe C:\Users\HERBBL~1\AppData\Local\Temp\Retrive1876200895814508168.vbs
Imagebase:	0x4a680000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Analysis Process: cscript.exe PID: 3816 Parent PID: 3760

General

Start time:	09:13:21
Start date:	04/04/2018
Path:	C:\Windows\System32\cscript.exe
Wow64 process (32bit):	false
Commandline:	cscript.exe C:\Users\HERBBL~1\AppData\Local\Temp\Retrive1876200895814508168.vbs
Imagebase:	0xbc0000
File size:	126976 bytes
MD5 hash:	A3A35EE79C64A640152B3113E6E254E2
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: xcopy.exe PID: 3860 Parent PID: 3480

General

Start time:	09:13:23
Start date:	04/04/2018
Path:	C:\Windows\System32\xcopy.exe
Wow64 process (32bit):	false
Commandline:	xcopy 'C:\Program Files\Java\jre1.8.0_144' 'C:\Users\user\AppData\Roaming\Oracle\' /e
Imagebase:	0x530000
File size:	36864 bytes
MD5 hash:	361D273773994ED11A6F1E51BBB4277E
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: xcopy.exe PID: 3876 Parent PID: 3376

General

Start time:	09:13:23
Start date:	04/04/2018
Path:	C:\Windows\System32\xcopy.exe
Wow64 process (32bit):	false
Commandline:	xcopy 'C:\Program Files\Java\jre1.8.0_144' 'C:\Users\user\AppData\Roaming\Oracle\' /e
Imagebase:	0x530000
File size:	36864 bytes
MD5 hash:	361D273773994ED11A6F1E51BBB4277E
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	moderate

Chronological Activities

Analysis Process: cmd.exe PID: 3908 Parent PID: 3480

General

Start time:	09:13:34
Start date:	04/04/2018
Path:	C:\Windows\System32\cmd.exe
Wow64 process (32bit):	false
Commandline:	cmd.exe
Imagebase:	0x4a680000
File size:	302592 bytes
MD5 hash:	AD7B9C14083B52BC532FBA5948342B98
Has administrator privileges:	true
Programmed in:	C, C++ or other language
Reputation:	high

Chronological Activities

Disassembly

Code Analysis

Reset < >

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading ...

Warning!

Analysis Report

Overview

General Information

Detection

Confidence

Classification

Analysis Advice

Signature Overview

AV Detection:

Software Vulnerabilities:

Networking:

Remote Access Functionality:

Persistence and Installation Behavior:

Data Obfuscation:

System Summary:

HIPS / PFW / Operating System Protection Evasion:

Anti Debugging:

Malware Analysis System Evasion:

Hooking and other Techniques for Hiding and Protection:

Lowering of HIPS / PFW / Operating System Security Settings:

Language, Device and Operating System Detection:

Behavior Graph

Simulations

Behavior and APIs

Antivirus Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

Yara Overview

Initial Sample

PCAP (Network Traffic)

Dropped Files

Memory Dumps

Unpacked PEs

Joe Sandbox View / Context

IPs

Domains

ASN

Dropped Files

Screenshots

Startup

Created / dropped Files

Contacted Domains/Contacted IPs

Contacted Domains

Contacted IPs

Static File Info

General

File Icon

Network Behavior

Network Port Distribution

TCP Packets

UDP Packets

DNS Queries

Code Manipulations

Statistics

CPU Usage

Memory Usage

High Level Behavior Distribution

back

Behavior

System Behavior

Analysis Process: cmd.exe PID: 3348 Parent PID: 2024

General

Analysis Process: java.exe PID: 3376 Parent PID: 3348

General

Analysis Process: java.exe PID: 3480 Parent PID: 3376

General

Analysis Process: cmd.exe PID: 3564 Parent PID: 3480

General

Analysis Process: cscript.exe PID: 3600 Parent PID: 3564

General

Analysis Process: cmd.exe PID: 3608 Parent PID: 3376